The GDPR and Controlled Linkable Data Balancing the Interests of Regulators, Data Controllers and Data Subjects

25 Pages Posted: 6 Mar 2017 Last revised: 18 Nov 2022

See all articles by Mike Hintze

Mike Hintze

Hintze Law PLLC; University of Washington School of Law; Future of Privacy Forum

Gary LaFever

Anonos Inc

Date Written: September 6, 2017

Abstract

The new obligations imposed by the General Data Protection Regulation (GDPR) do not prohibit the use of personal data for analytics or other beneficial secondary uses. But they do require the adoption of new technical and organizational measures to protect that data. The GDPR explicitly points to pseudonymizing as one such measure that can help meet the requirements of several of its provisions. The GDPR further recognizes differing levels of de-identification in a way that provides incentives for organizations to adopt the optimal type and level of de-identification that can help them use personal data for bene cial purposes while meeting their compliance obligations and protecting the privacy of individuals.

By enabling the use of “Controlled Linkable Data” (as described in this White Paper) that retains the utility of personal data while helping to meet organizations’ compliance obligations and to significantly reduce their risk of liability, Anonos® BigPrivacy® technology can help organizations navigate and meet these new GDPR requirements. Thus, Anonos BigPrivacy technology can ease regulatory burdens and be a key component of an overall GDPR compliance program.

The body of this paper describes in detail the regulatory background, technological innovations, and practical applications of Controlled Linkable Data, leading to the maximization of data value and individual privacy in a GDPR-compliant manner.

First, in Section III, we introduce the concept of Controlled Linkable Data in the context of the GDPR. Next, in Section IV, we describe the GDPR’s new requirements, focusing on the distinction between privacy by design and data protection by default, and noting that the former is merely a subset of the latter, making it insufficient to satisfy the GDPR’s stringency. We also introduce the essential concept of Controlled Linkable Data. In Section V, we explain how Controlled Linkable Data enables a more powerful form of de-identification, one encouraged by the GDPR, but which has previously not been achievable by technical methods. This leads to the conclusion that “data protection over the full lifecycle of data by leveraging technical and organizational measures, including pseudonymisation, [ensures] that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.” Next, Section VI analyzes numerous relevant sections of the GDPR (specifically, Articles 5, 6, 11(2), 12(2), 15-22, 32-36, 40, 42, 82 and 88), showing how Controlled Linkable Data helps satisfy the specific GDPR requirements. Last, in light of this understanding of the requirements, limitations, exclusions and overall principles of the GDPR, Section VII explains the technical basis of Anonos BigPrivacy technology, how it implements Controlled Linkable Data, and how this solution addresses GDPR compliance concerns for all parties: data controllers, regulators and data subjects.

Global firms that gather, use or store GDPR personal data should consider the possibility that Controlled Linkable Data as described in this White Paper enables secondary uses of data while ensuring compliance with GDPR requirements.

Keywords: GDPR, Big Data, Controlled Linkability, Controlled Linkable Data, GDPR Compliance, Data Analytics, Data Protection by Default, EU GDPR, General Data Protection Regulation, Anonos, BigPrivacy

JEL Classification: K00, K1, K1, K13, K2, K23, C80, D18, D80

Suggested Citation

Hintze, Michael and LaFever, Gary, The GDPR and Controlled Linkable Data Balancing the Interests of Regulators, Data Controllers and Data Subjects (September 6, 2017). Available at SSRN: https://ssrn.com/abstract=2927540 or http://dx.doi.org/10.2139/ssrn.2927540

Michael Hintze

Hintze Law PLLC ( email )

505 Broadway E #151
Seattle, WA 98102
United States

University of Washington School of Law ( email )

William H. Gates Hall
Box 353020
Seattle, WA 98105-3020
United States

Future of Privacy Forum

United States

Gary LaFever (Contact Author)

Anonos Inc ( email )

228 Park Avenue South
New York, NY 10003
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
937
Abstract Views
3,277
Rank
46,558
PlumX Metrics