Compliance
Speed to Insight. Lawfully & Ethically.

Centralised approaches to data protection create tensions between the obligation of compliance teams to protect their organisation against threats, liability and business disruptions from data misuse, and the desire of business teams to generate digital insights. Many compliance teams advise the use of anonymisation to reconcile these tensions. However, as explained in detail in the TECHNOLOGY section, anonymisation:

  • Only works for centralised processing; and
  • Results in lost linkability and the full context of data necessary for sophisticated data analytics, AI, ML, sharing, combining or enriching.

Business teams are looking for digital insights that are sometimes only available from decentralised processing. This results in increasingly widespread practices of sharing, combining and enriching data with customer, partner or third-party data sources.

Compliance teams cannot claim the benefits of anonymisation in good faith when decentralised processing makes it impossible to be aware of “…all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly” as required for data to satisfy the requirements for anonymisation under the GDPR.34

Anonos has spent the past eight years exploring, in depth, the GDPR and predecessor EU data protection laws to understand “Data Safe Havens” – the following explicitly recognised combinations of GDPR legal & technical safeguards that maximise Speed To Insight, Lawfully & Ethically.

These Data Safe Havens leverage GDPR-compliant principles of Pseudonymisation35 and Data Protection by Design and by Default,36 together with patented Anonos state-of-the-art decentralised data protection techniques that enable Controlled Linkable Data.37 This combination does not require the loss of linkability and full context of data for sophisticated data analytics, AI, ML, sharing, combining, or enriching.

Anonos’ patented BigPrivacy software and API-based solutions embed policy, privacy and security controls into data flows to support the GDPR Data Safe Havens described below.

Anonos allows organisations to comply with the GDPR while achieving Speed To Insight, Lawfully & Ethically. This is what differentiates Anonos and delivers substantial value to organisations capitalising on this advantage.

Data Safe Haven #1: How to Lawfully Process Pre-GDPR Data

Many organisations have historically relied on general broad-based consent as their lawful basis for collecting, storing and other processing of pre-GDPR EU personal data (“Legacy Data”). However, under the GDPR it is no longer legal to possess, store (in either encrypted or unencrypted format) or process Legacy Data since such broad-based consent often does not satisfy the GDPR's (or local case law related) consent requirements. The GDPR has no “grandfather provision” or “exemption” that allows for ongoing possession, storage or use of (now) unlawful Legacy Data.38

This exposes organisations to:

  • Injunctions ordering the immediate suspension of data processing;
  • Substantial fines for a failure to delete now illegal Legacy Data; and
  • The unwillingness of customers, partners and third parties to use, share or combine Legacy Data due to potential liability and disruption to operations.

The GDPR-audited Pseudonymisation capabilities of BigPrivacy SaveYourData® software enable data controllers to transform Legacy Data.39 This transformation, together with appropriate Data Protection Impact Assessment processes,40 can enable data controllers to exercise their “one off” opportunity to transform Legacy Data into a state that supports Legitimate Interests processing, rather than requiring the wholesale deletion of decades’ worth of valuable information to the detriment of data controllers and society as a whole.

This means that data controllers can avoid:

  • Having to delete valuable Legacy Data;
  • The risk of injunctions ordering immediate suspension of data processing;
  • Exposure to significant fines; and
  • Lost value from not being able to use, share, combine or enrich Legacy Data with customers, partners or third parties.

The SaveYourData® capability of Anonos BigPrivacy software provides a means to lawfully and ethically save Legacy Data, while an organisation implements solutions to address processing issues to comply with GDPR requirements.

The dilemma for data controllers is how to retain valuable Legacy Data when it plays a crucial role in the controller’s digital transformation program and data-centric projects like sophisticated data analysis, AI, ML, sharing, combining or enriching.

Under the GDPR, a controller may be able to transform Legacy Data and use a new legal basis of Legitimate Interests using SaveYourData GDPR-audited Pseudonymisation capabilities as the first step in legally continuing with its data-driven journey. This might be of particular interest in cases where the controller has not been successful in reconsolidating its consent mechanisms, particularly when Legitimate Interests may be a more appropriate legal basis.

Further action will be necessary to make use of the data in compliance with Data Safe Havens to maximise the full value of Legacy Data, but the data controller may have more flexibility to arrange suitable processing and not be forced to delete valuable data.

See IDC Report: Anonos' SaveYourData – "Deep Freezes" Enterprises' Existing Personal Data Sets as They Plan Analytics Strategies41

Use Case: Lawful Processing of Pre-GDPR Clinical Trial Data

EU-based clinical trial studies conducted prior to May 25, 201842 relied on general broad-based informed consent to comply with then-current EU data protection laws. Although this consent might comply with informed consent requirements under member-state national clinical trial regulations, it might not in all cases satisfy the separate and new requirements of GDPR-compliant consent for data protection purposes.

If Legacy Data obtained during these pre-GDPR clinical trials is stored to adhere to (amongst others) clinical trial obligations, such storage may represent unlawful processing for GDPR purposes. However, if in addition to having secured informed consent for clinical trial purposes, Legacy Data is transformed to support the new legal basis of Legitimate Interests (cumulated with the basis for processing health data for statistical, historical and scientific research under Article 9 (2)(j)), then ongoing storage may be lawful under the GDPR.

More importantly, the GDPR has introduced a new approach to data processing standards by allowing data to be used for secondary processing purposes. Data controllers may also investigate using Legacy Data for secondary processing leading to the creation of new scientific breakthroughs and discoveries.

Rather than losing access to valuable data due to obligations to delete Legacy Data, this data may be transformed to support Legitimate Interests processing by implementing technical and organisational safeguards that meet the required legal and ethical requirements under the GDPR.

Data Safe Haven #2: Legitimate Interests Lawful Basis

There are significant questions as to the legality of consent as a valid basis under the GDPR for sophisticated data analysis, AI, ML, sharing, combining, or enriching.43 This affects the value of these projects and the digital insights that can be extracted from them lawfully and ethically. Anonos BigPrivacy leverages regulatory requirements as a competitive advantage to balance the increasing demand for digital insights. In many situations, organisations can overcome the limitations of consent by using GDPR-compliant Pseudonymisation to enable Legitimate Interests as a lawful basis to support processing:

  • That cannot be described with required specificity at the time of initial data collection.
  • To avoid having to request re-consent each time a different processing of data is desired.
  • To avoid disruption to processing triggered by the revocation of consent.

For sophisticated data analysis, AI, ML, sharing, combining, or enriching to be legal under the GDPR (and evolving “GDPR-like” data protection laws), technology and organisational safeguards are required that support the requirements for Legitimate Interests processing. These safeguards must support the “Balancing of Interests” test and other tests necessary for valid Legitimate Interests based processing.

Anonos BigPrivacy supports dynamism, functional separation44 and other requirements for GDPR-compliant Legitimate Interests processing, putting in place the necessary technical safeguards, and has received nine granted international patents in recognition of the utility and novelty of its inventions in this area.45

A critical component of the patented BigPrivacy process is supporting the use of the Legitimate Interests lawful basis, so that the creation, use, sharing, combining and enriching of BigPrivacy Variant Twin data assets is GDPR-compliant (see the TECHNOLOGY section above for further details).

Lawful Legitimate Interests processing requires more than mere words and “cannot be equated to the interest of companies to make a profit from our personal data” as made clear in the case filed by Privacy International against Acxiom and Oracle (data brokers), Equifax and Experian (credit reference agencies), and Criteo, Quantcast and Tapad (ad-tech companies) with data protection authorities in France, Ireland, and the UK.46

The Privacy International case makes it clear that to serve as a valid lawful basis, Legitimate Interests processing must satisfy a three-part test.

The first two tests are relatively easy to satisfy, but the third test requires technical and organisational safeguards to tip the balance in favour of the data controller. The three tests are:

  • Legitimate Interests test;
  • Necessity test; and
  • Balancing of Interests test, which requires the application of technical and organisational safeguards to balance the interests of the data controller (or third party) against the individual data subjects’ rights and freedoms.

Without technical and organisational safeguards that satisfy the Balancing of Interests test, many data processing activities that were commonly practiced for decades are no longer lawful under the GDPR (and might, in fact, never have been lawful in pre-GDPR times since the Legitimate Interests test has often not been executed correctly).

“Consent” as defined under the GDPR requires specificity that is often impossible to satisfy for sophisticated data analysis, AI, ML, sharing, combining, or enriching. It is also not possible to secure legally binding consent for processing activities in the future that cannot be described at the time of data collection. This makes it impossible to rely on consent as a lawful basis for many kinds of sophisticated data analysis, AI, ML, sharing, combining, and enriching that are critical for developing digital insights.

BigPrivacy uniquely helps to support Legitimate Interests processing, as a complement to consent, in numerous ways, including:

  • Patented dynamic de-identification functionality that separates information value from identity to defeat unauthorised reidentification between data sets via the Mosaic Effect;47 and
  • Patented Variant Twin data that can be sourced, curated, combined, shared and processed on premises and in the cloud, in compliance with applicable laws.

Benefits of BigPrivacy-enabled Legitimate Interests processing under the GDPR include the following:

  • Right to Restrict Processing: If a data controller uses GDPR-compliant Legitimate Interests processing, under GDPR Article 18(1)(d) they will not have an obligation to comply with claims to restrict processing if it is proven that the controller's interests prevail over the rights and interests of the data subject.
  • Right to Data Portability: Under GDPR Article 20(1), data controllers using Legitimate Interests processing are not subject to the right of portability which applies to processing based on consent or contract.
  • Right to Object: Data subjects do not have the right to object to processing under GDPR Article 21(1) if a data controller uses GDPR-compliant Legitimate Interests processing and can prove compelling interests that override the rights and interests of the individual. However, data subjects always have the right under Article 21(3) to not receive direct marketing outreach resulting from data processing.

When using BigPrivacy to support Legitimate Interests processing:

  • The data controller should put data subjects on notice at the time of initial data collection that:

    - It is relying on Legitimate Interests as a lawful basis for processing (e.g. to perform statistical analysis to improve product and service offerings, to enhance user experience, etc.);
    - State-of-the-art GDPR-compliant Pseudonymisation and other safeguards are used to support Legitimate Interests processing and ensure that the data controller’s interests are balanced with the data subjects’ interests by limiting any undue impact on the data subject; and
    - Data subjects have the unconditional right to opt out of receiving any direct marketing enabled by the Legitimate Interests processing.48

  • The data controller should also document the results of the three-part test for Legitimate Interests outlined above, as evidence of greater accountability within its Data Protection Impact Assessment process.

Data Safe Haven #3: Lawful Secondary Processing

Anonos BigPrivacy enables organisations to ensure secondary processing is “compatible” with the original primary purpose through Pseudonymisation and functional separation53 of personal data. Under the GDPR, when an organisation processes personal data obtained for a particular permitted purpose, it cannot process it further except for purposes that are compatible.54

However, “further processing” of personal data may be deemed compatible with the original purpose if the processing satisfies the requirements of:

  • Article 6(4) with respect to further “processing for a purpose other than that for which the personal data have been collected…not based on the data subject’s consent”; or
  • Article 89(1) with respect to processing conducted for “archiving purposes in the public interest,” “scientific or historical research purposes,” or “statistical purposes.” The GDPR highlights Pseudonymisation as a safeguard to help ensure that such further processing is lawful.55

Further processing for “archiving purposes in the public interest,” “scientific or historical research purposes,” or “statistical purposes” is specifically considered not to be incompatible with the initial purposes if appropriate safeguards for data subjects are provided to ensure, in particular, data minimisation. Measures may include Pseudonymisation.56 Pseudonymisation is also an explicitly recognised safeguard under Article 6(4)(e) to help ensure that any such further processing of personal data “[are] compatible with the purpose for which the personal data are initially collected” in compliance with Article 5(1)(b) (“purpose limitation”) requirements. Accordingly, Anonos BigPrivacy’s Pseudonymisation and functional separation capabilities help to enable lawful and ethical secondary processing.

If organisations cannot process data for compatible secondary processing and “statistical purposes” to perform predictive analytics, then huge potential benefits are lost for data subjects, data controllers and society as a whole. Southampton University (UK) professors highlight the benefits of “a more constructive interpretation of the GDPR…on the basis of a dynamic approach to data protection law” that distinguishes between three different “…compliance stages (data collection, data analytics, individual impact)….” 57 Adopting this three-stage perspective with the capabilities of Anonos BigPrivacy in mind:

  • Data Collection Stage: Anonos BigPrivacy supports Legitimate Interests-based data collection;
  • Data Analytics Stage: BigPrivacy supports creation of non-identifying, dynamically de-identified derivative versions of original data referred to as “Variant Twins” for analysis; and
  • Individual Impact Stage: After the data controller has gathered, normalised, and analysed non-identifying Variant Twin data “in a way that equally respects their marketing interests and the privacy of users at large,”58 then the Pseudonymisation/de-identification rules can be reversed under privacy-respectful controlled conditions to enable outreach to data subjects based on Legitimate Interests or consent.

Use Case: Banking: Lawful Marketing (Secondary Processing) to Customers

In this example use case, a Bank collects personal data from customers and puts the customers on notice at the time of initial data collection that the Bank relies on Article 6(1)(f) Legitimate Interests processing to perform statistical analysis to improve product and service offerings for customers and to enhance future user experience.

This is done by leveraging GDPR-certified Pseudonymisation to ensure that the data controller’s interests are balanced with the data subjects’ rights and interests and by enforcing safeguards that limit the undue impact on the data subjects.

The Bank desires to use the data to improve product and service offerings and to enhance the user experience, including data that was previously acquired from ex-customers of the Bank. The Bank undertakes the following analysis under GDPR Article 6(4) to evaluate the lawfulness of using the data collected, to ensure that use of such personal data is compatible with the purpose for which the data were initially collected.

Article 6(4)(a)-(e) Further Processing Analysis:

  • any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

    There is a direct link between the original use of the data from active customers and the intended further use of the data from past customers to improve Bank product and service offerings and to enhance the user experience for Bank customers overall.
  • the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

    The data was initially collected in the context of a Bank-customer relationship which is compatible with the intended further use of data from past customers to improve Bank product and service offerings and to enhance the user experience for Bank customers overall.
  • the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

    The nature of the personal data in question does not fit within any of the special categories of data.
  • the possible consequences of the intended further processing for data subjects;

    The intended further use of the data from past customers to improve Bank product and service offerings and enhance the user experience for Bank customers overall will not have adverse impacts on the data subjects who were prior customers of the bank.
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

    The Bank leverages BigPrivacy to ensure that the data controller’s interests are balanced with the data subjects’ rights and interests by enforcing safeguards to limit undue impact on the data subjects by supporting GDPR-compliant principles of Pseudonymisation and Data Protection by Design and by Default, together with patented Anonos state-of-the-art decentralised data protection techniques.

Assuming the Bank properly documents the foregoing analysis under Article 6(4), it is reasonable to conclude that the desired further processing will be compatible with the purpose for which the personal data were initially collected.

Data Safe Haven #4: Data Protection by Design and by Default

The GDPR further imposes new requirements for Data Protection by Design and by Default which means organisations must integrate or ‘bake in’ significant data protection capabilities into processing practices, from the design stage through the full data lifecycle. Previously known as ‘Privacy by Design’, this concept has long been part of data protection law. However, two key changes which are newly mandated under the GDPR are:

  • It is now a legal mandate to support more than just privacy by design: Data Protection by Design and by Default requires the most stringent implementation of privacy by design; and
  • It has heightened requirements, including the need to support the GDPR principles of data minimisation and purpose limitation to limit data use to the minimum extent and time necessary to support each specific product or service authorised by a data subject.

The obligation to support Data Protection by Design and by Default as newly-defined under the GDPR requires each organisation “to be clear in advance about what its plans for secondary processing of personal data intends to achieve…[including] the upfront design of data processing to demonstrate that this thinking has taken place and to ensure safeguards measures can be implemented to mitigate any notable risk areas identified.”59 It also notes that “data minimization should be engineered relative to purposes before the start of processing, at the time of the determination of the means.”60

This essentially means that less, rather than more, personal data must be provided, used or disclosed or otherwise processed for a given purpose. How much less? Only the minimum amount needed to achieve the authorised purpose. BigPrivacy supports GDPR-compliant Pseudonymisation, which dynamically enforces data minimisation via fine-grained access controls leveraging Controlled Linkable Data®.61 This enables the disclosure of only the “minimum identifying data” to those who need to know, all on a case-by-case basis.

While the focus of data minimisation has usually been on minimising the amount of personal data collected at the acquisition stage, data minimisation also applies to the post-collection use of personal data. Accordingly, BigPrivacy helps support data use minimisation within an organisation by enforcing selective access to data, ensuring that an individual employee only has access to the data required for them to do their job and no more.

When personal data is shared between organisations, BigPrivacy enforces selective “in-use” risk management controls to ensure that data is used only as authorised.

In summary, BigPrivacy helps to ensure that only discrete data elements are made available to support minimal authorised use.

BigPrivacy enforces “in-use” risk management by leveraging the most current information about a user, data and environment at the time of disclosure to dynamically enforce the appropriate level of data resolution, as if viewing the data through a “lens.” The lower the magnification, the less identifying the disclosed data is (while still conveying necessary information value); the higher the magnification, the more “identifying” the disclosed data becomes. By leveraging BigPrivacy, only the minimum required level of identifying data is revealed for each authorised purpose. The data disclosed at a given resolution level via such a “lens” is a Variant Twin of the original underlying data.

With BigPrivacy, productive data use can continue by disclosing Variant Twins62 to convey only the necessary information value to accomplish permitted data processing in a privacy-respectful and non-identifying manner.

Over the full lifecycle of data, BigPrivacy-enabled Data Protection by Design and by Default:

  • Maximises authorised uses of data while minimising unauthorised uses of data – all by minimising reidentification risks;
  • Facilitates compliance with and auditability against privacy data protection policies by enabling the mathematical, statistical and/or actuarial measurement and monitoring of data use;
  • Enables common data store(s) to programmatically support data protection policies applicable to different use cases, and to do so simultaneously; and
  • Adjusts in real-time to the changing requirements of policies by dynamically modifying the intelligible form of data into which protected data are transformed.

In the figure below, the first column represents the effect of binary security techniques (like encryption), where the top green gear reflects the value of original data (in unprotected form) and the empty gear below represents the value of the data in its protected form, in which it is unusable.

The second column illustrates the reduction in data value – from the full green gear at the top to the half gear at the bottom representing reduced value because of: (i) restrictions of centralised-only data applications; (ii) the value-reducing impact of traditional approaches to data protection involving suppression, perturbation, masking and generalisation of data; and (iii) the removal of data from the ecosystem due to concerns over the lawful and ethical possession and use of data.

The third column shows how BigPrivacy Data Protection by Design and by Default capabilities enable retention of 100% original source data value represented by the full green gear.

The fourth column illustrates how BigPrivacy enables protection to dynamically flow with data to technologically enforce policies to enable “Speed To Insight, Lawfully and Ethically,” represented by the interconnected gears of different colors.

Use Case: Medical Research: Dynamic Data Use Controls

BigPrivacy-enabled Data Protection by Design and by Default empowers data scientists to move beyond the “Middle Ages” approach of repeated, bespoke manual assessments – analogous to monks’ manually copying manuscripts – to better leverage and scale data scientists’ expertise. US National Institutes of Health (“NIH”) Director Elias Zerhouni once testified before Congress that Industrial Age medicine had focused on mass production of “one-size-fits-all” remedies often applied too late in the disease process but suggested that Information Age healthcare technologies could be predictive, preemptive, precise, and participative.63

To support Information Age healthcare, BigPrivacy-enabled Data Protection by Design and by Default can be embedded into data to reduce the risk of reidentification from sharing, combining and enriching.

BigPrivacy-enabled Data Protection by Design and by Default technology makes it much easier to establish that:

  • The risk is very small that information which is technologically enforced via pre-approved policies could be used, alone or in combination with other reasonably available information, to identify an individual who is the subject of the information; and
  • The methods and results underlying the analysis embodied in each policy are well documented.

These capabilities could provide greater flexibility to Institutional Review Boards (IRBs), Independent Ethics Committees (IECs) and Ethical Review Boards (ERBs) to help overcome the limitations of traditional approaches to medical research. As one example, a study of nearly 600,000 people found 13 surviving adults with genetic abnormalities from which most people die as children. Each of these 13 individuals, therefore, represented an informational goldmine for developing breakthrough treatments (including orphan drugs) or cures to treat those afflicted with genetic abnormalities. But because of the binary, one-time consent the individuals provided, researchers were unable to identify any of the 13 people.

The use of technical and organisational safeguards enabled by BigPrivacy to enforce Data Protection by Design and by Default principles could have allowed the IRB (IEC or ERB) in this study to enable participants to authorise only specific uses of their data initially, with the flexibility to approve later further use in the service of developing breakthrough treatments or cures – while protecting the fundamental rights of the parties involved.

Use Case: Self-Service Business Intelligence: Lawfully & Ethically64

Organizations depend on digital insights to achieve competitive advantage and industry leadership. An industry Whitepaper highlights the benefits of self-service business intelligence or “BI” in helping to meet the demand for timely data-driven insights:

“Instead of confining your organization to a small number of expensive, elite BI professionals, self-service BI equips individuals throughout the organization to investigate their own data, including creating reports and dashboards as well as ad hoc analysis. The good news? These people are experts and they know exactly the questions they need to ask and answer. The great news? They’ll have a solution that gets them answers quickly that they, in turn, can share with colleagues, fueling the reality of a data-driven organization.”65

Self-service BI is becoming more accessible to satisfy real-time enterprise demands for data. Employees can use self-service BI and visualization tools to perform data analysis and reporting on their own without relying on IT departments. However, self-service BI systems expose organizations to potential liability and disruption of operations if the processing does not comply with legal and ethical obligations.

Anonos patents66 cover the use of in-use data protection controls to enforce Data Protection by Design and by Default principles to help ensure that self-service BI remains lawful and ethical.

Example principles include:

  • Intercepting queries in real-time.
  • Matching a query with policy, security and privacy controls (which may include any privacy enhancement techniques (PET), including data protection, dynamic de-identification, anonymity, pseudonymity, granularization, or obscurity policies).
  • Configuring a Variant Twin to reveal only the data that is necessary for an authorized purpose, period, place or other criteria by obfuscating data values.
  • Transforming the source data to comply with the Variant Twin requirements.
  • Delivering the transformed Variant Twin to the user for self-service analytics in real-time.
  • Implementing these capabilities in classical and quantum computing environments to overcome the increasing vulnerability of cryptographic algorithms, otherwise thought to be secure, that can be efficiently broken by a sufficiently powerful quantum computer.
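One way the intercept, match, configure, transform and deliver sequence above (and the “lens” resolution levels described under Data Safe Haven #4) can be implemented, as an added illustration that is not Anonos’ code: a per-purpose policy table decides each field’s resolution, a keyed pseudonym gives linkability within the data set without identifying anyone, and the separately held key is what lets the controller alone relink. Policy names, field names, the key and the sample records are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records for the example (not real customer data).
SOURCE_RECORDS = [
    {"customer_id": "C1001", "email": "ana@example.com",
     "birth_date": "1984-03-12", "postcode": "SW1A 1AA", "balance": 1520.75},
    {"customer_id": "C1002", "email": "ben@example.com",
     "birth_date": "1991-11-02", "postcode": "EH1 2NG", "balance": 230.10},
    {"customer_id": "C1001", "email": "ana@example.com",
     "birth_date": "1984-03-12", "postcode": "SW1A 1AA", "balance": 1610.00},
]

# Hypothetical policy table: purpose -> per-field resolution level (the "lens").
# Any field a policy does not mention is suppressed, so access is deny-by-default.
POLICIES = {
    "statistical_analysis": {             # Data Analytics stage: low magnification
        "customer_id": "pseudonymised",   # linkable across rows, not identifying
        "birth_date": "generalised",      # year only
        "postcode": "generalised",        # outward code only
        "balance": "generalised",         # bucketed
    },
    "customer_outreach": {                # Individual Impact stage: high magnification
        "customer_id": "full", "email": "full", "birth_date": "generalised",
        "postcode": "full", "balance": "full",
    },
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym. The key is the 'additional information'
    that must be kept separately; without it the token cannot be reversed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalise(field: str, value):
    """Lower the resolution of a value while keeping its information value."""
    if field == "birth_date":
        return value[:4]                       # "1984-03-12" -> "1984"
    if field == "postcode":
        return value.split()[0]                # "SW1A 1AA" -> "SW1A"
    if field == "balance":
        return "<1000" if value < 1000 else ">=1000"
    raise ValueError(f"no generalisation rule for field {field!r}")


def build_variant_twin(records, purpose: str, key: bytes, policies=POLICIES):
    """Intercept a request for `purpose`, match it to a policy, and transform the
    source records into a Variant Twin that reveals only what that policy permits."""
    if purpose not in policies:
        raise PermissionError(f"no policy for purpose {purpose!r}")
    policy = policies[purpose]
    twin = []
    for rec in records:
        out = {}
        for field, value in rec.items():
            level = policy.get(field, "suppressed")
            if level == "full":
                out[field] = value
            elif level == "generalised":
                out[field] = generalise(field, value)
            elif level == "pseudonymised":
                out[field] = pseudonymise(str(value), key)
            # "suppressed": the field is dropped from the twin entirely
        twin.append(out)
    return twin


def relink(pseudonym: str, known_ids, key: bytes):
    """Controlled re-identification by the key holder only: recompute tokens for
    identifiers it legitimately holds and match. Returns None when nothing matches,
    which is also what any party without the key gets."""
    for cid in known_ids:
        if hmac.compare_digest(pseudonymise(cid, key), pseudonym):
            return cid
    return None


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-hold-separately"
    for row in build_variant_twin(SOURCE_RECORDS, "statistical_analysis", demo_key):
        print(row)
```

Deleting the key after the twin is built is the step that turns the pseudonymised column into one the controller itself can no longer relink.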

Data Safe Haven #5: Expanded Data Use, Sharing & Combining

The GDPR clarifies and enhances the privacy rights of individual data subjects with new well-known rights such as the “right to be forgotten,” the “right to data portability” and more. However, under GDPR Articles 11(2) and 12(2), if the purposes for which an organisation processes personal data do not or no longer require identification of an individual, and the organisation can show that it is not in a position to identify the data subject, then it does not need to comply with these data subject rights.67

If personal data is pseudonymised using BigPrivacy, so that a given controller or processor cannot identify the individuals concerned, such organisation may not be subject to certain obligations. BigPrivacy helps to limit the risk of using personal data by data controllers and processors down the data chain. This enables the data to be used going forward in a “risk-reduced” manner, which dramatically limits the likelihood of data subjects being re-identified.

In addition, non-identifying Variant Twin versions of data processed under the lawful basis of Legitimate Interests become the proprietary data assets of an organisation, with respect to which there is no obligation to provide copies to third parties (which may be competitors – e.g., FinTechs under the second Payment Services Directive (PSD2), a European directive designed to boost competition and the variety of financial services offerings). In addition, the right of data portability under GDPR Article 20 applies only to personal data processed using consent (under Article 6(1)(a) or Article 9(2)(a)) or contract (under Article 6(1)(b)), and not to data processed based on Legitimate Interests.68

As long as a controller can prove “compelling legitimate grounds for processing which override the interests, rights and freedoms” of data subjects due to the use of state-of-the-art technical and organisational safeguards (or “for the establishment, exercise or defence of legal claims”), objections by data subjects under Article 21 to using Variant Twin data for Legitimate Interests processing for sophisticated data analysis, AI, ML, sharing, combining, or enriching may be unsuccessful.69

In addition, GDPR-compliant Pseudonymisation can alleviate a data controller’s requirements to carry out data subjects’ rights of access under Article 15, rectification under Article 16, and erasure (“right to be forgotten”) under Article 17. Article 11 provides an exemption from these rights in the event that "the controller is able to demonstrate that it is not in a position to identify the data subject." Since the GDPR does not require a controller to hold additional information "for the sole purpose of complying with this Regulation," a data controller may use Pseudonymisation techniques and subsequently delete information that would enable the reversal of the pseudonymisation to identify individual data subjects.70

Data that is protected using BigPrivacy Lawful Insights API, as described in the TECHNOLOGY section above, may benefit from expanded use rights as outlined above.

Use Case: Maximising Utility of Research Study Results

In the EU, hospitals and (academic) research centres are obliged, when publishing the results of research studies in scientific journals, to store the underlying data (often containing identifiable GDPR Article 9 “special category” health data) in a regulated data repository. This is to enable other researchers to (i) verify the study results and (ii) use the data for further research activities. Confronted with this obligation, research institutions often anonymise the data, reducing its utility and value to near-zero. In doing so, they also violate the obligation to enable others to verify study results.

Research institutions would benefit from GDPR-compliant Pseudonymisation using BigPrivacy when transferring such data sets to a regulated data repository. This would safeguard data utility and value for further expanded use, sharing, combining, and enriching. They could then comply with the obligation to minimise the risk that further use from data sharing, combining and enriching can entail (e.g. ensuring data minimisation, protecting the rights of data subjects, proving demonstrable accountability, etc.).

As explained above, BigPrivacy-enabled, GDPR-compliant Pseudonymisation dynamically enforces data minimisation via fine-grained access controls leveraging Controlled Linkable Data.71 This enables the disclosure of only the “minimum identifying data” to those with a need to know, all on a case-by-case basis. By using BigPrivacy-enabled, GDPR-compliant Pseudonymisation, the data controller can protect data while it is in use without compromising the value and utility of the data for further extended use, sharing, combining and enriching purposes.

Data Safe Haven #6: Compliant Cloud Processing Under GDPR

Prior to the GDPR, only customers of Cloud Service Providers (CSPs) had direct liability for non-compliance under EU data protection laws. That changed under the GDPR, which introduced direct obligations, liability and exposure that cannot be negotiated away in contracts between CSPs and customers.

CSPs providing services involving EU personal data now have direct obligations, liability and exposure under the GDPR.72 In addition, data controllers have an affirmative obligation to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject.”73

The European Data Protection Supervisor (EDPS) notes that this “obliges the controller to assess whether the guarantees offered by the processor are sufficient. In light of the accountability principle, the controller should be able to prove it has taken all of the elements provided in the Regulation into serious consideration.”74

GDPR Recital 28 specifically highlights the benefits of GDPR-compliant Pseudonymisation, such as is enabled by BigPrivacy, including in the context of CSP “as-a-service” offerings. Recital 28 states that “the application of Pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”

Recital 78 goes even further by stating, “When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”

The Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance highlights the importance of these issues in the requirement that “a pre-condition for relying on cloud computing arrangements is for the controller [cloud client] to perform an adequate risk assessment exercise, including the locations of the servers where the data are processed and the consideration of risks and benefits from a data protection perspective.”75

The importance of these matters is further emphasised by the following assessment by the CSA of the decision by the Court of Justice of the European Union (CJEU) in the 2018 Wirtschaftsakademie case (CJEU Case C-210/16):

CSPs should examine carefully the relationship they have with their cloud customers, in order to accurately determine the role which each party plays regarding a given service. [The Wirtschaftsakademie] decision has vastly expanded the understanding of how "joint controllership" should be interpreted, and there may be cases where a CSP previously considered itself as acting as an autonomous controller (e.g., because it uses data provided by a cloud customer for a purpose defined by the CSP) which may, effectively, be more appropriately classified as a case of joint controllership (e.g., potentially, where the processing carried out by the CSP is actually done in order to improve the services provided to a customer).76

Data controllers and CSPs bear (effective) “joint and several liability” to compensate data subjects for their material and non-material damage (non-monetary losses such as damage to reputation, emotional distress, pain and suffering, etc.), even if other parties in the supply chain were more at fault. This is because the aim of the GDPR is to ensure data subjects are made whole for any loss or damage they suffer.77

Use Case: GDPR-Compliant Cloud Processing78

Compliance with the GDPR for cloud processing is complicated. A Computerworld article reported that only 12% of 177 global IT organisations understood how GDPR affects cloud services.79 The Wirtschaftsakademie ruling by the CJEU emphasises the importance of data controllers and CSPs being joint controllers. As joint controllers, neither the original data controller nor the CSP can abdicate its GDPR compliance obligations via contractual allocation of risk between the parties.

The Wirtschaftsakademie ruling by the CJEU stands for the proposition that joint responsibility does not require that each controller have access to the personal data processed; the controllers nonetheless share responsibility for misuse.80

The Wirtschaftsakademie ruling highlights the importance of creating Anonos Variant Twins so that an original data controller retains control over the re-linkability of data to avoid potential liability. By using BigPrivacy, a data controller can share only Variant Twin data with third-party “as-a-service” CSP providers, retaining control over identity re-linkability to reduce the risk of unauthorised re-identification. This benefits both the original data controller and the CSP.

Anonos BigPrivacy enables more effective use of cloud computing ecosystems by protecting against liability exposure and the risk of business interruptions due to failure to comply with complex cloud-related GDPR compliance obligations.