6 industries that must take GDPR compliance and data anonymization seriously

by Ekobit June 23, 2018
The connection between GDPR and data masking

The GDPR enforcement date is approaching, and it appears that many companies are still not properly prepared.

It seems that many lack the proper understanding of all aspects of private data protection. GDPR affects each organization that processes EU citizens’ data, but achieving compliance may be particularly challenging for certain industries. Let’s discuss a few examples.

1. Banking

The banking industry is a case in point when it comes to data anonymization or data masking. Banks manage large databases that contain a lot of sensitive data and proprietary files. Imagine what happens if an ex-client informs a bank that she wants to exercise the right introduced by GDPR, the right to be forgotten. Should records related to that client be deleted from the bank’s databases? What would happen with totals and balances in that case? Unlike other organizations that only have to track the information that has to be forgotten, banks also have to define strategies to handle the complex relationships between every table where personal data is stored. When such a request arrives, banks will have trouble locating all of the information and preserving referential integrity across their databases and systems.

2. Financial services

Companies offering financial services may not always be motivated by GDPR when it comes to data protection. GDPR will force them to comply with its rules and at the same time to protect sensitive personal data from data breaches. Take two examples from last year. Deloitte, a corporate finance giant, experienced a cyber-attack that compromised confidential data of some of its clients, such as private emails. Another corporate giant, Equifax, suffered an even larger data breach. The company is a consumer credit reporting agency that collects and aggregates information on over 800 million individual consumers. Both companies deal with sensitive information from many clients on a daily basis. How could they be sure that some Excel file on a computer does not contain sensitive information?

3. Credit card processors

Card processors typically have to deal with thousands of files that eventually end up in large databases. What data should they use for testing imports? To comply with GDPR, they should decide to use anonymized data. In that case, they would have to anonymize databases and files in sync. In addition, they would have to anonymize files that arrive later, after the initial anonymization is done, in such a way that the new files are also in sync with the database and the files imported initially.
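One way to meet the in-sync requirement described above is keyed deterministic pseudonymization, sketched here as an added example that is not from the original article or any Ekobit product. The table names, column names, key and sample card number are constructed for illustration.

```python
import csv, hashlib, hmac, io, sqlite3

# Constructed demo key; in practice it lives in a secrets manager, not in code.
MASKING_KEY = b"constructed-demo-key"

def pseudonym(value: str, domain: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic token: same value + domain + key gives the same output."""
    normalized = value.strip().replace(" ", "").upper().encode()
    mac = hmac.new(key, domain.encode() + b"\x00" + normalized, hashlib.sha256)
    return mac.hexdigest()[:16]  # truncated to 64 bits to keep the demo readable

def mask_database(conn: sqlite3.Connection) -> None:
    """Mask the key column and every column that references it, in one transaction."""
    with conn:
        rows = conn.execute("SELECT card_no, name FROM cardholders").fetchall()
        for card_no, name in rows:
            token = pseudonym(card_no, "card_no")
            conn.execute("UPDATE cardholders SET card_no = ?, name = ? WHERE card_no = ?",
                         (token, pseudonym(name, "name"), card_no))
            conn.execute("UPDATE transactions SET card_no = ? WHERE card_no = ?",
                         (token, card_no))

def mask_import_file(text: str) -> list[dict]:
    """Mask a file that arrives after the database was already masked."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["card_no"] = pseudonym(row["card_no"], "card_no")
    return rows

def demo() -> tuple:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cardholders (card_no TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE transactions (card_no TEXT, amount_cents INTEGER);
        INSERT INTO cardholders VALUES ('4111111111111111', 'Ana Test');
        INSERT INTO transactions VALUES ('4111111111111111', 1250);
    """)
    mask_database(conn)
    # Constructed late-arriving file; the same card is written with spaces.
    late_file = "card_no,amount_cents\n4111 1111 1111 1111,990\n"
    for row in mask_import_file(late_file):
        conn.execute("INSERT INTO transactions VALUES (?, ?)",
                     (row["card_no"], int(row["amount_cents"])))
    # The join still resolves: old and new rows carry the same token.
    return conn.execute("""SELECT COUNT(*), SUM(t.amount_cents) FROM transactions t
                           JOIN cardholders c ON c.card_no = t.card_no""").fetchone()

if __name__ == "__main__":
    print(demo())  # (2, 2240)
```

Because anyone holding the key can recompute a token from a known value, the key has to stay out of the test environments that receive the masked data.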

4. Insurance companies

Protection of private information in the insurance sector comes with the challenge that exposing sensitive information could cause permanent damage. For example, in health insurance, if a person’s medical record contains information about a disease, this person could be marked for life if this information becomes public. To prevent cases like this, insurance companies need to apply “minimum needed” principles. That means using real data only when it is necessary and anonymizing values that do not influence the processing of the person.

5. Delivery and logistics

Although companies in this sector would not come immediately to one’s mind, there are many reasons why GDPR affects their business policies. Delivery companies manage private data about their customers such as addresses and contact details. Even more important, this same information is exchanged with partner online shops. So delivery companies need real information to carry out their everyday business, but the question is what happens with this information after a delivery is made?

6. Telecom operators

The last industry worth mentioning is definitely the telecom area. It should be no surprise that these companies are strongly affected by GDPR. Telecoms have a large number of users that share their private data with them, and they regularly launch new services that also need testing before the market launch. So are they allowed to use production data for their development efforts? Absolutely not. In fact, they probably require an enterprise solution to keep sensitive information anonymized at different levels.

There is one thing that companies in these industries have in common. Many of them report high annual revenues. Considering GDPR fines that are calculated as a percentage of the annual revenue, they should invest some effort to prepare their process on time. Nevertheless, many companies still perceive the aspect of data anonymization as something that has lower priority when starting with the implementation of GDPR practices.

Could GDPR have a significant impact on your industry as well? Could anonymization/masking help you to avoid fines and protect your reputation? Contact us to learn more.
