In June 2023, the Information Commissioners Office (ICO) released a statement encouraging organisations to start using privacy-enhancing technologies (PETs) to share people’s personal information safely, securely, and anonymously.
It published corresponding guidance separated into two parts. The first part is aimed at DPOs (data protection officers) and those with specific data protection responsibilities in larger organisations, focusing on how PETs can help you achieve compliance with data protection law. The second part is intended for a more technical audience, and for DPOs who want to understand more detail about the types of PETs that are currently available. It gives a brief introduction to eight types of PETs and explains their risks and benefits.
Organisations should take note of the new ICO guidance which shines a light on the opportunities available through the introduction of PETs, as well as the risks for companies that fail to complete due diligence ahead of integrating them into business systems.
What are privacy-enhancing technologies (PETs)?
PETs are technologies which are deployed to support businesses to collect, store, and process information. A business might use these technologies to support the organisation and minimise the risk of data breaches, all while preserving the data's utility. There are several different PET techniques and applications, such as:
- Anonymisation tools
- Encryption techniques
- Trusted execution environments
- AI-generated synthetic data
- And others.
As businesses become increasingly dependent on data and collect more and more of it, it's crucial DPO’s bring the right departments together so organisations can make informed decisions when deciding what PETs to employ .
Financial services one step ahead
Business sectors are at different points in their journey towards employing the effective use of PETs. The financial services sector is one step ahead due to the nature of the data they collect and use. They are also used to operating in a regulated environment under the close watch of the Financial Conduct Authority (FCA). Retailers however aren’t quite as far along in their PET journey, despite managing vast volumes of data. The NHS launched a tender for its own PET in June 2023.
It’s not just the big corporates like those in finance and retail who need to have a good understanding of PETs though, it’s any size of business. Once you understand how they can benefit your business, the next step is making sure potential products are vetted by the right people in your organisation.
Corporates are always at risk of making decisions that aren’t joined up due to the scale of their operations, knowing which areas of the business really need to work together can help.
When it comes to selecting and deploying PETs, we’ve found there is sometimes a disconnect between DPOs, IT specialists and legal teams. Organisations designing new products and services should engage these skill sets early in the process to get the best results.
The financial services sector has already demonstrated how this works. When developing a new service line that requires privacy-enhancing technologies this sector brings the privacy team and/or DPO and the legal team into the conversation during the design stages. This means they can discuss what they need the PET to do with data e.g. do they need to keep identifiers? Make it anonymous? Or pseudonymised? (an alternative reference is affixed) They also get the chance to discuss whether certain options will be compliant with the legal team and the appropriate PET can be chosen.
It isn’t cost effective for a business to invest senior resource in selecting, trialling, and consulting on new AI software, then consult the legal team at the end of this process, who then raise questions about whether this new product functions in line with company values or compliant with the ever-changing regulations. It’s better to involve the legal team at the demo stage so these queries can be ruled out.
Do your due diligence
It’s not just the legal team’s skills that corporates should lean on. Although the recent guidance from the ICO is undoubtedly designed to support UK businesses embrace the opportunities available through PETs, it doesn’t take away from the need for businesses to do their due diligence on this emerging technology. DPOs and privacy teams need to question whether the PET they’re considering does everything that the marketing or salespeople of the technology provider claims.
Getting your own IT departments to test and challenge any PETs you’re considering where you proactively test your system for vulnerabilities is an essential step in the process. Even with testing it won’t mean you can avoid all possible data breaches but you will have a better understanding of whether the PET you’re investing in ‘does what it says on the tin’.
It’s important to consider how PETs fit into your wider security system, they can’t work in isolation like all AI tools. Is it normal for one of your consultants to be logging into your IT system from New Zealand? Is one of them on holiday there? That’s not something a PET will know. To solely rely on the technology is a misstep, it still needs human interpretation.
PETs are already an essential part of today’s business toolkit when managing data and there are new ones emerging all the time. When it comes to businesses working out which ones to use and where, while remaining compliant and trying to avoid potential data breaches, it needs a collaborative cross-organisational effort in the early stages of design, with DPOs, the IT department, and legal teams all around the table.