The European Union is home to 512m people. From May 25th firms wishing to handle data that pertain to any of those people will have to comply with a new set of privacy rules called the General Data Protection Regulation (GDPR). The introduction of the GDPR is the biggest change to privacy legislation in the EU for 20 years. In particular, the new rules are strict about the purposes for which data may be used. If a bank collects names and addresses in order to process payments, or a hospital records laboratory-test results in order to treat patients, those organisations are prohibited from putting the data in question to any other use.
The GDPR does, though, come with an escape hatch: pseudonymisation. This means replacing identifying information such as names, dates of birth and addresses with data that look the same but do not reveal details about a real person. That is useful when the statistical content of a data set is required (say, the proportion of women in a particular industry) but not the details of any particular person. A number of firms now offer software that helps with the pseudonymisation of large data sets, so that such operations will not fall foul of the GDPR.
Banks are particularly interested. Modern payment systems involve multiple complex, interlinked data sets, and the development of new software to handle these requires tests on data identical in form to the live data on which the software will eventually operate. Using real customer data for such development work would, however, be a breach of the GDPR, because those data were gathered in order to send and receive payments, not to build more software.
Rabobank, a Dutch firm, has thus spent the past year pseudonymising payment data it has collected using software called the High Assurance Desensitisation Engine, which was developed by IBM’s cryptography laboratory in Zurich. This has transformed its databases so that names, account numbers and dates of birth retain their form but lose the identifying information they contained.
The software does this by assigning a long random number, known as a key, to each data field, such as “name” or “account number”, that is to be pseudonymised. It then performs a mathematical operation on every piece of data in each of those fields in the database (all the names, all the account numbers, and so on) that combines each one of them with the relevant field key. A piece of data so pseudonymised is replaced by a string of letters and numbers known as a hash.
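As a rough illustration of the per-field keyed hashing described above, the sketch below uses HMAC-SHA256 from Python's standard library. The article does not say which mathematical operation IBM's software applies, so the choice of HMAC, the field names, the function names and the sample record are all assumptions made for the example. An HMAC cannot be inverted on its own, so this shows only how each value is combined with its field's key.

```python
import hashlib
import hmac
import secrets

# One long random key per field to be pseudonymised.
# The field names here are illustrative, not taken from any real schema.
FIELD_KEYS = {
    "name": secrets.token_bytes(32),
    "account_number": secrets.token_bytes(32),
}


def keyed_hash(field: str, value: str, keys=FIELD_KEYS) -> str:
    """Combine a value with its field's key (HMAC-SHA256) and return a hex string."""
    return hmac.new(keys[field], value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, keys=FIELD_KEYS):
    """Hash every field that has a key; leave all other fields untouched."""
    return [
        {f: keyed_hash(f, v, keys) if f in keys else v for f, v in rec.items()}
        for rec in records
    ]


if __name__ == "__main__":
    # A made-up record, not real customer data.
    sample = [{"name": "Anna de Vries", "account_number": "NL00XXXX0123456789", "amount": "12.50"}]
    print(pseudonymise_records(sample))
```

Because the same key is used for every value in a field, identical inputs produce identical hashes, so records that referred to the same account before the transformation still line up afterwards.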
That done, Rabobank then uses another piece of IBM software to examine how the structure of the data varies across each field in the original data set, searching for rules that govern the format of names, account numbers and so on. Once the software has learned those rules, it can then transform a hash into a pseudonym that looks like the original data, and more importantly behaves similarly when run through the bank’s own software.
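The step from hash to lookalike pseudonym can be sketched in a much simpler form than the one the article describes. The example below does not learn any format rules from a data set. It assumes one fixed rule instead: digits stay digits, upper-case letters stay upper-case, lower-case letters stay lower-case, and everything else (spaces, hyphens) is copied through. The function names and the use of HMAC-SHA256 as the source of hash bytes are hypothetical choices for illustration, not IBM's method.

```python
import hashlib
import hmac
import string


def _byte_stream(key: bytes, value: str, length: int) -> bytes:
    """Derive at least `length` bytes from a keyed hash of the value."""
    seed = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    stream, counter = seed, 0
    while len(stream) < length:
        # Extend the stream for values longer than one digest.
        counter += 1
        stream += hmac.new(key, seed + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return stream


def format_preserving_pseudonym(value: str, key: bytes) -> str:
    """Replace each character with one of the same class, chosen by the hash bytes."""
    stream = _byte_stream(key, value, len(value))
    out = []
    for ch, b in zip(value, stream):
        if ch in string.digits:
            out.append(string.digits[b % 10])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[b % 26])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)  # keep spaces, punctuation and other characters as they are
    return "".join(out)


if __name__ == "__main__":
    demo_key = b"\x01" * 32  # fixed key for the demo only; a real key would be random
    print(format_preserving_pseudonym("NL00XXXX0123456789", demo_key))
    print(format_preserving_pseudonym("Anna de Vries", demo_key))
```

The output has the same length and the same pattern of letters, digits and spaces as the input, which is the property that lets test software treat it like real data. The sketch ignores finer constraints a production system would need to respect, such as check digits in account numbers.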
The result is a new set of data that contains no personal information, but retains the format and statistics of the original. The only way that each field in the new data set can be returned to its old state is by applying the key used to generate the hash. In Rabobank’s case, these keys are held by the accounts teams. The development teams working on the pseudonymous data never see them.
Firms other than banks are also adopting this kind of privacy technology. Since late 2016, for instance, Apple has used a technique called differential privacy to gather data about iPhone use while minimising the personal data sucked up in the process. Google has adopted a similar method to collect data from smartphone-keyboard software. Uber uses the approach to let its analysts study driving data without breaching drivers’ privacy.
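The article does not say how any of these companies implement differential privacy. One textbook form of the idea, randomised response, is sketched below purely as an illustration: each user's yes-or-no answer is flipped with a known probability before it leaves the device, so no single report can be trusted, yet the overall rate can still be estimated. The function names and the parameter `epsilon` (the usual name for the privacy budget) are choices made for this example.

```python
import math
import random


def randomized_response(truth: bool, epsilon: float, rng: random.Random) -> bool:
    """Report the true answer with probability e^eps / (e^eps + 1), else the opposite."""
    p_truth = math.exp(epsilon) / (math.exp(epsilon) + 1.0)
    return truth if rng.random() < p_truth else not truth


def estimate_rate(reports, epsilon: float) -> float:
    """Undo the known flipping probability to estimate the true share of 'yes' answers."""
    p = math.exp(epsilon) / (math.exp(epsilon) + 1.0)
    observed = sum(reports) / len(reports)
    # observed = p * rate + (1 - p) * (1 - rate), solved for rate
    return (observed + p - 1.0) / (2.0 * p - 1.0)


if __name__ == "__main__":
    rng = random.Random(0)
    truths = [i % 10 < 3 for i in range(20000)]  # simulated users, 30% answer "yes"
    reports = [randomized_response(t, 1.0, rng) for t in truths]
    print(round(estimate_rate(reports, 1.0), 3))
```

A smaller `epsilon` flips more answers, which protects individuals better but makes the estimate noisier for a given number of users.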
IBM has also provided its pseudonymisation technology to Truata, a new firm based in Dublin that it set up earlier this year in partnership with MasterCard, a multinational financial-services company. Truata acts as a legal trust through which third parties can pass data for analysis to confirm that they are GDPR-compliant. As a trust, Truata is legally bound to operate according to its constitutional document. This document states that the firm will hold assets (data, in this instance, not monies) in accordance with the principles of the GDPR. That provides customers with an extra level of protection.
Pseudonymisation, then, promises to help companies process data in ways that comply with the GDPR. It may even liberate the more scrupulous to make money from their data sets in new ways, freed from privacy limitations which had previously kept those data locked away.