The Center for Data Innovation spoke with Marcus Grazette, Europe Policy Lead at Privitar, a UK-based firm providing data privacy software. Grazette discussed how the company works to foster data usage and data sharing while protecting privacy.
Christophe Carugati: How does Privitar’s platform work?
Marcus Grazette: The Privitar Data Privacy Platform enables organizations to use and share sensitive data responsibly. The platform includes tools to manage and mitigate privacy risks to individuals, supports data management and provides a centralized, scalable approach to data provisioning.
For example, the platform includes de-identification tools, which reduce the likelihood that an individual can be identified within a dataset. These tools also support data minimization, by allowing our customers to tailor the level of precision in data to match the requirements for a specific purpose. For example, transforming a specific date of birth (10/02/1981) into an age range (40 – 45) could provide the information necessary for customer segmentation and reduce the risk to the individual.
The platform creates secure Protected Data Domains (PDDs), within which data can be linked, while preventing linkage across domains. PDDs can be watermarked, to enable traceability and support audit. Creating specific PDDs for specific purposes within an organization supports the data minimization and purpose limitation principles in the GDPR. Privitar PDDs and watermarks can integrate with an organization’s data lineage tools and data governance processes.
The platform enables a centralized approach. Organizations can build policies that describe how data should be de-identified. Policies are reusable, enabling consistency across the organization and speeding up data sharing.
Christophe Carugati: Legislation, such as the GDPR, has been a barrier for companies that want to innovate with data. How can companies use your platform to overcome these regulatory hurdles better?
Marcus Grazette: Data protection rules aim to protect individual rights and freedoms. The GDPR requires organizations to assess the risks processing can create for individuals, and to take measures to reduce that risk. Privitar enables compliant data use by demonstrably reducing the risk to individuals.
For example, the GDPR allows “legitimate interest” processing. The organization can use data in pursuit of a legitimate interest, such as analytics, machine learning, or product development, if three conditions are met. First, that purpose is “legitimate”; second, the data is necessary for that purpose; and third, the interest is not overridden by the individual’s interests. The third step involves a balancing test. The organization should weigh the impact on individuals of using the data against the organization’s interest.
Privitar can help to tip the balance in favor of processing. Our customers use the Privitar Platform to demonstrably reduce the risk to individuals by de-identifying personal data, while retaining the utility necessary for their intended purpose. For example, applying consistent, format-preserving tokenization to an individual’s email creates a value that is useful as a record key, allowing an analyst to link tables in a dataset, but does not directly identify an individual.
Privitar also helps with effective data minimization. Customers use our Platform to generalize data, ensuring that only the level of detail necessary for the specific purpose is retained. For example, the organization’s marketing team may only need access to customer age ranges (e.g., 30 – 35), to design a campaign. Allowing that team access to full dates of birth could contravene the data minimization principle in GDPR and expose individuals to unnecessary risk.
Carugati: Your clients range across industries—healthcare, telecoms, banking. How are their data challenges the same, and how do they differ?
Grazette: They are similar in that they all collect sensitive personal information, and that they want to generate value from that information, for example by using extracts from the data they collect to undertake analytics, to build machine learning models, or to collaborate with others through data sharing arrangements.
They are different in that they operate in specific regulatory contexts. Data protection law applies across sectors. But specific industries have specific rules about how and when they can use data. For example, banks have legal requirements to act on fraud, and health data is subject to the UK’s common law duty of confidentiality.
Carugati: Sharing sensitive data, such as genome data, at scale has been important during the pandemic. What changes to data sharing practices have you seen during this time?
Grazette: The COVID-19 pandemic has highlighted the importance of data sharing for research purposes. Our work with NHS Digital supports this.
We’ve seen a huge focus on “time to data,” in other words reducing the amount of time between a health researcher submitting a request to access some data and the researcher being granted that access.
There are a number of ways for organizations to speed up access to data. These include making datasets more visible on data marketplaces, such as the Health Data Research Innovation Gateway, building robust data sharing processes (in other words, creating data readiness), and applying precedent-based triage to data access requests.
Carugati: What new capabilities are you working towards incorporating in future versions of the platform?
Grazette: Throughout 2021, we are building out the Privitar Data Privacy Platform and expanding capabilities to include enhanced privacy risk management, automated privacy protection, regulatory-focused solutions, and enhancements for cloud platforms.