Is 2020 finally the year of the PETs (Privacy Enhancing Technologies)?
What if we told you that many technologies that enhance personal data protection and enable business value already exist? They are called Privacy Enhancing Technologies, or PETs. This is the first blog in a series in which we introduce some of them and explain how they can support your organisation’s needs.
Written by Wouter Ernst & Yi Yin | October, 2019
Definition of PETs
Let’s start with: what are PETs? Well, as with many technologies, they have been defined in various ways. A well-known definition is that PETs are “a coherent system of ICT measures which protect privacy by reducing personal data or by preventing undesired personal data processing … without losing the functionality of the information system”. No matter how PETs are defined, they use various technical means in order to protect privacy by providing anonymity, pseudonymity, unlinkability, and unobservability of data subjects.
In this blog we will give a short overview of the various categories of PETs and name a number of techniques that are new and promising. Links are provided for readers who want to explore a technique in depth, but do remember: we are doing all the hard work for you and will be publishing more blogs with easy-to-understand descriptions of each and every one of them.
Limitation of use
One of the most commonly used privacy protection approaches is to restrict data access to authorized users only, based on certain pre-defined policies (e.g. role-based and key-based access control policies). Increasingly complex data use can make it difficult to limit personal data access solely based on such policies. A PET which can overcome such challenges is Attribute-based access control, which can dynamically grant access rights by applying many different attributes such as role, action or context (e.g. time, device or location). Another way of limiting data use is an E-consent system, which allows data subjects to determine what personal information can be accessed by others. This approach needs the support of a privacy-specific access control language, such as P3P, EPAL or XACML, which allows online service providers to implement machine-readable privacy policies.
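The attribute-based decision described above, sketched as an added example that is not part of the original blog: the same role gets a different answer when the time, device or location changes, and anything no rule covers is denied. The `Request` fields, rule names and policy values are all hypothetical.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    role: str
    action: str
    when: time            # context: time of the request
    device_managed: bool  # context: device
    location: str         # context: location


# Constructed policy set; every name and value here is hypothetical.
POLICIES = [
    {"name": "clinical-read-daytime", "roles": {"nurse", "physician"},
     "actions": {"read"}, "hours": (time(7, 0), time(19, 0)),
     "managed_device_only": True, "locations": {"hospital", "remote"}},
    {"name": "physician-write-on-site", "roles": {"physician"},
     "actions": {"read", "write"}, "hours": (time(0, 0), time(23, 59, 59)),
     "managed_device_only": True, "locations": {"hospital"}},
]


def rule_matches(rule: dict, req: Request) -> bool:
    """A rule applies only if every attribute condition holds."""
    start, end = rule["hours"]
    return (req.role in rule["roles"]
            and req.action in rule["actions"]
            and start <= req.when <= end
            and (req.device_managed or not rule["managed_device_only"])
            and req.location in rule["locations"])


def decide(req: Request, policies=POLICIES) -> tuple:
    """Return ("permit", rule name) for the first matching rule, else default deny."""
    for rule in policies:
        if rule_matches(rule, req):
            return ("permit", rule["name"])
    return ("deny", None)


if __name__ == "__main__":
    base = dict(role="nurse", action="read", device_managed=True, location="hospital")
    print(decide(Request(when=time(10, 30), **base)))  # same role, daytime
    print(decide(Request(when=time(23, 0), **base)))   # same role, night
```

A role-only check would return the same answer for both requests in the demo; here the decision also depends on the context attributes, and returning the matching rule name gives an audit trail for each permit.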
While encryption is at least as old as Roman times and incorporated in many technologies these days, modern developments mean even more is possible. An up-and-coming development is Homomorphic encryption. This is a form of encryption that would allow calculations on encrypted data; a very exciting tech that could offer enhanced protection by never showing personal data in plain text.
Anonymization is a very important approach for privacy protection which either encrypts or removes identifiable personal data from datasets. In this way untrusted users can access the datasets but cannot “read” the individuals’ identities. Important techniques within this category are Multi Party Computation, Differential privacy, Federated analysis, K-anonymity and anonymizing services like Off‐the‐Record messaging, Private information retrieval and Tor anonymization frameworks.
The General Data Protection Regulation (GDPR) has a very lengthy definition of pseudonymisation, but in essence it means: replacing identifying data with artificial identifiers. From a GDPR perspective, pseudonymous data still leaves some space for re-identification of data subjects and thus remains personal data, while anonymous data cannot be re-identified and would therefore fall outside the scope of personal data. Pseudonymisation methods include the following techniques: Scrambling, Masking, Tokenization and Data blurring.
An array of practical reasons appears to hamper the implementation of PETs. Often-mentioned reasons are costs, legacy information systems, complex organizational processes, lack of T-shaped experts, awareness of privacy regulations, etc. However, we’d argue that with a specialized toolbox and a customized adoption plan for implementing the PETs – taking into account the usability of datasets and privacy requirements – many data protection practices can be improved. Moreover, to us it feels that come 2020 this might finally be within reach for a lot of organisations.
This blog is the first in a series of blogs focusing on PETs. The next blogs will deep-dive into the different PETs we listed here, starting with a blog about Multi Party Computation. We wish you happy reading!
If you are interested in Deloitte’s Privacy by Design services, don’t hesitate to contact us. For a wide range of industry sectors we can bring together an experienced team of professionals with technical, organisational and legal expertise that can support you in your privacy and security efforts.