On 19 June 2023, the Information Commissioner’s Office (ICO) has released new Guidance on Privacy-Enhancing Technologies (PETs) for Data Protection Compliance. This guidance is designed to assist data protection officers (DPOs) and individuals responsible for managing large-scale personal data sets across diverse sectors, including finance, healthcare and research.

Understanding PETs

PETs are software and hardware systems that can help minimize use of personal data use while maximizing information security.

The ICO guidance consists of two sections: Part I for Data Protection Officers that wish to implement PETs to assist with UK GDPR compliance, and Part II for technologists to provide an overview of eight essential PETs along with associated risks and benefits.

Key Insights and Recommendations

The ICO guidance emphasizes several critical findings on the advantages and considerations of PETs for data protection compliance, namely:

  • Demonstrating Data Protection: PETs can be a valuable tool to exhibit a ‘data protection by design and by default’ approach to processing of personal data. The ICO recommends considering the implementation of PETs at the design stage of a project, which echoes previous guidance on product design lifecycle which we covered in a prior blog. This approach aligns with the principles set out in Article 25, UK GDPR.
  • Data Minimization: PETs enable compliance with the principle of data minimization by allowing organizations to process only the necessary information for their specific purposes.
  • Security Measures: By implementing PETs, organizations can ensure an appropriate level of security for their data processing activities, safeguarding the confidentiality and integrity of personal information. This aligns with Article 32, UK GDPR, which requires the implementation of appropriate technical and organizational measures to protect personal data.
  • Sensitive Data Sharing: PETs provide a framework through which organizations can grant access to sensitive datasets that would otherwise be deemed too sensitive to share, while simultaneously protecting individuals’ privacy and personal data.
  • Lawful Processing: Most PETs involve processing personal information which still needs to be lawful, fair and transparent. The guidance provides a helpful table with examples where PETs can be advantageous for various processing types.
  • Risk Assessment: When conducting either a risk or data protection impact assessment (DPIA) determining the suitability of employing PETs can result in mitigation of certain risks.
  • Anonymization: It is crucial to recognize that not all PETs result in effective anonymization. Organizations can achieve anonymization without PETs and the ICO has published draft guidance on the topic.

Implementation of PETs

Organizations must be cautious when implementing PETs to achieve the desired benefits while balancing data protection, costs, and utility. Insufficient expertise in PET implementation can lead to errors and limited realization of their potential. The ICO recommends that organizations seek the assistance of knowledgeable experts or vendors.

Finally, effective utilization of PETs requires appropriate organizational measures. Neglecting such measures could undermine the intended protection provided by PETs.

Takeaways

By adhering to the ICO guidance, organizations can use PETs effectively whilst safeguarding individuals’ data protection rights. Organizations should consider acquiring the necessary expertise and implementing appropriate organizational measures to maximize the benefits of PETs since their deployment could enhance or contribute to data protection compliance.