Once you’ve identified what sensitive information your organization has, you can take measures to address it. In this final article of our series, we’ll introduce you to some ways to mitigate risk in order to protect customer privacy. If necessary, read our previous sections first.
Read Part 1: AVG on customer privacy >
Read Part 2: Identifying traceable data >
Risks due to data processing
During the processing of personal data, potential risks to data subjects must be identified. Appropriate measures help prevent or reduce risks. A data subject in this context means a person about whom data is collected and processed.
The table below provides an example for the nature and extent of potential risks to stakeholders:
The occurrence of the listed risks can lead to considerable consequences, such as reputational damage, enforcement by regulators or recovery of damages.
Risk mitigation measures to protect privacy
So what practical solutions are available to protect your client’s privacy while also considering the interests of a data controller (such as a data analyst)? For example, for a data analyst, there are several methods available that allow processing of data while maintaining privacy. In this article, we specifically mention:
- Generalizing
- Pseudonymizing
- Anonymize
Generalizing assures you that combinations of (indirect) personal data are not identifying. Letters in the zip code can be omitted. Or, only the month or year of birth are included in the edit instead of the full date. Original data remain (partially) visible, which makes generalization different from pseudonymization.
Pseudonymization is a procedure that replaces identifying data with an algorithm. Available algorithms can always calculate the same pseudonym for a person, allowing information coming from different sources to be combined. Thus, pseudonymization differs from anonymization. With anonymization, linking information from different sources by person is no longer possible. With (reversible) pseudonymization, there is therefore the possibility of tracing data back to an individual. By the way, reversal is subject to very strict technical and organizational requirements. Permission from multiple parties is also required.
Anonymization is irreversible. After applying this, data are no longer traceable to individuals. Anonymization is used when personal data are no longer needed for the original purpose for which they were collected (e.g., communication). However, analysis is possible, for example in the context of research. Examples of anonymization include assigning an arbitrary new ID, removing columns, or aggregating columns.
- Randomly assign new ID
Each record is assigned a random new ID, this can be as simple as a row number. Potentially identifying data are removed from the table. - Removing columns
This method simply removes columns of potentially identifying data from the table. - Aggregate
The data is aggregated by day or by month, so the data is lost at the individual level. Consider, for example, a count of the number of new customers per day.
Need advice?
Do you need advice on applying risk avoidance measures? If so, please contact us. We help evaluate the risks and apply functional and/or technical measures where necessary, supporting your data analysis ambitions. Want to know more? Then also check cmotions.co.uk/data-governance.
Contact
Want to know more about this topic? If so, please contact Michaela Legerstee or Jeroen Groothedde using the contact information below.
Michaela Legerstee, Senior Consultant
+31 6 31 00 52 81
m.legerstee@cmotions.nl
Jeroen Groothedde, Senior Consultant
+31 6 22 88 89 98
j.groothedde@cmotions.nl
Michaela Legerstee
