Rabobank reveals unusual GDPR compliance technique

The EU General Data Protection Regulation (GDPR) is now in effect, and whether you’ve achieved compliance or are still working towards it, we imagine you’ve found the process tough. You might also describe it as stressful and perhaps even educational, but we doubt you’d use the word ‘fun’.

However, employees at financial services company Rabobank are reportedly having a blast. The Dutch organisation revealed that it is using a creative cipher to help employees pseudonymise personal data. Customers’ information is being replaced with the Latin names for flowers, meaning anyone who gains unauthorised access to the bank’s databases will see a list of realistic but ultimately unusable alter egos.

That might not sound like your idea of fun, but Rabobank has been proudly boasting of this creative solution to GDPR compliance. And as its employees might say: suum cuique.

What’s the modus operandi?

Pseudonymisation masks data by replacing personal data with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help ensure an individual’s privacy, pseudonymisation has its limits.

For one, it only replaces part of the data set. For instance, an individual might be given a new name, address or date of birth. So, for all of Rabobank’s originality in masking data, it can only be of so much use. The problem isn’t with using Latin per se: no matter how you pseudonymise information, it still contains personal data and is therefore subject to the GDPR.
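As an added illustration (not Rabobank’s code, whose method is not described here), this sketch replaces only the name field with a keyed Latin flower alias and lists the fields that remain in clear. The HMAC approach, word lists, key and sample record are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed word lists; any vocabulary of Latin plant names would do.
GENERA = ["Rosa", "Tulipa", "Bellis", "Viola", "Papaver", "Iris", "Lilium", "Narcissus"]
EPITHETS = ["canina", "sylvestris", "perennis", "odorata", "rhoeas", "germanica",
            "candidum", "poeticus"]


def pseudonym(value: str, key: bytes) -> str:
    """Map a value to a stable alias; the same value and key always give the same alias."""
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).digest()
    genus = GENERA[digest[0] % len(GENERA)]
    epithet = EPITHETS[digest[1] % len(EPITHETS)]
    # 64 name pairs would collide quickly, so a short hex tag keeps aliases distinct.
    return f"{genus} {epithet} {digest[2:6].hex()}"


def pseudonymise(record: dict, key: bytes, fields=("name",)) -> dict:
    """Return a copy of the record with only the listed fields replaced."""
    out = dict(record)
    for field in fields:
        out[field] = pseudonym(record[field], key)
    return out


def untouched_fields(record: dict, fields=("name",)) -> list:
    """Fields left in clear: still personal data, and possible quasi-identifiers."""
    return sorted(k for k in record if k not in fields)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice a secret stored apart from the data
    customer = {"name": "Jan Jansen", "date_of_birth": "1980-02-29", "postcode": "3521 CB"}
    masked = pseudonymise(customer, key)
    print(masked)
    print("still in clear:", untouched_fields(customer))
```

Anyone holding the key can recompute an alias from a known name, which is why the key has to be kept separately from the pseudonymised data.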

There are a couple of exceptions. Pseudonymised data isn’t subject to the GDPR’s requirements surrounding individuals’ rights. After all, organisations can’t comply with a right of access if they don’t know who the data belongs to. Even if they could, the data subject would receive information that is, naturally, inaccurate.

Additionally, organisations that pseudonymise data are permitted to use it for purposes other than the one for which it was originally collected. The Regulation states that “the existence of appropriate safeguards, which may include encryption or pseudonymisation” gives organisations more flexibility with data use. However, other uses must be “compatible” with the initial purpose – the meaning of that term is outlined in Article 6(4) of the Regulation.

High-profile organisations such as Apple, Google and Uber have begun pseudonymising data so that data analysts can use the information without worrying about data privacy. This practice will soon become more common as organisations take advantage of its benefits. It’s yet to be seen whether this will spark a resurgence in the use of Latin.


Pseudonymising your data

You can get help pseudonymising your organisation’s data with our EU General Data Protection Regulation (GDPR) Documentation Toolkit.

This toolkit contains templates for every process you need to comply with the Regulation, including pseudonymisation. It also contains expert guidance on what data you should consider pseudonymising, how to achieve this and what alternatives you have.
