Data Matters Privacy Blog ICO Releases Draft New PET Guidelines
On September 7, 2022, the Office of the Information Commissioner (“ICO”) published draft guidelines (“Tips”) on privacy technologies (“Pets”). It is hoped that the Guide will help organizations gain the confidence to use PETs to develop innovative applications without compromising privacy concerns or trust. The Guide is divided into two sections: (i) how PETs can contribute to data protection compliance; and (ii) what are PETs. We look at the main learning points of the tips below.
What are PETs and why is the ICO interested in them?
PETs are not defined in data protection law, but the European Union Agency for Cybersecurity (“ENISA”) defines them as “systems encompassing technical processes, methods or knowledge to realize specific privacy or data protection functionalities or to protect against the privacy risks of an individual or a group of people physical”. The Guide provides a more practical explanation of what PETs are – explaining that they are “enablers” that extract value from data while ensuring data security.
The ICO is interested in PETs because, although they are growing in popularity, they are not yet routinely used by all businesses. The ICO is keen to encourage adoption and research in the field by providing greater clarity on these technologies. At the same time, the ICO also seeks to ensure sufficient guidance for organizations on How? ‘Or’ What to use PET legally. Indeed, time is running out, as Gartner, the American consulting firm, predicts that PETs will be adopted by a majority of large organizations by 2025.
The ICO has been clear about the data protection benefits of PETs. These benefits include helping organizations comply with data protection principles, in particular data minimization, purpose limitation and security. PETs are also intrinsically linked to the concept of “data protection by design and by default” (Article 25 of the GDPR). It is the idea that data protection must be “integrated” into your processing from the design phase to the deployment of any technology. PETs can enhance data protection by providing a way to demonstrate GDPR Article 25 compliance.
What are PETs?
PETs can be divided into three main categories:
- PET scans that reduce the identifiability of individuals;
- PETs that focus on masking or data protection; and
- PETs that control access to certain parts of the data.
How can PETs help my business?
While the Guide defines many different types of PET, below we list three key technologies and how a business could use them to support data protection:
- Homomorphic (“HE”) encryption – it allows you to perform calculations on encrypted data without decrypting it first. HE has the potential to support GDPR-compliant international data transfers by allowing personal data to be stored and processed outside of the EU, but only allowing decryption on servers located in GDPR-compliant locations. GDPR.
- Secure Multiparty Computing (“SMPC”) – it is a protocol that allows at least two different parties to jointly perform processing on their combined data, without either party needing to share all of its data with each of the other parties . This could help, for example, healthcare providers like the UK’s National Health Service who regularly need to share information with different organizations that work with their patients.
- Trusted Execution Environments (“TEEs”) – it is a secure area inside the central processing unit of a computing device. It allows code to be executed and data to be evaluated while isolating that data from the rest of the system. For example, biometric data about users can be separated from insecure applications and used only for agreed purposes, for example, unlocking a user’s phone.
How can PETs be used in a GDPR-compliant way?
PET scans are not without risk and the Guide recommends considering the following:
- undertake a data protection impact assessment (“DPIA”) to assess whether the use of PET is appropriate for an organization’s needs. The assessment should take into account the nature, scope and purposes of the processing, as well as the maturity and cost of the PET.
- the scalability and complexity of a PET.
- the protections provided by PETs and its robustness against attacks and data leaks.
What can we expect from this domain in the future?
The Guide shows that PETs are here to stay – as is the regulator’s interest in regulating them. To that end, the ICO presented its work on PETs at the 2022 G7 Data Protection and Privacy Authorities Roundtable held in Bonn, Germany, on September 7-8. G7 data protection authorities agreed that PETs have great potential, but stressed that regulators, governments and industry need to examine them further in the coming months. It will be interesting to see how standards, laws and guidelines evolve as this multi-stakeholder dialogue continues.