BigPrivacy Unlocks Data
New Requirements for Legal Analytics &
Artificial Intelligence Under the GDPR
The way your organization has processed data for years – even for decades – may create new legal liability under
the EU General Data Protection Regulation (GDPR). Organizations looking to maximize the value of data by
leveraging advanced data analytics and artificial intelligence (“Analytics & Artificial Intelligence (AI)”) should be
aware of three points:
1. Illegal Analytics & Artificial Intelligence (AI) – without a new legal basis to ensure lawful rights to process
personal data (which is no longer possible under the GDPR using consent if the processing cannot be
described with specificity in advance), using that data for Analytics & Artificial Intelligence (AI) may produce
unlawful results that expose organizations, their partners and customers to unexpected legal liability.
2. Pseudonymisation – while this word may be difficult to pronounce and spell, organizations must embrace and
implement Pseudonymisation as defined under the GDPR across their enterprise to legally process Analytics &
Artificial Intelligence (AI).
3. Dynamism – new GDPR requirements for technically enforced “dynamism” overcome shortcomings of “static”
data protection techniques that fail to adequately protect data subject rights when data is combined from
multiple sources or used for various purposes. Examples under the GDPR include dynamic Pseudonymisation
to defeat the Mosaic Effect and dynamic fine-grained, use-case specific controls to satisfy requirements for
Data Protection by Design and by Default.
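The dynamic, fine-grained, use case-specific controls described in point 3 can be illustrated with a short sketch. Everything in it – the record, the purpose names, the per-field policies – is hypothetical and invented for illustration; it is not Anonos' implementation. It shows only the shape of Data Protection by Design and by Default: each processing purpose sees just the fields its policy names, and an unknown purpose sees nothing by default.

```python
# Hypothetical sketch of fine-grained, use case-specific controls.
# Field names, purposes, and policies are invented for illustration.

RECORD = {"name": "Jane Doe", "zip": "20500", "age": 34, "purchases": 17}

# Each processing purpose gets its own per-field policy.
POLICIES = {
    "fraud_detection": {"zip": "pseudonymise", "age": "reveal", "purchases": "reveal"},
    "marketing_stats": {"zip": "generalise", "purchases": "reveal"},
}

def generalise_zip(zip_code: str) -> str:
    # Coarsen the zip code so it is less identifying.
    return zip_code[:2] + "***"

def apply_policy(record: dict, purpose: str) -> dict:
    # Unknown purposes fall back to an empty policy: reveal nothing by default.
    policy = POLICIES.get(purpose, {})
    out = {}
    for field, action in policy.items():
        if action == "reveal":
            out[field] = record[field]
        elif action == "generalise":
            out[field] = generalise_zip(record[field])
        elif action == "pseudonymise":
            # Placeholder token; real Pseudonymisation would keep a separate lookup.
            out[field] = "tok_" + str(abs(hash((field, record[field]))) % 10**6)
    # Fields the policy does not name (e.g., "name") are withheld entirely.
    return out

print(apply_policy(RECORD, "marketing_stats"))  # {'zip': '20***', 'purchases': 17}
print(apply_policy(RECORD, "unknown_purpose"))  # {}
```

Note the default branch: risk is managed per use case, and the safest outcome (no data) is what happens when no policy applies.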
[Figure: New Requirements for Legal Analytics & Artificial Intelligence Under the GDPR – Data Use Not Described; Balancing Interests Using Data Analytics]
The word “Pseudonymisation” is pronounced Soo-don-uh-mah-zay-shuhn and is generally spelled with an “s” (Pseudonymisation) in European countries
and with a “z” (Pseudonymization) in the U.S. Under the GDPR, Pseudonymisation is defined as “the processing of personal data in such a manner that
the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information
is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
© 2018 Anonos Inc.
GDPR Impact on Analytics & AI Across the Globe
The GDPR is the new State of the Art for international data protection regulation with far-reaching impact on all
organizations conducting business on a global scale.
In today’s data-driven economy, global organizations increasingly rely on Analytics & Artificial Intelligence (AI) to
help achieve corporate growth, revenue and performance objectives. Historically, such organizations often relied on
the consent (or agreement) of data subjects to long, legalistic take-it-or-leave-it contracts, “click-through”
agreements and Terms of Service (“ToS”) to secure legal rights to perform Analytics & Artificial Intelligence (AI)
processing on personal data they collected. Under the GDPR, data subjects can no longer legally consent (or
agree) to data use that cannot be specifically and unambiguously explained at the time of consent. These
GDPR requirements are impossible to satisfy for Analytics & Artificial Intelligence (AI) applications where
successive analysis, correlations, and computations cannot be described with required specificity and
unambiguity at the time of consent.
The GDPR has no “grandfather provision” or “exemptions” allowing for continued use of historical data collected
before the effective date of the GDPR using now legally non-compliant consent. Also, consent cannot be a
condition for receiving a product or service – a data subject must have a genuine choice, or their consent is not
freely given. If consent is not obtained in full compliance with GDPR requirements, data protection authorities (DPAs) have officially stated that
“consent will be an invalid basis for processing, rendering the processing activity unlawful.”
In addition to well-publicized fines and enforcement actions available to EU member state data protection
authorities (DPAs), and the creation of new forms of liability under EU law,
global organizations should also be
aware of the interests of other stakeholder groups in connection with their compliance with the GDPR. A high-level
overview of some of the perspectives of these different stakeholder groups follows:
1. External Auditors: External auditors retained by organizations to conduct financial audits have an obligation to
ensure that issued reports accurately represent the economic viability of the organizations. Given the adverse
impact on business continuity of potential lost access to data and the magnitude of potential liability, if such
auditing firms do not adequately describe the GDPR preparedness of a client in an audit, they may be liable for
failing to sufficiently audit financial statements.
2. Industry Regulators: Industry regulators (e.g., banking, insurance, telecommunications, healthcare, etc.) are
expected to require companies under their jurisdiction to confirm that they are not at risk of liability under the
GDPR given the magnitude of potential financial exposure. For organizations depending on Analytics & Artificial
Intelligence (AI) to help achieve corporate growth, revenue and performance objectives, dynamic
Pseudonymisation is required to confirm compliance.
3. Boards of Directors: There is a global trend toward directors being held personally liable for wrongdoings
resulting from legislative changes and increased enforcement activity. An article notes, “The risk here is also
exacerbated by the fact that the GDPR will impose much more stringent burdens on companies that process
European Economic Area (EEA) citizens’ data from May 2018. If significant penalties are imposed on
companies under the GDPR – like the maximum penalties of 4% of an organization’s worldwide turnover –
shareholders, regulators and others may look to the board to ascertain what went wrong.”
The GDPR is applicable to the processing of all “personal data” (information related to an individual data subject who can be directly identified using the
data or indirectly identified by combining the data with other information) of any natural person located in the European Union (EU) or in the European
Economic Area (EEA) at the time when processing occurs regardless of where a data controller or data processor is located if the processing relates (a)
to the offering of goods or services (even if they are free) to a data subject located in the EU/EEA or (b) where the behavior of a data subject located in
the EU/EEA is being monitored.
See pg. 3 at http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030
Under the GDPR, member state data protection authorities (DPAs) have the power to: (a) impose fines of up to the greater of 20 million Euros or 4% of
consolidated corporate global gross revenues for violating the GDPR; and (b) issue orders to stop or suspend data processing and data flows. Also, for
the first time under EU law, the GDPR authorizes, among other things, quasi-class-action lawsuits by representatives of individual data subjects (e.g., EU non-governmental organizations).
See Risks Facing Directors & Officers at https://www.financierworldwide.com/roundtable-risks-facing-directors-officers-aug17/#.WwLxaVMvyuU
How Businesses Can Deal with Analytics & AI Under the GDPR
Before the GDPR, the primary burden of risk for inadequate data protection was borne principally by data subjects,
due to limited recourse against data controllers that collected and stored their data and lack of liability for data
processors. However, this burden of risk is shifted by new obligations under the GDPR requiring data controllers
and processors to protect the rights of individual data subjects. Given this change in circumstances, how do global
organizations reconcile the growing importance of Analytics & Artificial Intelligence (AI) with the increasing
complexity of lawful data use? The GDPR provides an answer in new requirements for technical and organizational
safeguards that better protect personal data.
To lawfully process Analytics & Artificial Intelligence (AI) applications, and to legally use historical data collected
using now legally non-compliant consent, new technical and organizational measures that help support alternate
(non-consent) GDPR-compliant legal bases are required. Organizations must demonstrate that they have new
technical and organizational safeguards to lawfully collect, use and store data for Analytics & Artificial Intelligence
(AI) processing. Pseudonymisation and Data Protection by Design and by Default are newly defined technical and
organizational safeguards under the GDPR that help enable fine-grained, risk-managed, dynamic use case-specific
controls to reallocate risk for inadequate data protection from data subjects to corporate data controllers and processors.
GDPR Compliance Does Not Ensure Legal Analytics & Artificial Intelligence (AI)
Just because an organization is GDPR compliant does not mean that it can legally process Analytics & Artificial
Intelligence (AI). Data protection technologies developed prior to the GDPR were not designed to support Analytics
& Artificial Intelligence (AI) in a GDPR compliant manner. They are mainly intended to limit or prevent situations
that expose an organization to potential penalty, liability, and third-party claims.
Traditional data protection technologies do not address the loss of consent as a viable legal basis for desired
Analytics & Artificial Intelligence (AI) processing; they also create the perception that data collected for Analytics &
Artificial Intelligence (AI) must be deleted and that lawful Analytics & Artificial Intelligence (AI) processing is no longer possible.
To maximize data value, new technical and organizational measures like GDPR compliant dynamic
Pseudonymisation and Data Protection by Design and by Default are necessary to safeguard the privacy rights of
data subjects in situations where consent is impractical, unavailable or unattainable.
Shortcomings of Traditional Security-Only Solutions
A conventional approach to improving data protection is to prescribe security upgrades. The problem with relying
on this strategy by itself is two-fold. First, security solutions limit access to data by enforcing generalized access/no-access
controls over entire datasets: they either prevent people without permission from accessing any data or grant
access to all of the data. Security-only solutions do not support fine-grained, risk-managed, use case-specific
controls over what people can do with data once they receive access. Second, security technologies such as
encryption, hashing, static or stateless tokenization, data masking, and related approaches, help to protect against
unauthorized identification of data subjects using data that directly reveals the identity of a data subject, but do
nothing to protect against unauthorized re-identification of data subjects by correlating data attributes to reveal
identity via “linkage attacks” sometimes referred to as the “Mosaic Effect.”
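Why deterministic protection leaves data linkable can be shown in a few lines. The sketch below is illustrative only – the datasets and field names are invented – but it demonstrates the core problem: because hashing and static tokenization always map the same input to the same output, records in separate datasets can still be joined on the protected values.

```python
import hashlib

def static_token(value: str) -> str:
    # Deterministic tokenization: the same input always yields the same token.
    return hashlib.sha256(value.encode()).hexdigest()[:8]

# Two hypothetical datasets protected independently with the same scheme.
hr_records = [{"zip": static_token("20500"), "age": 34, "role": "analyst"}]
med_records = [{"zip": static_token("20500"), "age": 34, "diagnosis": "..."}]

# The tokens match across datasets, so the records can be joined on
# (zip token, age) without any key or additional information: a linkage attack.
linked = [
    (h, m)
    for h in hr_records
    for m in med_records
    if h["zip"] == m["zip"] and h["age"] == m["age"]
]
print(len(linked))  # prints 1: the "protected" records still correlate
```

The join succeeds even though neither dataset contains the raw zip code, which is exactly the Mosaic Effect the section describes.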
Shortcomings of Traditional Privacy-Only Solutions
Before the GDPR, privacy was protected primarily using written contracts, “click-through” agreements and Terms of
Service (“ToS”) that set forth what organizations would be authorized to do, or not do, with data. However, for
nontechnical, non-preventive, policy-based measures to remain effective, controllers require resources and access
to monitor compliance by all counterparties to contractual commitments. Such monitoring is typically unavailable or
impractical to implement. Policy and contract-based measures also place the risk from inadequate data protection
on data subjects, due to limited recourse against data controllers and data processors for privacy violations.
Traditional, pre-GDPR technologies developed to safeguard privacy rights either work on a binary access/no
access basis (e.g., data masking) or on an aggregated basis to support generalized statistics.
In today’s changing regulatory landscape, these technologies fail to comply with new GDPR standards for modern
digital processing or they cannot support business needs for increased access to personal data without the
availability of consent. For example, combining and analyzing multiple data sets and incorporating unstructured
data – processing at the core of the new digital economy – causes traditional privacy technologies to break
down and prevents them from supporting GDPR-compliant Analytics & Artificial Intelligence (AI) processing.
Traditional approaches to data protection employ outdated static approaches to pseudonymisation. As a result,
supposedly pseudonymised data can be readily traced back to a data subject because the persistent or static
pseudonymous tokens used for a given data element do not change. Searching for a random, pseudonymised
string which repeats itself within or across databases can provide a malicious actor or interloper with enough
information to unmask the identity of a data subject.
Consider the following simple example. A database contains a zip code value of “20500,” so a static (or persistent)
pseudonymous token of “6%3a8” is used to replace every occurrence where zip code 20500 is found. Due to
advances in technology and threat-actor sophistication, such static pseudonyms can be readily linked back to
individuals via the Mosaic Effect without requiring any access to additional information to reveal that pseudonym’s
value. An example of the Mosaic Effect is the well-known case in which three seemingly “anonymous” data sets
using persistent (static) pseudonyms – each composed of the zip code, age and gender of US citizens – were
combined to identify up to 87% of the population of the United States by name.
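The contrast between static and dynamic Pseudonymisation can be sketched as follows. This is a simplified illustration, not Anonos' implementation: the dynamic pseudonymiser assigns a fresh random token to every occurrence of a value and keeps the token-to-value mapping separately, playing the role of the “additional information” in the GDPR definition.

```python
import secrets

class DynamicPseudonymiser:
    """Illustrative dynamic Pseudonymisation: every occurrence of a value
    receives a fresh random token, and the token-to-value mapping is kept
    separately under its own controls (the GDPR's 'additional information')."""

    def __init__(self) -> None:
        self._lookup: dict[str, str] = {}

    def pseudonymise(self, value: str) -> str:
        token = secrets.token_hex(4)  # fresh random token on every call
        self._lookup[token] = value   # re-identification requires this table
        return token

    def reidentify(self, token: str) -> str:
        return self._lookup[token]

# Static approach: zip code 20500 is always replaced by the same token,
# so its occurrences repeat and can be correlated across datasets.
static_tokens = ["6%3a8", "6%3a8", "6%3a8"]

# Dynamic approach: the same zip code yields a different token each time.
p = DynamicPseudonymiser()
dynamic_tokens = [p.pseudonymise("20500") for _ in range(3)]

print(len(set(static_tokens)))   # 1: every occurrence is linkable
print(len(set(dynamic_tokens)))  # 3: occurrences cannot be correlated
print(p.reidentify(dynamic_tokens[0]))  # authorized use of the separate table
```

Because the dynamic tokens never repeat, there is no stable string for an interloper to search for within or across databases, while authorized parties holding the separately kept table can still relink the data for permitted use cases.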
How to Legally Process Analytics and AI Under the GDPR
To achieve a sustainable competitive advantage and drive real value and revenue growth in today’s increasingly
regulated information economy, organizations must be on the forefront of maximizing the value of data by
leveraging Analytics & Artificial Intelligence (AI); yet, at the same time, they must comply with new, more stringent
requirements under the GDPR and similar evolving data protection regulations. Anonos
uniquely harmonizes two objectives which have previously been in opposition: it delivers data value through data
use, sharing and combination while simultaneously enabling GDPR-compliant data protection for Analytics &
Artificial Intelligence (AI).