
Are you prepared for EU GDPR Indirect Identifiers? What are Indirect Identifiers?

What is your solution for GDPR’s Indirect Identifiers? Many aren’t sure what they are and will probably be unsuccessful when attempting to become GDPR compliant. Allow me to explain.

As a software development manager, I must confess that the Discovery & Remediation of Indirect Identifiers was the most complex project I have managed in my 33 years in the industry.

First, let me explain what an Indirect Identifier is. According to the Privacy Technical Assistance Center of the U.S. Department of Education, “Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors.”

Published in: Data & Analytics
1. To accurately find Indirect Identifiers you must know all the metadata of all your enterprise data, including structured and unstructured data, and data contained in PDFs, Office documents and other data assets. When Indirect Identifiers are scattered across multiple files containing data for many individuals, it is first necessary to find the records associated with each unique individual. To accomplish this, you must successfully join the records by Direct Identifiers before you can decide whether Indirect Identifiers exist across those files and positively identify individuals. After all, files may contain gender, date of birth and geographic indicator but never all three for a specific individual. If no individual has all three of these fields present in your data, then you are GDPR compliant for this Indirect Identifier set of fields.

To join records for individuals you first need a field present in those files that uniquely identifies individuals; these fields are called Direct Identifiers. Their definition, from the same source as above:

What is a Direct Identifier? “Direct identifiers include information that relates specifically to an individual such as the individual’s residence, including for example, name, address, Social Security Number or other identifying number or code, telephone number, e-mail address, or biometric record.”

Having a centralized repository to house all your metadata is the next requirement for a reasonably efficient Indirect Identifier discovery process. Once all the pieces are present in one location, joining data from multiple files is not as daunting. It is also important that your central repository be able to accept data from many sources regardless of structure or format. The repository must also be scalable, affordable and able to deliver high levels of processing power, so that files can be joined by Direct Identifiers or other keys such as national health ID, Social Security Number, credit card number, address or email. The joining process then accumulates data assets from all the files and relates their columns to one another (yes, many permutations will occur). Once these relationships are found, some human intervention is needed to decide which of the Indirect Identifier(s) should be encrypted or removed to break up the Indirect Identification group of fields.
2. The EU GDPR requirements are vague, but the general opinion is that the GDPR still prohibits sets of fields that identify a small group of individuals and not necessarily a specific individual. An example would be Gender, Date of Birth and Postal Code, which is only 87 % accurate in identifying specific individuals. So, unless your company has nearly 100% of its data assets housed in a Big Data environment somewhere, you probably have lots of work ahead of you. If your company is like most, especially larger companies, you still have mainframes, AS/400s, desktops, servers (from many manufacturers, of many different sizes, running a multitude of RDBMSs), cloud applications, IoT and other forms of storage that may fall under the EU GDPR umbrella. Just identifying all of this is a major undertaking.

After all your data is in a file system that can store, manage and provide massive amounts of processing power, you are ready to get to work. Next is to write a multi-step series of programs that can take advantage of the scalability of the file system, read all the file types and formats, store this information and make it sharable and collaborative, and then discover Direct and Indirect Identifiers while also providing for data remediation in the form of encryption, removal, or sequestering/quarantining of files.

GDPR is not a once-in-a-lifetime or once-a-year requirement; it is an everyday responsibility. If you are hacked and can’t demonstrate ongoing processes for remediation of Direct and Indirect Identifiers, you may still be subject to substantial fines, plus the risk of a major breach causing loss of customers, reputation, and unmanageable fines and legal fees.

An additional EU GDPR requirement is to provide customers with the ‘Right of Erasure’, also known as the ‘Right to be Forgotten’. This means a company must discover and remediate all data related to an individual that isn’t required for existing business activities with that individual. As an example, if you are maintaining lease agreements with an individual you must keep certain identifiers to continue maintaining that agreement; however, you should make sure all that required data is encrypted and is never shared with other business partners or entities. Any identifiers that are not required for legitimate business purposes must be removed. Providing an individual with the ‘Right of Erasure’ will certainly require discovery and remediation of all Direct and Indirect Identifiers before a true solution is achieved.

After reading these descriptions of GDPR requirements it may seem like an overwhelming task to reach compliance with EU GDPR. However, some software vendors realized long ago that such solutions would be more than just problematic to develop in-house and designed software applications specifically conceived to meet GDPR mandates. Don’t settle for solutions that require 6 months or a year to implement; there isn’t time. Look for a product that uses a common platform to assemble disparate data stores; that may be the only way to discover Indirect Identifiers. Look for solutions that don’t require an army of data scientists to interpret results. Don’t break the bank to purchase a solution; there are products with reasonable pricing structures, implementation times as short as a day, that start delivering on day one and can give you a qualified, accurate, intelligent view in days. Reach BigDataRevealed (a software application built for GDPR to facilitate protecting your customer’s valued and confidential data) at privacyinfo@bigdatarevealed.com or (847) 440-4439.
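The join-then-check procedure from slide 1 and the small-group concern from slide 2, as an added Python example that is not part of this deck or of BigDataRevealed: two constructed "files" are joined by a direct identifier (email), individuals holding the full gender/date-of-birth/postal-code set are listed, value combinations shared by fewer than k people are flagged, and one field is dropped to break the set. All record values, the choice of email as the join key and the k threshold are constructed assumptions.

```python
# Added example, not the deck's or any vendor's code. Sample rows are constructed.
from collections import defaultdict

# Constructed sample "files": each is a list of rows keyed by a direct
# identifier (email). No single file holds all three indirect fields.
HR_FILE = [
    {"email": "a@example.com", "gender": "F", "dob": "1980-04-02"},
    {"email": "b@example.com", "gender": "M", "dob": "1975-11-30"},
    {"email": "c@example.com", "gender": "F", "dob": "1980-04-02"},
    {"email": "e@example.com", "gender": "M", "dob": "1990-01-15"},
]
CRM_FILE = [
    {"email": "a@example.com", "postal_code": "60010"},
    {"email": "c@example.com", "postal_code": "60010"},
    {"email": "d@example.com", "postal_code": "60611", "gender": "M"},
    {"email": "e@example.com", "postal_code": "60611"},
]
INDIRECT_FIELDS = ("gender", "dob", "postal_code")  # the set under review

def join_by_direct_id(files, key="email"):
    """Merge rows from all files into one record per direct identifier."""
    people = defaultdict(dict)
    for rows in files:
        for row in rows:
            people[row[key]].update({f: v for f, v in row.items() if f != key})
    return dict(people)

def complete_indirect_sets(people, fields=INDIRECT_FIELDS):
    """Direct IDs whose joined record carries every field of the set."""
    return sorted(p for p, rec in people.items() if all(f in rec for f in fields))

def small_groups(people, fields=INDIRECT_FIELDS, k=2):
    """Quasi-identifier value combinations shared by fewer than k people.
    Only individuals holding the full field set are counted."""
    groups = defaultdict(list)
    for p, rec in people.items():
        if all(f in rec for f in fields):
            groups[tuple(rec[f] for f in fields)].append(p)
    return {combo: members for combo, members in groups.items() if len(members) < k}

def redact_field(people, direct_ids, field="postal_code"):
    """Remediation: drop one field for the flagged people so the set is broken."""
    out = {}
    for p, rec in people.items():
        out[p] = {f: v for f, v in rec.items() if p not in direct_ids or f != field}
    return out
```

Run the join first, then flag with small_groups and pass the flagged IDs to redact_field; re-running small_groups on the result should return nothing.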
