How Organizations Can Avoid GDPR Fines Through Anonymization and Pseudonymization
Learn how to comply with GDPR by using anonymization and pseudonymization to protect personal data and avoid hefty fines from EU regulators.
Anonymization and Pseudonymization under GDPR
Added on 09/28/2024

Speaker 1: Hey everyone, so we've been hearing more and more in the news about how EU regulators continue to unleash massive fines on tech giants such as Google and Facebook for violations of the GDPR. So I thought we'd switch it up and discuss ways organizations can avoid making those unwanted headlines. But first, let's quickly review how organizations find themselves subject to the GDPR. The GDPR's requirements apply to anyone processing the personal data of individuals located within the EU. Personal data includes any information about identified or identifiable persons. An identifiable person is a person that can be identified directly or indirectly by reference to an identifier such as a name, identification number, location data, or online identifiers. To process personal data, the GDPR requires organizations to embed appropriate technical and organizational measures, which include data protection safeguards such as anonymization and pseudonymization. So what is anonymization? Recital 26 in the GDPR defines anonymized data as personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Personal data that is anonymized is exempt from the requirements of the GDPR due to the fact that the data no longer identifies the individual and thus eliminates any risk to their rights and freedoms. Let's take an example of anonymization. A private university wants to learn how many of its former students transferred to a new university, and if so, which university. For this purpose, the university collects the data of all its students who transferred during the last 10 years by emailing them and requesting that they participate in an online survey. To anonymize the data, the survey does not include questions concerning name, email address, date of birth, or the year in which they graduated. Also, it does not record the IP addresses of the individual participants. 
Furthermore, in order to avoid the identification of former students who transferred to, let's say, uncommon schools, the organization will group those in a group labeled Other Schools in order to avoid collecting information that would allow singling out individuals. By minimizing the amount of data collected to what was absolutely necessary in order to carry out its survey, the likelihood of re-identification becomes extremely small. Thus, the anonymization is successful and the GDPR does not apply. However, it's important to note that the process of anonymizing data constitutes further processing. Under GDPR, this means that the organization's purpose for processing anonymous data must be compatible with the original purpose of processing, unless the organization has a separate lawful basis to process the anonymous personal data for an incompatible purpose. Also, because the standard of anonymizing data is so high, organizations may consider imposing contractual terms on the party receiving the anonymized data to reduce the risk of re-identification. For example, by either restricting the use of the data or imposing security measures to help prevent re-identification. Under GDPR, an organization may also implement the safeguard technique of pseudonymization. The GDPR defines pseudonymization as the processing of personal data where the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that the organization keeps the additional information separate and secure, and uses technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces the linkability of data to its data subjects by separating the data from direct identifiers. However, it does not prevent re-identification, which is the key difference between it and anonymization. Let's take a look at how pseudonymization may play out in practice. 
Consider, for example, an organization comprising Entity A and Entity B. Entity A collects the personal data of its users regarding the list of products it sells, while Entity B receives the collected data for profiling, specifically to determine purchase behaviors. But before the users' personal data is provided to Entity B, it is pseudonymized by removing personal user information, like their names and addresses, and replacing it with reference numbers. These reference numbers are stored separately with the organization's data protection officer, who safeguards the data and does not disclose it to Entity B. As a result, Entity B cannot link the data to its respective customers, thus making the personal data pseudonymized. Despite not having any personal data, Entity B analyzes the pseudonymized data and learns that its products, numbers 5 and 6, tend to be purchased together. This is valuable information to Entity B. It may now decide to market these products in a bundle or recommend one when a shopper has placed the other in their shopping cart. This example highlights how businesses can gain helpful insights into marketing their products and at the same time protect the rights and freedoms of their customers' personal data. As organizations continue to implement state-of-the-art technologies such as artificial intelligence, which tend to collect and analyze as much data as possible, they will need to embed safeguard measures like anonymization and pseudonymization in order to demonstrate compliance with the GDPR. And as we have seen, these methods can reduce the risk of re-identification and also preserve the value of data assets. As always, if you have any questions or ideas for videos that you would find helpful, feel free to leave comments in the box below. And to learn more about GDPR and how our team at DPO Advisor can help you, visit our website at dpoadvisor.com and reach out to our team today.
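The two techniques described in the talk, as an added worked example that is not part of the transcript or of DPO Advisor's materials. It models the Entity A / Entity B scenario: direct identifiers (name, address) are stripped from purchase records and replaced with reference numbers, the reference-to-identity mapping is kept as a separate object that only the data protection officer holds, and Entity B's co-purchase analysis runs on the pseudonymized records alone. It also shows the "Other Schools" generalization step from the university survey, which removes rare values so individuals cannot be singled out. All records, names, product numbers and school names are constructed sample data; the function names and the `REF-` numbering scheme are assumptions of this example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: Entity A's raw purchase records (hypothetical people and addresses).
RAW_RECORDS = [
    {"name": "Alice Example", "address": "1 Sample St", "products": [5, 6]},
    {"name": "Bob Example", "address": "2 Sample St", "products": [5, 6, 2]},
    {"name": "Carol Example", "address": "3 Sample St", "products": [1]},
    {"name": "Alice Example", "address": "1 Sample St", "products": [5, 6]},
    {"name": "Dan Example", "address": "4 Sample St", "products": [2, 5]},
]

# Fields the organization treats as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "address")


def pseudonymize(records, identifier_fields=DIRECT_IDENTIFIERS):
    """Strip direct identifiers and replace them with reference numbers.

    Returns (pseudonymized_records, mapping). The mapping is the "additional
    information" in the GDPR definition: it must be stored separately (with the
    DPO) and never handed to the analyzing entity.
    """
    mapping = {}   # reference number -> identifying fields (DPO-held)
    reverse = {}   # identifying tuple -> reference number, so a repeat customer keeps one ref
    pseudonymized = []
    for rec in records:
        key = tuple(rec[f] for f in identifier_fields)
        if key not in reverse:
            ref = f"REF-{len(reverse) + 1:04d}"   # hypothetical numbering scheme
            reverse[key] = ref
            mapping[ref] = dict(zip(identifier_fields, key))
        clean = {k: v for k, v in rec.items() if k not in identifier_fields}
        clean["ref"] = reverse[key]
        pseudonymized.append(clean)
    return pseudonymized, mapping


def contains_direct_identifiers(pseudo_records, identifier_fields=DIRECT_IDENTIFIERS):
    """Check that no direct identifier field survived pseudonymization."""
    return any(f in rec for rec in pseudo_records for f in identifier_fields)


def copurchase_pairs(pseudo_records):
    """Entity B's analysis: how often each pair of products is bought together."""
    counts = Counter()
    for rec in pseudo_records:
        for pair in combinations(sorted(set(rec["products"])), 2):
            counts[pair] += 1
    return counts


def reidentify(pseudo_record, mapping):
    """Only possible with the DPO-held mapping; Entity B cannot do this."""
    return mapping[pseudo_record["ref"]]


def generalize_rare_values(values, min_count=3, other_label="Other Schools"):
    """University-survey step: bucket values seen fewer than min_count times
    into a shared label so a rare answer cannot single out one respondent."""
    counts = Counter(values)
    return [v if counts[v] >= min_count else other_label for v in values]


if __name__ == "__main__":
    pseudo, dpo_mapping = pseudonymize(RAW_RECORDS)
    print("identifiers left:", contains_direct_identifiers(pseudo))
    print("top pair:", copurchase_pairs(pseudo).most_common(1))
    schools = ["Univ X"] * 4 + ["Univ Y"] * 3 + ["Tiny College", "Remote Institute"]
    print(Counter(generalize_rare_values(schools)))
```

Note that `copurchase_pairs` learns the products-5-and-6 insight from `pseudo` alone, while `reidentify` needs `dpo_mapping`: that split is what makes the data pseudonymized rather than anonymized. The generalization step, by contrast, discards information and is what the talk relies on for the survey to fall outside the GDPR.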
