One of the requirements for the new GDPR regulations that come into force in a few weeks’ time is that organisations will not be allowed to use production data for testing their IT systems: if there is anything personally identifiable in that data then the company will face very heavy fines.
There are a number of ways to manipulate the production data so that it can be used in testing, including anonymisation and lookup tables, but Rabobank, a Netherlands-headquartered multinational bank, have decided to do it as robustly as possible, using some interesting new technology from IBM.
At the heart of the solution are encryption and pseudonymisation. IBM describe it as their “analytics software combined with cryptographic desensitization engine achieves pseudonymization by converting the data into individual hash-based token keys which are completely impermeable today and in the future.” I spoke to Peter Claassen, Delivery Manager for Radical Automation at Rabobank, to find out what that actually means in real life. He told me that, for testing purposes, personally identifiable data such as names are converted, in a one-way encrypted process, into pseudonyms. In Rabobank’s case, they actually used Latin flower names so that they looked almost realistic (which helps the developers even more). An even more important point concerned the use of IBAN numbers and postcodes. As Chris Sciacca from IBM Research told me: “Using fake test data is particularly challenging when it comes to banking due to IBAN codes. You can’t just use random numbers, there needs to be utility to the data even if it’s not real, and that’s what pseudonyms provide”.
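To make the idea concrete, here is a small sketch added for illustration; it is not IBM's engine or Rabobank's code. It assumes HMAC-SHA256 as the keyed one-way function, constructed word lists, a constructed key and a constructed sample IBAN, and it handles Dutch (NL) IBANs only, recomputing the ISO 13616 check digits so the pseudonymous IBAN still passes validation.

```python
import hashlib
import hmac

# Constructed word lists; a real deployment needs far larger ones to avoid collisions.
GENERA = ["Rosa", "Tulipa", "Viola", "Iris", "Lilium", "Crocus", "Bellis", "Papaver"]
EPITHETS = ["alba", "rubra", "montana", "sylvestris", "vulgaris", "perennis", "aurea", "minor"]

KEY = b"constructed-demo-key"        # assumption: secret held outside the test environment
SAMPLE_IBAN = "NL13TEST0123456789"   # constructed sample with valid check digits, not a real account


def _digest(key: bytes, field: str, value: str) -> bytes:
    """Keyed one-way hash; the field label keeps name and IBAN tokens independent."""
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()


def pseudonymise_name(key: bytes, name: str) -> str:
    """Map a name to a stable Latin-looking pseudonym (same input, same output)."""
    d = _digest(key, "name", " ".join(name.split()).casefold())
    return f"{GENERA[d[0] % len(GENERA)]} {EPITHETS[d[1] % len(EPITHETS)]}"


def _mod97(s: str) -> int:
    """ISO 13616 remainder: letters become 10..35, then the number is taken mod 97."""
    return int("".join(str(int(c, 36)) for c in s)) % 97


def iban_is_valid(iban: str) -> bool:
    iban = iban.replace(" ", "").upper()
    ok_chars = iban.isascii() and iban.isalnum()
    return len(iban) > 4 and ok_chars and _mod97(iban[4:] + iban[:4]) == 1


def pseudonymise_iban(key: bytes, iban: str) -> str:
    """Replace the account number of a Dutch IBAN, keeping country and bank code."""
    iban = iban.replace(" ", "").upper()
    if len(iban) != 18 or not iban.startswith("NL") or not iban_is_valid(iban):
        raise ValueError("expected a valid 18-character NL IBAN")
    account = int.from_bytes(_digest(key, "iban", iban)[:8], "big") % 10**10
    bban = f"{iban[4:8]}{account:010d}"
    check = 98 - _mod97(bban + "NL00")  # recompute check digits for the new account
    return f"NL{check:02d}{bban}"


if __name__ == "__main__":
    print(pseudonymise_name(KEY, "Jan Jansen"), pseudonymise_iban(KEY, SAMPLE_IBAN))
```

Because the mapping is keyed and deterministic, the same customer gets the same pseudonym in every table, so joins in the test database still work, while anyone without the key cannot recompute the mapping from a guessed name or IBAN.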
This all seems like a very sensible and robust approach from Rabobank. They are ensuring that they have watertight solutions to potentially tricky data privacy challenges that can carry heavy fines. In the future, the bank is looking to roll out the technology to other areas beyond the payments area, and IBM are continuing to develop the technology further so that the pseudonyms can be changed based on the use case, but remain cryptographically consistent for the users. This could be useful for other industry sectors such as government where an ID is needed to validate a citizen across various services, such as healthcare, taxes and driving licenses.
GDPR may seem like a burden to many in business right now, but it is certainly spurring on some interesting innovations.
About the author
Andrew Burgess has been the lead architect within several major change projects, including strategic development, IT transformation and outsourcing, in a wide range of industries across four continents. He has developed and implemented sourcing strategies for global organisations, running sourcing programs and helping re-organise IT departments to maximise their value from sourcing. Andrew was recently awarded ‘Automation Champion of the Year’ by the GSA, the industry association and professional body for the global sourcing industry. He is widely considered to be a leading expert in the growing Legal Transformation and Outsourcing market and has recently written ‘The Rise of Legal Services Outsourcing’ in collaboration with the London School of Economics (LSE). Andrew’s latest book, ‘The Executive Guide to Artificial Intelligence’, has recently been published by Palgrave Macmillan. Andrew is a council member of the Global Sourcing Association and is Head of Consulting at HG Insights.