Summary: The ICO is the UK’s privacy regulator. Their recent guidance goes far beyond clarifying requirements and actively recommends the adoption of advanced privacy enhancing technologies (PETs) when using, sharing, or collaborating on people’s personal information. Why? Because these technologies make working with sensitive data easy and more productive.
Whether or not you’re under the jurisdiction of GDPR (UK), there’s something significantly different and important about the ICO’s PETs Guidance. It shows a path to growth and innovation by leading with security, privacy, and governance. When regulations and rulings change, the audible groan from those in charge of implementing them is understandable. Such changes mean work – a lot of work. Regulations are ultimately good as they aim to protect people’s privacy and business revenue. Unfortunately, they usually conflict head-on with the means of business growth and innovation. In this case, we see the path to greater growth running directly through innovative privacy and security technologies.
The ICO’s PETs Guide provides case studies in which a new class of technology, privacy enhancing technologies (PETs), can satisfy the UK GDPR’s privacy requirements. Duality’s platform happens to be one of the platforms in their case studies due to its innovative use of PETs to unlock global data collaboration. These studies show the world how these technologies maintain security, privacy, and governance of data more easily, and how they streamline efforts to use protected data. With this guidance, organizations can finally unlock valuable data sources that were previously locked behind security and privacy requirements.
Let’s start by acknowledging what we all know: data quality and volume are critical to the success of any data strategy.
This new collaboration opens a wide range of benefits: eliminating risk from data-analytics-as-a-service arrangements, simplifying and accelerating secure investigations, creating collaborative hubs that improve KYC, fraud prevention, and AML, accelerating breakthroughs in medical research, and generally securing and scaling data pipelines. By satisfying compliance by default, the platform allows teams to spend less time searching for data and more time getting answers and generating insights.
Rather than reviewing and approving each and every data use arrangement, we approve the platform once for all future engagements. Unlocking data collaboration from privacy, security, and governance hurdles is a force multiplier for any data strategy, and the ICO just took the lead in showing the world how to do just that. Regardless of jurisdiction, those applying this technology now will find their data ops well-positioned to take advantage of today’s big, data-heavy technology trends: generative AI, LLM, and ML development.
Every heist movie has someone watching the clock because they know what triggers an incident response, how long that takes, and what that response looks like. That is because criminals generally know the good guys’ capabilities, and the same is true in real life. Financial criminals bounce from bank to bank because they know that collaboration among banks is minimal and very slow when it does occur.
There are many points of blame when criticizing the lackluster results of investments in financial crime-fighting, but the big hurdle is simply the lack of a technical option to secure data in use. When that data is sensitive, like in banking, there are restrictions, documentation requirements, approval processes, legal contracts, reviews, etc., and it just takes a lot of effort to do simple things.
Imagine the difference ‘know your customer’ (KYC) will make if a bank can query a network of financial institutions with something as basic as, “Has this (data subject–encrypted) been caught committing a financial crime?” The querying bank gets an answer immediately, without visibility into personal information or banking relationships, and can quickly move on to the next steps. KYC becomes a far more efficient process in which collaboration efforts are front-loaded, with each query and interaction thereafter being self-service.
The healthcare ecosystem is vast and complex. The primary path to better treatments and insights requires generating Real World Evidence (RWE), which relies upon Real World Data (RWD) analyses. The struggle is that RWD is held by many clinical healthcare organizations – the ones we interact with as patients – and, as the name implies, it comprises sensitive clinical and personal information. As a result, RWD custodians have strict and complicated data handling and sharing requirements, which can distract from their primary focus: saving the lives of their active patients. The complexity and risk in handling protected health information (PHI) mean that RWD is hard to find to begin with and, once found, takes a long time to get to the point of use.
A case study with Tel Aviv Sourasky Medical Center (TASMC) shows how Duality’s platform was used to reduce the risk and complexity for both the RWD custodians and the RWE teams.
Another common use case is data analytics (or data science) as a service. This use case involves at least two parties: the data custodian and the service provider. In the current state, both sides take on significant data risk during the engagement and largely rely upon data use agreements to acknowledge the risk and assign liabilities. Commonly used deidentification processes and techniques hurt time-to-value, OpEx costs (ROI), and data quality. With a PETs-enabled solution, service providers can differentiate themselves from the mix by offering a truly zero-trust analytics service. Frankly, we’re talking about zero-access data analytics as a functional description rather than a framework approaching an ideal situation.
Data governance is data quality. That’s the difference between technology and solutions. Duality has built a collaboration and governance layer on top of both the foundational security/privacy technologies and a robust computation layer. This gives each data custodian governance controls and visibility into which queries and computations are permitted to run. It can even be set to require per-run approvals (usually done in PoC but removed during production, given the proof of zero data access).
Finance and healthcare organizations seem to be clamoring for such solutions, which makes sense. These are organizations with high-impact goals surrounding highly sensitive data. But in a world where data is critical to how we operate and make decisions, there are very few instances in which this would not be useful. Whether simply a risk reduction play or the answer to your data source woes, it’s no wonder regulators made such an unprecedented recommendation.