The secondary impact of GDPR
In this blog, we explain how the GDPR legislation requires organisations to get a better grip on the pseudonymisation or masking of data that includes personal identifiers. Northdoor offers proven solutions for accelerating, simplifying and removing cost from data masking processes.
The advent of the EU General Data Protection Regulation – in force from 25th May 2018 – has brought data protection and governance into sharp focus. For organisations both private and public that deal with consumer data, the GDPR demands much more rigorous oversight than previous legislation. Given the enormous (up to 20 million EUR or 4% of global turnover!) financial penalties for non-compliance, any organisations that are not fully aware of the regulation and its impact need to get up to speed quickly.
One area that may be causing a few headaches is the so-called secondary use of data, whereby data authorised for one type of usage (either through a standard GDPR mechanism or via explicit user consent) is later used for a second purpose to which the user has not consented. As part of data governance best practices, most organisations will be placing restrictions on the re-use of data to avoid falling foul of the new regulation.
However, simply banning secondary use will potentially stop a number of standard business processes in their tracks. Where data is required to test systems or to generate statistics, a far better option is to continue to provide that data – but in a pseudonymised or masked format.
By editing data sets so that individual elements of data can no longer be traced back to a specific person (except by the person in control of the masking process, naturally), organisations can maintain existing processes while respecting the requirements of the GDPR.
Scaling up to the challenge
That’s easy in theory, but somewhat harder in practice when you’re potentially dealing with hundreds or thousands of sources of data across numerous processes, departments and external partners. Happily, Northdoor has deep experience in deploying automated solutions for discovering, categorising, and irreversibly masking data. (The masking is “irreversible” only from the perspective of untrusted parties: masked reference codes remain within the original organisation and are linked to the source data, enabling authorised staff to trace masked data back to the original record as required.)
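As an added illustration of the approach described above (not Northdoor's product or code), here is a keyed-hash pseudonymiser in which the key and the lookup table stay with the controller, so only authorised staff can trace a masked value back. The use of HMAC-SHA256, the field names and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data).
RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "spend": 120},
    {"customer_id": "C-1002", "email": "bob@example.com", "spend": 75},
    {"customer_id": "C-1001", "email": "alice@example.com", "spend": 30},
]
IDENTIFIER_FIELDS = ("customer_id", "email")  # assumed personal identifiers


class Pseudonymiser:
    """Held by the data controller; key and lookup table never leave it."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._lookup = {}  # masked reference code -> original value

    def token(self, field, value):
        # Keyed hash: without the key, a recipient cannot recompute tokens by
        # hashing guessed inputs, which a plain unkeyed hash would allow.
        msg = f"{field}\x00{value}".encode()
        tok = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        self._lookup[tok] = value
        return tok

    def mask(self, record):
        # Replace identifier fields only; other values pass through unchanged.
        return {k: self.token(k, v) if k in IDENTIFIER_FIELDS else v
                for k, v in record.items()}

    def trace(self, tok):
        # Controller-side re-identification of a masked reference code.
        return self._lookup[tok]


def spend_per_customer(rows):
    # Statistics still work on masked rows because tokens are deterministic.
    totals = {}
    for r in rows:
        totals[r["customer_id"]] = totals.get(r["customer_id"], 0) + r["spend"]
    return totals


def demo():
    p = Pseudonymiser()
    return p, [p.mask(r) for r in RECORDS]
```

Only the masked rows would be handed to test or reporting teams; the `Pseudonymiser` instance, with its key and lookup table, stays inside the controlling organisation.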
For more information, read our latest article: Data Masking and GDPR