Peter Lancos and Sonal Rattan, co-founders of data protection and data privacy specialists Exate Technology, explain the limitations of encryption for data privacy and why anonymisation offers a better solution.
Many companies rely upon encryption when it comes to protecting data, but not everyone grasps the big difference between data privacy and data security. Encryption is an appropriate tool for data security, but it has limitations when it comes to data privacy. To achieve data privacy, it is prudent to use pseudonymisation combined with the ability to anonymise on demand.
Data privacy is the relationship between the collection, use and distribution of data, technology, and the public expectation of privacy and legal issues surrounding them. The challenge of data privacy is how to use data, while simultaneously protecting an individual’s privacy preferences and their personally identifiable information.
Data privacy concerns exist wherever personally identifiable information or other sensitive information is collected, stored, or used, in digital form. Improper control around sensitive data is often the root cause for privacy issues. Sensitive data includes:
- Healthcare records
- Criminal justice investigations and proceedings
- Financial institutions and transactions
- Biological traits, such as genetic material
- Residence and geographic records
- Location-based service and geolocation
- Web surfing behaviour or user preferences using persistent cookies
The methodology required for data privacy is anonymisation, which ensures that the data cannot be linked to an individual/data subject. The Information Commissioner’s Office (ICO) states: “Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.” This means that if, on the balance of probabilities, third parties cross-referencing “anonymised” data with information or knowledge already available to the public cannot identify individuals, then the data is no longer personal data.
Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach. As you can see, the two are very different. The main tool utilized for data security is encryption, which is the process of converting information or data into a code, especially to prevent unauthorized access. Encryption is a mathematical function that encodes data in such a way that only authorised users can access it.
One of the key reasons that encryption is not sufficient for data privacy is that, as a mathematical formula, it can be broken. As an example, it is interesting to look at the history of encryption. In 1979, the National Bureau of Standards issued a Data Encryption Standard using 56-bit encryption that was unbreakable at the time. By 1999, a mere 20 years later, the encryption could be broken in 22 hours. In 1997, the Advanced Encryption Standard was introduced, consisting of 128-bit encryption. This was expected to take two to the 55th power years to break. We are now 20 years on, and there is talk of quantum computers being able to break all encryption.
There are three specific use cases for anonymisation worth highlighting:
Data Privacy Regulation: Recital 26 of the GDPR defines anonymised data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” This definition emphasises that anonymised data must be stripped of any identifiable information, making it impossible to derive insights on a discrete individual, even by the party that is responsible for the anonymisation. The ICO has written that: “If you make the data anonymous so that it is never possible to identify individuals (even when combined with other information which is available to the receiver), it is not personal data. This means that the restrictions do not apply and you are free to transfer the anonymised data outside the EEA.”
Cross-Border Data Transfers: The quote from the ICO above highlights a second important use case, which is the cross-border transfer of data. Data localisation laws are becoming quite common in countries such as Germany, Switzerland, Poland, Argentina and Taiwan, to name a few. The rules for cross-border data transfers clearly indicate that any form of data protection based upon mathematical formulas is not permitted. Anonymisation, when there is no ability to identify the individual, is an effective method for cross-border data transfers.
Internal IT testing/External sandbox IT testing: One of the most difficult challenges when testing new IT releases is to have a copy of production data in the user acceptance testing (UAT) environment. By anonymising the sensitive attributes, release testing can be cheaper, faster and more reliable. Similarly, when attempting to use a FinTech (or an industry sandbox) for external testing, very few banks will provide real production data. By using distributed pseudonymisation, specific attributes can be protected. When this is combined with the ability to anonymise the data when access needs to be revoked, banks can quickly and easily test with FinTechs, even ones delivered as software as a service in the cloud.
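To make the "pseudonymise now, anonymise on demand" idea from the opening paragraph and from the UAT/sandbox scenario concrete, here is an added Python sketch (it is not code from the article or from Exate): sensitive fields are swapped for random tokens held in a vault, and anonymisation is done by destroying that vault. The TokenVault class and the sample customer record are assumptions made for illustration.

```python
import secrets
from typing import Any, Dict, Iterable, Optional


class TokenVault:
    """Pseudonymise records by swapping sensitive fields for random tokens.

    Each token comes from a CSPRNG and has no mathematical relationship to
    the original value, so the only route back is the mapping kept here.
    Destroying that mapping turns pseudonymous data into anonymous data.
    (Hypothetical class for illustration, not Exate's product code.)
    """

    def __init__(self) -> None:
        self._forward: Dict[tuple, str] = {}   # (field, value) -> token
        self._reverse: Dict[str, Any] = {}     # token -> original value

    def pseudonymise(self, record: Dict[str, Any], fields: Iterable[str]) -> Dict[str, Any]:
        out = dict(record)
        for field in fields:
            if field not in out:
                continue
            key = (field, out[field])
            token = self._forward.get(key)
            if token is None:
                # Same value -> same token, so joins and aggregates still work in UAT.
                token = f"{field}_{secrets.token_hex(8)}"
                self._forward[key] = token
                self._reverse[token] = out[field]
            out[field] = token
        return out

    def reidentify(self, token: str) -> Optional[Any]:
        """Return the original value while the vault still exists, else None."""
        return self._reverse.get(token)

    def anonymise(self) -> None:
        """Revoke access: destroy the mapping so tokens can no longer be linked."""
        self._forward.clear()
        self._reverse.clear()


# Constructed sample record, standing in for a production row copied into UAT.
SAMPLE = {"customer_id": "C-1001", "name": "Jane Doe", "balance": 1250.50, "country": "DE"}


def demo() -> tuple:
    vault = TokenVault()
    pseud = vault.pseudonymise(SAMPLE, ["customer_id", "name"])
    before = vault.reidentify(pseud["name"])   # "Jane Doe" while the vault exists
    vault.anonymise()
    after = vault.reidentify(pseud["name"])    # None once the mapping is destroyed
    return pseud, before, after
```

Non-sensitive fields such as balance and country pass through untouched, so test cases still exercise realistic values while the identifying attributes carry no information on their own.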
In conclusion, while both anonymisation and encryption are important, there are clear differences between the two. These differences are clearly visible when it comes to items such as the GDPR, cross-border transfers of data and testing with FinTechs, which all require anonymisation. Sometimes mathematics is just not enough, and you need to rely on the power of randomness.