IBM is helping increase preparation for GDPR with a hybrid-like approach to encryption and anonymization, according to Michael Osborne, manager for Privacy and Security at IBM's Zurich Research Lab, in an interview with CIO Dive. The offering is called the IBM High Assurance Desensitization Engine and uses pseudonymization in lieu of completely anonymizing data, which could lead to potentially "breaking" the data, he said.
Unlike full anonymization, the engine doesn't change the data to protect it; instead, it is "replacing pieces so you remove the identity, but you still have the utility and analytics of the data," Osborne said. The offering works like a service but it's not "fixed in a cloud" and can be put in a mainframe or behind middleware, he said. It works as a "floating software" using container technology.
Rabobank, a Dutch banking and financial services company, uses the technology to assign the names of Latin flowers as customers' pseudonyms, according to a company blog post. The bank's DevOps team uses pseudonymization to test real personal data while piloting apps and services. Experimenting with real data will be against GDPR restrictions come May 25. The engine converts names, birthdays, addresses and other types of personally identifiable information into a series of random identifiers.
Security experts largely agree that a data breach is not a matter of "if," but "when." GDPR is meant to create a sense of transparency between organizations and their consumers and also assure the protection of data.
Most organizations are focusing on the processes and consulting aspects of GDPR before the May 25 deadline. But when policies alone aren't enough, technology may be the next best solution. Many companies looking to comply with GDPR, and predicting a similar shift in American data protection laws, are looking to technology for help.
Technologies like Big Blue's pseudonymization will not only help confuse an attacker but also avoid any fines associated with a breach, according to Osborne. The tool protects not only the data itself but also those handling it.
Developers can work in good conscience by using pseudonymized data that "looks and feels real" during the experimental phases of a project. IBM's engine takes a "name or identifier in one context and changes it in another context," effectively "de-identifying" the data, granting a new identity in a new context, said Osborne.
But there are some companies that are still just struggling with policies alone. Only half of companies that expect to comply with the standards are fully or somewhat ready for GDPR.
There are also companies that choose not to comply with GDPR and opt out altogether by cutting ties with their EU customers. Enforcers of the regulation are struggling to lock down the funds and laws to perform their duties to full capacity.