Dealing with cross-border data flows

Protegrity recently announced its latest solution for cross-border data flows, the Protegrity Borderless Data Solution. The solution is designed to make it easier for organisations to share data while still meeting the requirements of data privacy and data sovereignty. Sharing data cross-border is not just about eCommerce or other commercial activities. It is a necessity for health insurers, law enforcement and even governments.

To find out more about cross-border data and what Protegrity is doing, Enterprise Times spoke with Alasdair Anderson, Vice President at Protegrity. We began by asking who are the biggest users of cross-border data.

Alasdair Anderson, Vice President at Protegrity

Anderson replied, “We do most of our work in financial services. Our customers are the systemically important banks. We protect around 40% of the UK mortgage market. With the cross-border solution, we are providing a capability that maps to a solution that people can recognise and use.”

But mapping and sharing data raises questions over how that data is protected. Encryption is one solution, but data still needs to be anonymised beyond that, as encryption isn’t absolute. Data can be decrypted, which puts data at risk. What Protegrity does is anonymise and encrypt that data so that it can be easily shared.

Matching data with compliance requirements

One of the challenges for cross-border data is matching data protection to different compliance requirements. In Europe, the standard has been the GDPR. In fact, it set a base that has been used by numerous regulators around the world to define data protection of personal data. But not all legislation aligns perfectly. For example, in the UK, the plans outlined by the current Information Commissioner will see the UK diverge from the GDPR.

The UK Government says this will give UK companies more flexibility, but that raises questions over data equivalency rules and data protection. It is an area where Anderson says Protegrity is already talking to clients. He said, “That’s probably going to help UK businesses with certain qualifications that GDPR doesn’t do so well on. The reality is that the European Union is still going to have GDPR. Therefore, you have a legal border that your information has to cross.

“Our solution is all about how can we remove any sensitive information so that data can travel with the minimum of friction and without any friction whatsoever. That’s the end goal of our solution, to lower data exchange between entities across borders.”

The data equivalency challenge

The UK’s move is causing concern among a lot of businesses. Anderson said, “The way we frame this is that our solution is what we see as a landing place for a lot of the governance and even legal compliance discussions.” Anderson has a lot of experience in how complex this could be, having worked at a major bank involved in a drug scandal. Data had to be retrieved from more than 80 different jurisdictions.

The solution was to appoint a general counsel at the board level. It is something that a lot of companies need to consider. The growth of Chief Data Officer and equivalent roles has been significant over the past few years. However, how many of those same companies have considered ensuring they have the general counsel involved at the board level?

Anderson also believes that the question of data equivalence makes the environment more complex. He said, “Our solution is not a data governance solution. We are a partner of the people who do that work. We help people work out what is an adequate protection within that framework.”

The dangers of multiple layers of control

What is interesting here is that the borders are far more complex than they might seem. At one level, the GDPR was designed to make it possible for companies inside Europe to share data more easily. However, legal entities are also borders as is data sovereignty. Both add more complex layers.

Anderson gave an example of how complex it can get from a legal entity position. “In Germany, we have an insurance customer who has health insurance. They also have a product set where they allow people to use their good behaviours to get rewarded in the ways of, if you buy an Apple watch through us and go to the gym three times a week, we’ll lower your premium.

“Turns out that the guys that sell the Apple Watch, and the guys that are selling health insurance can’t exchange their information easily. Therefore, when a large customer says, ‘Well, how many of my people have actually got healthier this year?’ they don’t know.”

It is not just examples like this that Anderson talked about. He also pointed out that companies moving data to the cloud need to think carefully about the data, the cloud locations and the layers of compliance control.

Anonymisation and pseudo anonymisation

One of the key data protection mechanisms has always been anonymisation. However, true anonymisation is hard. It doesn’t take a lot of information to unpick a lot of anonymisation schemas. There are also challenges with encryption. In most environments, there is a huge amount of processing power wasted encrypting and decrypting data on the fly in order that it can be viewed and queried. While there are other solutions, such as fully homomorphic encryption, they are only slowly appearing.

Anderson commented, “We are not a homomorphic solution. That’s not the approach we take. We are a tokenisation solution. As well as length preserving and format preserving, we will also preserve referential integrity. When you take first name Alasdair and second name Anderson and tokenize it, not only is that secure, but it still retains its analytical value.

“For use cases like AML and KYC, you’re looking to see is Alasdair Anderson actually a group of 20 people acting as an agent, or are the 20 Alasdair Andersons all working under the umbrella of another entity. That is an analytical challenge. You’re looking at network analysis. I haven’t seen anyone who does it as well as us. You can take that token, and you can deploy it to be in any analytics cloud you want.

“Where we would see ourselves in the privacy space, is differential privacy. The tokenization combined with our gateway, allows you to have a differential view of the data. In my experience, the financial claim analysts are not entitled to see the data. When I worked in Denmark, every red flag, every suspicious activity report went straight to the cops. It meant that chain of custody of the data was preserved.”
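The length-preserving, format-preserving and referential-integrity properties described in this section can be illustrated with a deterministic keyed token. The code below is an added example, not Protegrity's code or algorithm: it uses HMAC-SHA256 as a one-way stand-in for a tokenisation service, and the key, the sample records and the `tokenize` and `shared_customers` functions are constructed for illustration.

```python
import hashlib
import hmac
import string

KEY = b"constructed-demo-key"  # assumption: secret shared by both data owners

def _keystream(key: bytes, msg: bytes, n: int) -> bytes:
    """Expand HMAC-SHA256 output to n bytes using a block counter."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big") + msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def tokenize(value: str, key: bytes, domain: str = "name") -> str:
    """Deterministic one-way token with the same length and character classes.

    Equal inputs give equal tokens: that is what allows joins, and it is also
    what exposes low-entropy fields to frequency analysis.
    """
    ks = _keystream(key, domain.encode() + b"\x00" + value.encode(), 2 * len(value))
    out = []
    for i, ch in enumerate(value):
        r = int.from_bytes(ks[2 * i:2 * i + 2], "big")
        if ch in string.digits:
            out.append(string.digits[r % 10])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[r % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[r % 26])
        else:
            out.append(ch)  # separators and non-ASCII kept as-is (demo limitation)
    return "".join(out)

# Constructed sample records held by two separate legal entities.
insurer = [("Alasdair Anderson", "policy-17"), ("Maria Schmidt", "policy-22")]
seller = [("Maria Schmidt", "watch-1"), ("Jonas Weber", "watch-2"),
          ("Alasdair Anderson", "watch-3")]

def shared_customers(a, b, key: bytes) -> set:
    """Join two datasets on tokens only, so no clear-text names are exchanged."""
    return {tokenize(n, key) for n, _ in a} & {tokenize(n, key) for n, _ in b}

if __name__ == "__main__":
    print(tokenize("Alasdair Anderson", KEY))
    print(len(shared_customers(insurer, seller, KEY)), "customers in both sets")
```

Because this stand-in is one-way, it cannot return the original value; a service that must detokenise would need a vault or a reversible format-preserving cipher instead.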

How do you explain cross-border to new customers?

For very large organisations with structured data schemas, standing-up software is not hard. However, for many, they might not understand how to get started. We asked Anderson how Protegrity onboards new customers.

He replied, “Standing up our software is pretty easy, you’re talking a couple of days. The key is adopting the software. For us it is all about identifying the reasonable business use case and reasonable business value. With the use case we look to identify the key data and then roll it out incrementally so it doesn’t disrupt the business.

“If people are used to seeing data in the clear and that goes away, that will be disruptive. But typically, customers know that is a risk that they are carrying and they want to get rid of. It’s identification of those risks, identification of those business processes, and then writing the most clear-cut policy. The KISS principle of, ‘well, if it’s cross border, and we want to do the whole world, that’s great’.

“Pick your two countries where we can do this in a non-destructive way, prove out the enablement of the staff that are affected by that, and make sure we can do this in as clear a way as possible. That gives us the cookie cutter, rinse and repeat.”

Enterprise Times: What does this mean?

Whether governments like it or not, organisations need to move data cross-border. What is making it hard is the constant tinkering with legislation from data privacy to data sovereignty and beyond. The complexity of the way data flows does not help companies and creates a problem for SMEs when it comes to international expansion and data sharing agreements with partners.

For now, Protegrity is offering a solution that can be adopted by companies moving into this space. It will be interesting to see how much adoption it gets outside of the very large companies.

