17 / 05 / 2019
The Risky Choice of Using In-House Anonymization
IT PRO PORTAL - ANDRE THOMPSON, PRIVACY AND ETHICS COUNSEL AT TRUATA DISCUSSES, HOW GDPR IMPACTS DATA ANALYTICS WITHIN AN ORGANISATION
As the first anniversary of the application of the GDPR approaches, one hopes that organisations have become aware of their responsibilities as controllers of personal data and the challenges associated with in-house anonymization.
One critical area is the difficulty of carrying out in-house anonymization which supervisory authorities have frequently stated falls short of the high threshold for anonymisation set by the European Data Protection Board.
In large enterprises, where data-driven insights inform business strategy, data controllers will often take on the responsibility for de-identifying their customer data with the aim of using the datasets for analytics unconstrained by the requirements of GDPR and other data protection laws.
The intent to preserve privacy is admirable, however the execution is frequently inadequate and, as such, those organisations may leave themselves exposed to regulatory action, fines and perhaps most crucially, reputational damage leading to a customer base that has lost trust and faith that the company treats them as valued customers, not as products.
The key concept to appreciate is that anonymized data falls outside the scope of “personal data” as defined in the GDPR. So by anonymizing customer datasets organisations can conduct analytics and not be constrained by data protection principles, such as limits on data collection, retention, purpose-based consent, the right to withdraw consent at any time and so on.
Click here to view the full article.
Click here to learn more about the Truata Anonymization Solution and its benefits in terms of GDPR privacy compliance.
André Thompson, Privacy Council
André Thompson is the Privacy and Ethics Counsel at Truata. He is a qualified solicitor with over 20 years’ experience in a commercial legal environment, working in-house, in private practice and consultancy. He has worked in privacy and data protection law since 2001 as the data protection lead in a large Irish multi-national with additional professional experience in intellectual property and information technology law.