Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics

Abstract

The new obligations imposed by the General Data Protection Regulation (GDPR) do not prohibit the use of personal data for analytics or other beneficial secondary uses. But they do require the adoption of new technical and organizational measures to protect that data. The GDPR explicitly points to pseudonymizing as one such measure that can help meet the requirements of several of its provisions. The GDPR further recognizes differing levels of de-identi cation in a way that provides incentives for organizations to adopt the optimal type and level of de-identification that can help them use personal data for bene cial purposes while meeting their compliance obligations and protecting the privacy of individuals. By enabling the use of “Controlled Linkable Data” (as described in this White Paper) that retains the utility of personal data while helping to meet organizations’ compliance obligations and to significantly reduce their risk of liability, Anonos® BigPrivacy® technology can help organizations navigate and meet these new GDPR requirements. Thus, Anonos BigPrivacy technology can ease regulatory burdens and be a key component of an overall GDPR compliance program. The body of this paper describes in detail the regulatory background, technological innovations, and practical applications of Controlled Linkable Data, leading to the maximization of data value and individual privacy in a GDPR-compliant manner. First, in Section III, we introduce the concept of Controlled Linkable Data in the context of the GDPR. Next, in Section IV, we describe the GDPR’s new requirements, focusing on the distinction between privacy by design and data protection by default, and noting that the former is merely a subset of the latter, making it insuf cient to satisfy the GDPR’s stringency. We also introduce the essential concept of Controlled Linkable Data. In Section V, we explain how Controlled Linkable Data enables a more powerful form of de-identification, one encouraged by the GDPR, but which has previously not been achievable by technical methods. This leads to the conclusion that “data protection over the full lifecycle of data by leveraging technical and organizational measures, including pseudonymisation, [ensures] that, by default, personal data are not made accessible without the individual’s intervention to an inde nite number of natural persons.” Next, Section VI analyzes numerous relevant sections of the GDPR (speci cally, Articles 5, 6, 11(2), 12(2), 15-22, 32-36, 40, 42, 82 and 88), showing how Controlled Linkable Data helps satisfy the specific GDPR requirements. Last, in light of this understanding of the requirements, limitations, exclusions and overall principles of the GDPR, Section VII explains the technical basis of Anonos BigPrivacy technology, how it implements Controlled Linkable Data, and how this solution addresses GDPR compliance concerns for all parties: data controllers, regulators and data subjects. Global firms that gather, use or store GDPR personal data should consider the possibility that Controlled Linkable Data as described in this White Paper enables secondary uses of data while ensuring compliance with GDPR requirements.