Rabobank, a Dutch multi-national bank and financial services company, is working with IBM to use cryptographic pseudonyms on its client’s personal data to innovate and comply with the EU's General Data Protection Regulation.

Beginning May 25, the GDPR seeks to create a harmonized data protection law framework across the EU and it aims to give citizens back control of their personal data, while imposing strict rules on those hosting, moving, and 'processing' this data, anywhere in the world. Rabobank is addressing GDPR compliance across a number of activities.

In one project with IBM Services and IBM Research, the bank has cryptographically transformed terabytes of its most sensitive client data, including names, birth dates and account numbers, into a desensitized representation—meaning, it looks and behaves like the real data, but it’s not. Pseudonymization enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers, or pseudonyms (i.e. replacing a real name with a fictitious one). In addition, for GDPR the data is also processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. Without pseudonymization knowing the date of birth, and the home address can reveal the person’s identity.

“IBM analytics software, combined with our cryptographic desensitization engine, achieves pseudonymization by converting the data into individual hash-based token keys which are completely impermeable today and in the future, even from a fault-tolerant quantum computer many years from now,” said Michael Osborne, cryptographer, IBM Research. “This research is now a commercial technology available to address multiple compliance legislation, cross-industry, around the world.” Besides GDPR compliance purposes, having the data desensitized also makes it easier for Rabobank’s Radical Automation DevOps team to use the data for performance testing for the development of new innovative technologies and services, such as mobile apps and payment solutions, he said.

“It’s critical for our DevOps team to use data which is as close as possible to production during the testing phase, so when we go live, we are confident that our services will perform,” said Peter Claassen, Delivery Manager Radical Automation, Rabobank. “Being able to test and iterate using pseudonymized data is going to unleash new innovations from our DevOps team bringing even more security, innovation and convenience to our clients.”

Rabobank and IBM Services have been running the project for the past year. Multiple key applications and platforms have been pseudonymized, including the current bank account and savings systems on mainframe, Linux, Tandem and Windows platforms. Ultimately, the project will pseudonymize all payments applications and expand into other functional areas within the bank.