The Information Commissioner’s Office (ICO) has recently published its draft guidance on privacy-enhancing technologies (PETs) to help organizations adopt a data protection by design approach to data processing.
PETs can help organizations share and use people’s data securely by minimizing the amount of data used through the encrypting or anonymizing of personal information. Some of the technology’s applications include money laundering investigations conducted by financial organizations and the healthcare sector’s push to use data from various sources to provide better health outcomes and services to the public.
The ICO indicated that PETs can help to demonstrate a “data protection by design and by default” approach, which is important in the context of the “need to know” and “only process the data you need” compliance principles. Using PETs can reduce data leakage risks for companies and individuals in data storage, processing and access, as they prevent access to any unnecessary data.
In terms of corporate KYC, there are three big questions regarding its application for crypto and Web 3.0, namely:
- Can we rely on third parties to protect our data?
- How much personal information do we need to collect?
- Do we always have to collect all documents?
If one looks closely at the core problems that the current regulations are trying to solve, one can quickly come to the conclusion that our current methods of data processing to increase data protection are outdated. On the other hand, PETs like secure multiparty computation (SMPC) or zero-knowledge proofs such as zkSNARKs are perfect for solving these problems.
“Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organisational domains.”
– John Edwards, UK Information Commissioner
PETs are technologies which embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals.
A helpful definition from the European Union Agency for Cybersecurity (ENISA) refers to PETs as:
“software and hardware solutions, ie systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.”
This concept of privacy by design is close to the heart of every compliance and security professional and can therefore be applied to the technical measures one can put in place. PETs can effectively assist in complying with the data protection principles and are a means of implementing data protection by design within your organization on a technical level.
- PETs can help you demonstrate a “data protection by design and by default” approach to your processing.
- PETs can help you to comply with the data minimisation principle by ensuring you only process the data you need for your purposes and provide an appropriate level of security for your processing.
- You can use PETs to access datasets that would otherwise be too sensitive to share, while ensuring that individuals’ data is protected.
Are PETs anonymisation techniques?
PETs and anonymisation are separate but related concepts. Not all PETs result in adequate anonymisation, and anonymisation may also be achieved without using them.