Published on September 7 by the Information Commissioner’s Office (ICO), the Draft Guidance on privacy-enhancing technologies (PETs) help organisations put into practice the data protection by design and by default approach as well as the data minimisation principle.
PETs are defined by ICO as “technologies that embody fundamental data protection principles by minimising personal data use, maximising data security, and/or empowering individuals. The concept covers many different technologies and techniques.” In other words, PETs help organisations share and use individual’s data responsibly, lawfully, and securely.
As outlined in the Guidance, PETs can help companies comply with the data protection by design and by default required by data protection and privacy laws such as the General Data Protection Regulation (GDPR). More specifically PETs can facilitate compliance with the following regulatory requirements:
Provision of an appropriate level of security
Implementation of robust anonymisation or pseudonymisation solutions
Reduction of the risk related to data breaches, by rendering the personal data unintelligible to anyone not authorised to access it.
ICO specifies that PETs can prevent controllers from sharing personal data or processors to access these data when further analysis is required.
The Guidance further outlines that companies should not consider PETs ‘as a silver bullet’ to be compliant with their data protection requirements; but must take into account the risks related to the use of such technologies— lack of maturity, lack of expertise and mistakes in implementation.
The Guidance also provides some examples of PETs which include PETs that allow compliance with both the data minimisation and security principles.
This Guidance is a great tool for companies as it discusses PETs in detail and provides practical explanation on how companies can ensure their technical measures are designed in compliance with data protection laws.