Criteria to anonymize information objects that contain personal data

I recently published an article explaining why it is important to manage Information Objects in the CMDB. An important step is to classify what kind of data is captured in this object. In this article, I would like to go deeper into the case where that data is Personal Data, also known as Personal Information or Personally Identifiable Information (PII). This means any information that relates to an identifiable individual ("natural person"). The concept of PII has become prevalent as information technology and the Internet have facilitated the collection of PII, resulting in a profitable market for the collection and resale of PII.

Significant confusion arises around whether PII means information which is identifiable (that is, can be associated with a person) or identifying (that is, associated uniquely with a person, such that the PII identifies them). In prescriptive data privacy regimes such as HIPAA, PII items have been specifically defined. In broader data protection regimes such as the GDPR, personal data is defined in a non-prescriptive, principles-based way. Information that might not count as PII under HIPAA can be personal data for the purposes of GDPR.

For this reason, "PII" is typically deprecated internationally. I don't want to go into how you come to classify an information object in your CMDB as PII, because that depends on exactly which data privacy regimes you are subject to. Instead, I want to cover an aspect that often becomes necessary when this data is passed on to third-party systems: anonymization.

What is anonymization?

The concept of anonymization - a concept that, despite its ambiguities, is critical to compliance programs around the world - can unfortunately also be confusing across jurisdictions. Specifically, the GDPR defines anonymous data as data that “does not relate to an identified or identifiable natural person or to personal data rendered anonymous” so “the data subject is not or no longer identifiable.” Data that meets these criteria is therefore not subject to the GDPR, making anonymous data the holy grail of data protection.

Nowhere is this standard more important than in the EU, which has set the bar for regulating data use and whose regulations companies rightly focus on when setting up global compliance programs for their data. In other words, proper anonymization of EU data is a key component of any global strategy focused on responsible data collection and use.

But it’s unclear what “anonymization” means in practice. This is something even the regulators themselves acknowledge, with Spain’s DPA, the Agencia Española de Protección de Datos, releasing a document titled “10 misunderstandings related to anonymization” to clarify the exact issues.

Unfortunately, the EU's legal anonymization standards are among the most difficult to implement in practice and have long been criticized for their vagueness. Currently, however, it looks as if the problems related to anonymization in the EU may soon be addressed, if not solved altogether. While the European Data Protection Board has not yet published guidelines on anonymization, three recent initiatives show that the EU institutions are increasingly taking a more pragmatic and workable stance. Two legislative proposals, the Data Act and the European Health Data Space Regulation, and the SRB v. EDPS court ruling all have in common that the only way to share data is to first establish that the data is not personal data, using a risk-based approach.

More specifically, since all data can technically be used to infer personal information, the only way to apply privacy law is to assume that a risk-based approach to anonymization is a valid option and that a reasonably low residual risk of identification is sufficient.

What does a risk-based approach mean?

For example, the original Article 29 Working Party guidance suggested that a risk-based approach to anonymization is possible. A risk-based approach to anonymization takes into account the residual risk that the data could theoretically still be identified in the future - the lower the risk, the stronger the claim for anonymization can be. This risk-based approach is used in several jurisdictions and is a central tenet of anonymization standards in the United States. The Federal Trade Commission, for example, promoted this standard in 2012 and has since shaped state privacy laws in the US. A risk-based approach typically requires tight control over how data is reused. That's why well-known data environments with monitoring and auditing capabilities, like your comprehensive CMDB on ServiceNow, are so important.

The risk-based approach in ServiceNow GRC

Thanks to the continuous monitoring of risks on different entity types, it is easy to establish a corresponding set of rules in ServiceNow GRC, which automates the necessary assessment, includes the evidence posture for it, and also derives and checks further controls and measures comprehensively.

As soon as a new information object is created or receives a certain status, all predefined rules become effective and the corresponding questionnaire is triggered. The final result of the evaluation clearly indicates whether it is possible to anonymize this information object and pass it on at will.

[Figure: exemplary flow]

Conclusion

If you can anonymize data, regulations like the GDPR simply no longer apply — not their onerous requirements on handling data and not even their very high fines. From a compliance standpoint, anonymous data makes your life easier. With the rapid adoption of artificial intelligence, which is typically trained on vast amounts of data, the need for clarification has only grown stronger, as has the push for standardization.

The ServiceNow CMDB helps you with the entire capture of your information objects and their relationships to applications, as well as logical and physical interfaces, and of course with the assignment of responsible and accountable persons. You can automate the entire process of categorization and anonymization checking to achieve a high standard of compliance and reduced risk.

As always I look forward to discussion and additions.

© 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are associated.

Peter Resch-Edermayr, MSc

Service > Digital > Vital

1 year ago

There is still a long way to go from the current CMDB, which just contains end devices like laptops, printers and servers, to a fully integrated solution that also maps data assets, processes and capabilities of the organization. It's a good thing to be able to relate this information all in one place and finally have an all-around view of people, processes, technology and data. Thanks to CSDM this is now the case and this is probably IT management - finally. Now we "only" need a process model for OCM - the organizational change management to bring the necessity of the application into the awareness of IT managers. But possibly I am wrong here and it is not the task of IT at all. Obviously, the entire responsibility for corporate data, processes and capabilities is shifting away from IT to a digitization/data responsibility in the companies. Or, to put it another way, enterprise architecture is gaining in importance, even among SMBs, and is growing together with the CMDB. Only then will the CMDB take on a completely different meaning - the heart of the IT-supported processes - in other words, all of them!
