GDPR - Part 1
A Technical Perspective

GDPR - Part 1

Part one: Data segregation, suppression, anonymisation and pseudonymisation

Businesses, large and small, handles data in one way or another. The only difference is the scale, type and sensitivity of that data. With the GDPR in effect, how does this impact IT professionals and how they provide their services internally as well as to external clients?

Data Segregation / Suppression

Every individual has data with varying sensitivity and therefore requires different means of storage and handling. Depending on the different roles within your organisation you may want to segregate data by what people need access to, for example:

'Company A' handles orders for widgets that are delivered by a third party. 'Company A' has a sales team, warehouse team and an accounts team. When deciding what data each role requires 'Company A' matches the type of data with the appropriate role:

Data Type Sales Warehouse Accounts
Name X X X
Address X X
Telephone X X
Card Details X

Using the above 'Company A' can segregate the data appropriately as defined by their roles.

Data suppression takes the above slightly further, by removing a column of data which the user does not need. Using 'Company A' again, we take our example further.

The sales team has access to a customer's sales history and will make recommendation based on the type of product they had

Customer Id Item Category Description Quantity Price per item Total
100 Widget Box Widget Box of widgets 10 £20.00 £200.00
100 Fixings Widget Fixings for widgets 1 £15.00 £15.00

With reference to the above, all that the sales team needs are the customer ID and the category, so the other columns can be removed (not just hidden) and the data can then be supressed based on the role.

Data Anonymisation / Pseudonymisation

Pseudonymisation takes data and replaces it with a foreign key, code or reference so that the individual cannot be identified. In the previous section when we supressed 'Company A' customer orders data, you can see above that we replaced the customer's personal data with an ID. Without the corresponding table we cannot identify this individual. This can be extended to any data you hold and is done in relational databases.

Anonymisation is the process of encrypting or removing personally identifiable data and therefore the data subject is anonymous.

We can see examples of the above by using our 'Company A' example:

'Company A' is going to ask a third party to analyse their sales data to see various trends to plan further marketing strategies. By sharing the entire dataset, individuals can be vulnerable to data protection issues. However, by anonymising the data where personally identifiable data is replaced with some thing more general or by an external identifier, the data can still be used but not to identify an individual.

Name Email Postcode Item Cost IP Address Telephone Date of Birth
John Smith johnsmith@fakecompany.net S9 1BY Widget £100.00 10.0.0.0 0114 244 44 61 12/01/1970

Table A: Before anonymisation

Name Postcode Item Cost IP Location Tel. Location Date of Birth
100 S9 Widget £100.00 UK Sheffield 1970
Swapped for ID (which points to email address that has been supressed Only the outcode is retained Not personal data Not personal data IP swapped for general location of IP address Telephone number has been swapped for city Only the year is retained

Table B: After anonymisation

Conclusion

With the above you can implement safeguards to protect the data if there is a breach, but the main aim is to prevent breaches altogether. In the next part we will look at simple ways of preventing and minimising breaches.

If you have any questions about GDPR itself and how it effects your business, please call EL Direct on 0114 241 7092 or email info@eldirect.co.uk and speak to one of our experts.

EL Direct

I don't have Microsoft Office or Microsoft Word, what should I do?

If you don't have Microsoft Office, or Microsoft Word installed on your PC or Mac, don't worry - you can still use our products. You can get a free alternative from Open Office.

Open Office Org is open-source developed alternative to Microsoft Office, developed by a large software company called Oracle. Open Source means the company who build the software, allow 100% use of it, 100% free.

Since Open Office is specifically developed to be exactly the same as Microsoft Office, with all the same programs in the suite (Eg: Word, Excel, Access and Power Point) - it will freely open any Microsoft Office file-format. Meaning, just because a document was written in Microsoft Word, doesn't mean it can't be opened in another program. Open Office will do that, and vise versa.

To download and install Open Office;

  1. Go to www.openoffice.org.
  2. On the left hand side, click 'I want to download Open Office'. In the green box, click the main link which starts with 'Start downloading OpenOffice.org...'
    • Windows Only:When the program has downloaded, click Install and wait for the program to install.
    • MAC OSX Only:When the program has downloaded, a notification box will pop up with an arrow from the Open Office Icon to the Applications Folder in Finder, drag the icon to the Applications folder to install the program.
  3. You are now ready to use Open Office, and the documents you have purchased from us.