With the EU’s General Data Protection Regulation—one of the world’s most stringent data privacy laws—taking effect in less than a week, companies are coming up with some highly creative ways to ensure they’re GDPR compliant.

Take Dutch multinational banking and financial services firm Rabobank as an example. It has come up with a unique—and even fun—way to comply with the GDPR by using the Latin names of flowers and animals to anonymize its clients’ personally identifiable information.

The general idea is that through desensitizing data, Rabobank’s DevOps team can more easily use the data for performance testing new and innovative technologies and services, such as mobile apps and payment solutions, while still remaining GDPR compliant.

Compliance Week caught up with Peter Claassen, delivery manager radical automation at Rabobank, to hear more about how the bank is working in collaboration with IBM to use cryptographic pseudonyms to satisfy GDPR requirements.

When did Rabobank internally begin to consider the idea of using cryptographic pseudonyms on its clients’ personal data, and what role did the GDPR play in making the business case for this decision? 

The initial driver to mask production data was to use this masked data for improving and taking the next steps in test automation within the Rabobank payments domain. There were multiple options to do this, but when GDPR was announced, we knew we had to be careful in how we would do the masking of our sensitive client data. The masking needed to be done in such a way that is consistent and usable over multiple applications and compliant with GDPR. That is when the idea to pseudonymize the data came into scope.

What is pseudonymization, and how is it helping Rabobank with GDPR compliance?

The technology works by creating replicas of production data that are significantly less sensitive than the original data, but that still maintain all the desired characteristics needed for further use. Put simply, the data maintains its utility, while also being privacy friendly.

Being Dutch, we had a little fun by replacing the sensitive names of our clients with the Latin words for flowers. For example, the name Willem Degreff at the address Kerklaan became Papaver Orientale (Latin for Poppy Seed) at the address Ursus (Latin for bear), which has no correlation at all, thus maintaining the client’s privacy.

GDPR imposes strict rules on anyone hosting, moving, and processing private data anywhere in the world, but with pseudonymization this challenge is solved, because we can take this data and now give it to our Radical Automation DevOps team, maintain compliance, yet still use the data for our testing purposes.

How long has Rabobank been working on this project with IBM? 

Rabobank and IBM Services have been running the project for the past two years.

What software solutions does Rabobank use, and how does it work in practice?

The specific IBM technology is called the High Assurance Data Desensitisation Engine. It was developed by IBM scientists in Zurich. We then worked with IBM Services on the implementation.

We deployed it on on-premises servers and cryptographically transformed terabytes of Rabobank’s most sensitive client data—including names, birthdates, and account numbers—into desensitized form. Multiple key applications and platforms have been pseudonymized, including the current bank account and savings systems on mainframe, Linux, Tandem, and Windows platforms.

What additional payment applications and functional areas does Rabobank intend to pseudonymize moving forward?

Ultimately, the project will pseudonymize all payments applications and expand into other functional areas within the bank.

What other business functions have been collaborating with the DevOps team to achieve GDPR compliance? 

There are collaborations within the infrastructure department and the Rabobank risk department. The risk department, especially, is involved heavily to make sure the way we work is in line with Rabobank’s risk policy. Also, they are the independent party that can validate and control the results of our project.

Tell me more about that. In what specific ways does the risk department help Rabobank’s DevOps team?

Production data may not be seen by everybody. Also, among the teams that facilitate and maintain a production application, there are rules on who can see what data. Since we are going to pseudonymize the data, we need access to it. That needs to be done in a controlled way for everyone involved—from the application owner to the business owner.

Certain considerations like rules (what attributes and fields need to be pseudonymized, and how); the level of access to the data; guidelines on how to deal with the data in our team (including infrastructure and tools); technical agreements (how long it may be in our databases, for example); and functional agreements (how will we monitor who has access, for example) all needed to be determined.

Previously, we had no setup for this kind of use of production data. Also, we needed to set up a process to get approvals to use the data to be pseudonymized by the data owner. After the data was pseudonymized, we needed to be sure nothing slipped through the cracks, and so we needed to set up an independent process to validate that it had been done correctly.

In all these activities, our risk department had a very important role.

What challenges has Rabobank encountered along the way with this project, and how is Rabobank overcoming these challenges?

There are technical challenges: What is the best solution both for performance and functionality? Rabobank is working together with IBM to find solutions for these challenges. Not every application is the same, so for each application that comes into scope, we needed to work together with the specialist of that application to solve issues where they occurred—both technical and/or functional challenges. Cooperation between teams and alignment of timelines is essential.

How does using pseudonymized data serve as a competitive advantage, in addition to helping with GDPR compliance?

Data privacy is something that is top-of-mind for our clients, so I would think that if they know that we are taking this level of care with their data, they will also feel more confident in banking with Rabobank—and that’s a competitive edge.

In addition to using cryptographic pseudonyms, in what other ways is Rabobank addressing GDPR compliance?

GDPR covers a broad range of measures to protect the privacy of our customers. As a bank, Rabobank was already very keen on protecting data, since trust is one of the main assets of the bank. We have all kinds of procedures and controls in place to ensure the protection of data (e.g., access control-based or need-to-know encryption of transaction data during transport, processing, and storage, sound archiving procedures, screening of staff, and awareness training). To comply with the data portability rules, Rabobank set up new procedures to provide personal data to the customer on demand.

For other multinational companies that would like to begin the process of pseudonymizing their data to be GDPR compliant but don’t know where to begin, what advice would you offer?

Start with a high-level, technical approach. You cannot define everything in detail, and things will become clearer once working with the solution.

Make sure risk and compliance are aligned. You are working with production data, and you don’t want to make mistakes there. Pseudonymization is specialized work that’s done by a separate team. Make clear what you expect from each other, and plan together what needs to be done and when; lead time can become too long if these controls are not in place.