Overview
Read this article from a comprehensive knowledge base, updated and supplemented with articles reviewed by scientific committees.
Read the articleAUTHOR
-
Louis-Philippe SONDECK: Data anonymization consultant, Doctorate in Computer Science from Pierre et Marie Curie University - Independent consultant, Bagneux, France.
INTRODUCTION
The new Data Protection Regulation (RGPD) brings profound and unprecedented changes to the way organizations manage data. There is virtually no comparable piece of legislation, both in terms of scope and penalties. The RGPD concerns all forms of organization (large or small companies, public or private, associations...), wherever they may be in the world, as long as they process personal data of European residents. Penalties for non-compliance can range up to €20 million or 4% of the worldwide turnover of the company concerned (whichever is higher).
Beyond the financial penalties, the RGPD presents other considerable stakes as it very precisely frames personal data, known to be the oil of our era. It's obviously hard to deny the central place that data occupies in value creation; this, both for the development of new services, and for the improvement of existing ones. The RGPD thus applies to all processing of personal data (collection, recording, organization, storage...), and can, in certain cases, prohibit their implementation, and even impose the deletion of collected data. For example, one of the principles of the RGPD is the retention period limitation, which prohibits the retention of data beyond a certain duration; they will then have to be deleted or archived with restricted access.
In order to avoid the constraints of the RGPD without depriving oneself of the benefits of data, the only alternative provided by the regulation is data anonymization. Indeed, for the RGPD, anonymized data is equivalent to deleted data, and the principles of the RGPD no longer apply. This is because anonymization transforms personal data into data that is no longer personal.
However, implementing anonymization requires special precautions, due to the significant risks involved. Unfortunately, anonymization is still the subject of a great deal of confusion and preconceived ideas on the part of many data stakeholders. Among the most notable confusions are the use of pseudonymization (e.g., "data masking") in place of anonymization, and confusion between anonymization and encryption. Indeed, history records numerous cases of poor anonymization, using pseudonymized data instead of anonymous data, which led to serious breaches of privacy. Examples include the pseudonymized data of New York cabs, which made it possible to identify strip bar customers; or the case of health data published by an insurance agency in the USA, which in 1997 made it possible to re-identify the governor of the state of Massachussetts, by tracking down the illness from which he was suffering. These risks led the G29 (Group of European Data Protection Authorities) to publish an opinion on anonymization techniques in 2014
Exclusive to subscribers. 97% yet to be discovered!
You do not have access to this resource.
Click here to request your free trial access!
Already subscribed? Log in!
The Ultimate Scientific and Technical Reference
This article is included in
Security of information systems
This offer includes:
Knowledge Base
Updated and enriched with articles validated by our scientific committees
Services
A set of exclusive tools to complement the resources
Practical Path
Operational and didactic, to guarantee the acquisition of transversal skills
Doc & Quiz
Interactive articles with quizzes, for constructive reading
Data anonymization, a necessity in the RGPD era
Bibliography
Standards and norms
- ISO Technologie de l'information : technique de sécurité - ISO/IEC 29100 - 2011
Regulations
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJEU L 119/1 of 4 May 2013, http://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:32016R0679&from=FR...
Exclusive to subscribers. 97% yet to be discovered!
You do not have access to this resource.
Click here to request your free trial access!
Already subscribed? Log in!
The Ultimate Scientific and Technical Reference