Data Privacy and Protection Series – Data Anonymization: Turning Privacy and Protection into a Core Business Competency
Part 6 of a 6-Part Series
As much as people talk about data being “the new oil,” I think it’s more like “the new uranium.” It is equal parts toxic liability and super-powerful asset fuel – coming together to energize real-time insights and accurate predictions.
Like a uranium mine, companies face a growing landscape of strict regulations that broaden business responsibilities for data privacy and protection. According to Jules Polonetsky, CEO of the Future of Privacy Forum, this is only the beginning.
“It’s not a compliance function to map your data, categorize it, make decisions about smart access and deletion, and manage cookies. These are now core business engineering functions,” says Polonetsky. “If you want to scale it, stop chasing regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Everything will continue changing.”
The regulatory landscape continues to evolve to keep data better protected. However, businesses are often uncertain how to innovate new ways to extract and apply information while remaining compliant.
Why data anonymization is the answer
Fortunately, the Austrian Data Protection Authority (DPA) made a decision that could help release this pent-up demand for intelligence. It ruled that anonymization is a compliant way to fulfill the right of erasure and the right to be forgotten, as mandated by GDPR. This same line of thinking holds for all countries within the GDPR’s jurisdiction and was also published by authorities in Germany. And many countries outside Europe – such as Brazil and Korea – are also taking the same position as they consider the parameters of data anonymization within the scope of existing data privacy and protection laws.
Data anonymization allows organizations to use personal and sensitive data in a form that is no longer subject to privacy regulations, while demonstrating accountability in protecting individuals’ privacy rights. Decision-makers can draw insights from data sets stripped of the identifying information (such as a name or social security number) that is not legally available for analysis.
When used for analytics, machine learning, or process automation, anonymizing data in real time helps ensure that decision-makers work with the latest data while never duplicating it or exposing it to unauthorized eyes. Meanwhile, the business can demonstrate faithful compliance with strict data privacy and protection regulations, which is a compelling reason for customers, partners, and employees to provide their sensitive and confidential data.
Where choosing anonymization over pseudonymization matters
A common mistake about data anonymization is not knowing how it differs from data pseudonymization. Considering the vast array of technologies designed to mask data and user interfaces, it’s no wonder this topic is confusing. But understanding these distinctions couldn’t be more important.
Abstractly speaking, data pseudonymization is replacing a name or unique identifier attached to a piece of data with an unrelated name or identifier. Suppose a patient, “Jane Smith,” gave her healthcare provider data such as her age, daily activities, eating habits, and health records. If data pseudonymization practices were applied, the data manager would swap out “Jane Smith” with, for example, “Minnie Mouse” in the data source.
When authorized users accessed this information, they might not know who gave those personal details. However, more personal identifying information may still be present – which does not fulfill the current definition of anonymization. Instead, data such as a birth date, office location, blood type, and weight can become clues that, when pieced together, can help identify the original owner of the data set. For that reason, businesses must still comply with data privacy protection regulations.
Anonymization, on the other hand, helps ensure individuals are no longer identifiable by changing a combination of the aforementioned identifiers more substantially – to the point where the data is not unique anymore. The upside of this exercise is that the anonymized data is not subject to privacy regulations.
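The distinction above can be measured. This added example (not from the original post or from SAP) applies pseudonymization and then generalization to the same constructed patient records and counts how many records are still unique on birth date, office, blood type, and weight. Generalization and the k-anonymity count are one common way to express "not unique anymore"; the post does not name a method, and the records, field names, and function names are assumptions.

```python
from collections import Counter

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"name": "Jane Smith", "birth_date": "1984-03-12", "office": "Berlin", "blood_type": "A+", "weight_kg": 62},
    {"name": "Omar Haddad", "birth_date": "1986-07-30", "office": "Berlin", "blood_type": "A+", "weight_kg": 68},
    {"name": "Li Wei", "birth_date": "1981-11-02", "office": "Berlin", "blood_type": "A+", "weight_kg": 71},
    {"name": "Ana Costa", "birth_date": "1992-01-19", "office": "Munich", "blood_type": "O-", "weight_kg": 80},
    {"name": "Tom Becker", "birth_date": "1995-05-05", "office": "Munich", "blood_type": "O-", "weight_kg": 84},
    {"name": "Sara Novak", "birth_date": "1990-09-23", "office": "Munich", "blood_type": "O-", "weight_kg": 95},
]
QUASI_IDS = ("birth_date", "office", "blood_type", "weight_kg")

def pseudonymize(records):
    """Swap only the direct identifier; every other attribute is kept exact."""
    return [{**r, "name": f"subject-{i:03d}"} for i, r in enumerate(records, 1)]

def anonymize(records):
    """Drop the name and coarsen quasi-identifiers (decade, 20 kg band)."""
    out = []
    for r in records:
        low = r["weight_kg"] // 20 * 20
        out.append({
            "birth_date": r["birth_date"][:3] + "0s",   # 1984-03-12 -> 1980s
            "office": r["office"],
            "blood_type": r["blood_type"],
            "weight_kg": f"{low}-{low + 19}",           # 62 -> 60-79
        })
    return out

def group_sizes(records, keys=QUASI_IDS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI_IDS):
    """Smallest group size: k == 1 means at least one record is unique."""
    return min(group_sizes(records, keys).values())

def at_risk(records, keys=QUASI_IDS, k=2):
    """Number of records whose quasi-identifier group has fewer than k members."""
    return sum(n for n in group_sizes(records, keys).values() if n < k)

if __name__ == "__main__":
    for label, data in (("pseudonymized", pseudonymize(RECORDS)),
                        ("anonymized", anonymize(RECORDS))):
        print(f"{label}: k={k_anonymity(data)}, records at risk={at_risk(data)}")
```

The result depends on which attributes are listed in `QUASI_IDS`: leaving out an attribute that an outside party could know overstates k.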
How the right technology helps ensure proper accountability
The technology must support data privacy and protection matters, especially when anonymizing data.
Consider an energy company that collects meter readings hourly from every customer it serves. This information is critical not only for generating monthly invoices, but also for determining where outages may soon occur, potential system overload, and changing energy demand. Call center agents must access specific data that indicates identity to help customers who contact them or request field technicians to address a problem in a particular area.
In some ways, data anonymization may seem too restrictive for this scenario. However, data pseudonymization does not protect the privacy of the customer. Suppose the energy company adopted an intelligent and privacy-centric data platform. In that case, it could find all data points, understand the purpose of each, and invoke the right level of anonymization and/or pseudonymization.
By putting a different lens on the system landscape, you can classify each data type as personal, confidential, or public and determine whether it should be masked or anonymized. Now that each piece of data is categorized appropriately, call center agents only have access to minimal, but useful, information – for example, the last four digits of a credit card number – while all remaining data remains secure.
With the right data anonymized, businesses innovate confidently
It’s undeniable that customers expect their data to remain private and secure and want their experiences personalized. Yet, achieving such a delicate balance can be challenging when a business does not know which data should remain anonymized or identifiable.
But with the proper technology, organizations can identify and classify the right data to anonymize to protect personal and sensitive information without duplicating it, while ensuring every customer experience is engaging. Better yet, they can innovate new ways to use data-driven insights to move ahead – and stay ahead – of the competition.
Want to know how SAP can help? Learn about SAP Solution Extensions from BigID and SAP HANA Data Anonymization.