I was at a NextSales meeting with a company that has a solution for anonymizing and pseudonymizing data. Risky data it is. And I must say I was happy to be there. As it turns out they have a solid solution for one of the biggest problems in the IT&SAM field: anonymization of user, personal, commercial or other European GDPR (General Data Protection Regulation)related data.
As software audits are still more and more executed I need to inform more and more organizations about the risk of delivering data to the auditor at his request. Because of the fact that delivering this data can be seen as a data breach or leak, your company is not only at risk for a license incompliance fee, but also for a fine that can amount to astonishing numbers (4% of the annual turnover).
Is this solution absolute fail proof? They honestly answered no. And that’s correct because if anyone wants to deliberately crack the safe, he or she will find a way. It is, however, one of the safest (and quickest) ways to do this I’ve seen up till now.
So, there’s a way to get an agreement with the auditor for handing over data that was up till now not done with regards to local and European laws and regulations. And it still might be a risk due to your local laws. But it’s at least a way to breach an impasse.
Next topic would be the cost of this anonymization: should you or the auditor/publisher pay for this service? Well there’s a discussion that could go either way.
Another huge risk everyone takes unknowingly
The other very interesting knowledge I gathered during this meeting was that in fact it is forbidden by law to copy your operational user data and use this in your test environment (unless you build a DTA environment according to the same security, authorization and risk rules as your production environment, which is seldom seen because of the enormous costs involved with that). This solution makes it possible to still make use of that data without the former costs and risks.
Come to think about it; this also is valid for HR data, commercial data and security data. Although the GDPR is effective as from May 2018 you’d better be prepared for it as soon as possible.
Help is available
For more information on this topic just contact me or my colleagues at In2SAM and we will help you cover this risk!
IT&SAM expert, evangelist
COO at In2SAM BV