An introduction to Privacy-enhancing technologies (PETs)
Maximising data value while preserving privacy
06 July 2021
Gartner's influential global 'Top 10 Strategic Technology Trends' lists privacy-enhancing technologies (PETs) as a key trend for 2021. But, what are PETs and how are businesses using these technologies?
The term 'PETs’ typically refers to technologies that help mitigate privacy risk. As the use and analysis of data is increasing rapidly, many businesses, particularly in the healthcare and financial services sectors, are turning to PETs offered by companies such as Privitar to realise the value in the analysis of large (often sensitive) data sets, while also ensuring compliance with privacy laws and ethical data principles.
How do PETs work?
PETs use a broad range of techniques to protect the confidentiality and privacy of personal or sensitive information, while ensuring the data remains in a format that can still be used for analytics, machine learning etc. Many PETs can be integrated into cloud environments, such as AWS and Microsoft Azure. Techniques may include:
Encryption – certain PETs allow for the processing of encrypted data, without revealing the raw data itself. This means that the value of the data can be realised by business teams even when they do not have access to the raw (often sensitive) data.
Tokenisation – de-identifying data by replacing values, such as customer names or sensitive data, with randomly generated tokens or pseudonyms.
Generalisation – replacing specific data with less precise values. For example, reducing a date of birth to the year of birth.
Watermarks – applying visible/invisible watermarks so protected data can easily be tracked.
How can PETs help with data protection compliance?
- Some techniques allow for true anonymisation, to take data outside of data protection regimes.
- Where true anonymisation is not possible or suitable, PETs can help apply controls to data and the surrounding IT environment to achieve an acceptable level of privacy risk that may allow processing on the legal basis of legitimate interests.
- PETs, together with organisational measures, can create an environment that meets the legal and regulatory requirements for international data transfers.
- The GDPR requires businesses to implement data protection by design and default. PETs allow businesses to directly embed technical measures into the design of their systems.
- By minimising personal data use and retention and maximising data security, the risk of a personal data breach is significantly reduced.
Which businesses are using PETs?
The NHS is currently estimated to hold the health data of over 55 million individuals. Privitar, ranked as one of the fastest-growing technology companies in the UK by Deloitte Fast 50, is the provider of a single PET solution that is used NHS-wide. Through using this solution, one of the major benefits is the ability to de-identify data and ensure only certain parts of the organisation can reidentify data for security reasons. This allows research and analytics to be carried out on the data, without providing sensitive data to third parties.
FCA Tech Sprint
The FCA launched a global anti-money laundering and financial crime tech sprint, which focused on how the sharing of information can tackle money laundering and financial crime concerns. The participants of the tech sprint presented solutions on how PETs can be used to tackle money laundering and financial crime. Inpher, Goldman Sachs and Standard Chartered developed a solution to allow data to be shared between multiple institutions to identify suspicious transactions and patterns of concern.
The ICO is currently calling for views on its draft guidance in this area. Whilst the PET market continues to develop in terms of product offerings, there are still some hurdles to widespread implementation, from their complexity to implementation costs. However, this is certainly an area to watch, as more businesses are adopting PETs as part of their global data strategy.
Shema Bugum, Trainee Solicitor TMT Group, contributed to the writing of this article.