The General Data Protection Regulation (GDPR) and The California Consumer Privacy Act (CCPA) are in full effect. Organisations that process information about people living the European Union or California – and that’s likely to include anyone reading this article – face heavy fines if they are not compliant. Data anonymization can help.
These regulations significantly limit how businesses collect, share and process personal data.
At the same time, companies continue to need to use data to drive their business forward, including use cases such as:
- Market analysis and insight
- Innovating new products and services
- Delivering a great user experience, both online and through other touch points
- Software development
This means, to remain compliant with the regulations, while getting the most benefit from your data, you have to remove the ‘personal’ element from some of it.
This is where data anonymization comes in. It allows you extract value from your data while also reducing the risk of data breaches and regulatory non-compliance.
No half-measures: pseudonymization is not enough
Make no mistake, there is no substitute for data anonymization when it comes to data protection. Pseudonymization doesn’t go far enough.
It replaces identifying fields within a data record with an artificial identifier or pseudonym. If you can use pseudonymous data, tags or identifiers to work back to the original personal information, it falls under the regulations.
A recent report found that ‘over 99% of Americans could be correctly re-identified from any dataset using 15 demographic attributes, including age, gender and marital status.’
This is because it’s possible to discover personal details from pseudonymized data. While it does improve privacy, it simply reduces the link to personal data. It does not fully remove the connection to the original identity of an individual.
This is why, to be able to use your data fully, you need data anonymization. Anonymized data is not subject to data protection laws as it removes sensitive details while keeping valuable business information. The insights are still there: you don’t need to know the names of all the people visiting your website to track visitor numbers, for example.
Regulators will take into consideration the cooperation and efforts of a business to tackle the problem, but it’s still a very risky place to be. If you haven’t got a data anonymization strategy in place yet, don’t despair, there’s always time to fix it.
What’s the worst that can happen?
Quite a lot, actually. And none of it good.
Failure to have a data anonymization strategy will put your business at risk of hefty fines, tiresome paperwork and damages to your name.
GDPR gives data regulators the power to fine up to €20m (over $22m) or 4 percent of annual turnover, whichever is greater. The CCPA will be able to impose fines of up to $7,500 per record.
An example such a fine involves the Danish taxi service, Taxa 4x35. They are currently facing a $177,000 fine for failing to delete or anonymize its data.
The GDPR voice has undoubtedly made itself loud and clear. As of September 2019, the EU authorities have announced, or at least published their intention to issue, fines adding up to more than €372,000,000 ($411,000,000).
There’s no hiding from these regulations. Cathay Pacific suffered a data breach that led to 9.4 million passengers’ data being compromised. They stopped collecting this type of personal data 13 years before the breach – but never got around to deleting it.
Privacy and security issues get even more severe when outsourced companies or external project team members become involved. There are even greater risks in regulated industries such as banking, insurance, healthcare and telecommunications. Failure to comply will be putting your business at risk of violating licenses and accruing additional costs.
No data anonymization strategy? Act now!
The good news is that creating a barrier to these risks is not as cumbersome as you might think. The sooner you comply with the regulations, the more likely you are to avoid a nasty fine. And implementing a data anonymization strategy ensures that even if a breach were to occur, your business is safe. This is because the leaked data wouldn’t contain any identifying data. All you would lose is access to aggregate metrics.
Managing the data challenges to your business in a strategic way will improve your internal processes, save you money and protect your brand. But don’t go running in blind.
It’s essential to take your business out of the danger zone. Protect yourself and your brand by taking control of your data. Making well-informed technical decisions up front and getting rid of extraneous information will eliminate the risk.
To learn more about the steps you can take to remove danger from data, watch our on-demand webinar: Removing Danger From Data