LONDON, March 25, 2020 /PRNewswire/ — Over 700 senior privacy and data innovation professionals from around the world recently joined a webinar hosted by the Data Protection World Forum, discussing Pseudonymisation-enabled Legitimate Interests processing with a focus on new legal requirements for direct marketing under GDPR.
The webinar was led by Dr. Sachiko Scheuing, European Privacy Officer at Acxiom, Martin Abrams, Chief Strategist at the Information Accountability Foundation (IAF), and Gary LaFever, CEO & General Counsel at Anonos.
Dr. Sachiko Scheuing said: “Organisations can no longer rely on consent, contract or anonymisation alone to make direct marketing lawful.”
Martin Abrams commented: “People do not believe that there is a solution that supports the Legitimate Interests processing that is required for lawful direct marketing, but Pseudonymisation (as newly defined under the GDPR) can protect data when in use to enable this.”
Gary LaFever added: “Organisations cannot rely on what they have done up to today to benefit from what Pseudonymisation makes possible under GDPR; they can go to www.enisaguidelines.com/comparison to compare their current approach against new requirements for Pseudonymisation under the GDPR.”
The webinar panelists highlighted that if organisations cannot answer “YES” to all four of the following questions, they must stop personalised direct marketing per proposed guidance issued by the UK Information Commissioner’s Office (ICO):
- Does your organisation use technology that demonstrably and verifiably enforces policies that protect data when in use?
Example: Do you have technical controls that transform data while enforcing privacy protection policies for data in use? Encryption only protects data at rest and in transit, not in use.
- Does your organisation use dynamically changing de-identifiers? (see www.MosaicEffect.com)
Example: Relinking to identity should only be possible with the use of separately-kept “Additional Information.” Static tokens that are consistent across data are vulnerable to re-identification via linkage attacks, referred to as the Mosaic Effect. This means that you need to use dynamically-changing identifiers instead.
- Does your organisation’s technology satisfy new statutory requirements to get the benefits of Pseudonymisation? (see www.Pseudonymisation.com)
Example: Relinking to identity should only be possible with the use of separately-kept “Additional Information.” Use of static tokens and a failure to protect indirect identifiers could result in unauthorised relinking to identity, increasing the possibility of unlawful processing of personal data.
- Does your organisation’s Pseudonymisation technology satisfy new EU technical standards? (see www.EnisaGuidelines.com)
Example: Failing to use state-of-the-art techniques for pseudonym generation, and failing to supplement pseudonymisation with anonymisation techniques, leaves data vulnerable to unauthorized re-identification.
However, organisations who can answer “YES” to all four of these questions are well-positioned to maximise data value and utility to their competitive advantage by leveraging Pseudonymisation-enabled Legitimate Interests processing.
Key Take-Aways from Webinar
- SOS Alert: Direct marketing to customers and innovative data uses could be at risk.
- The webinar presentations and questions emphasized that consent, contract and anonymisation are no longer reliable for legally processing personal data.
- You must consider Legitimate Interests as a legal basis for processing. This requires new technical controls that protect data when in use to meet the balancing of interests test required under GDPR.
- No one wants to be left behind: immediate action is required.
About Anonos: Anonos enables lawful analytics, AI and ML in a way that preserves 100% of data accuracy while expanding opportunities to ethically share and combine data. Anonos Pseudonymisation and Data Protection by Design & by Default technology reconciles conflicts between protecting the rights of individuals and achieving business and societal objectives. As a result, you can use, share, combine and relink data in a lawful manner. Anonos-patented Variant Twins® enable sharing, collaboration, and analytics of personal data by technologically enforcing dynamic, fine-grained privacy, security and data protection policies in compliance with the GDPR, CCPA and other evolving data privacy regulations. https://www.anonos.com
MEDIA CONTACTS
Liberty Communications on behalf of Anonos
anonos@libertycomms.com +44 207 751 4444