Have you heard of PETs? Not the fluffy kind, but the privacy kind. In the world of privacy, PETs are Privacy Enhancing Technologies.
The ICO issued guidance on these technologies in 2023, aimed in part at DPOs and individuals with responsibility for personal data protection in larger organisations and in part at a more technical audience. It has also recently issued a report looking at tackling barriers to their adoption.
PETs are not a defined concept under data protection law, but the European Union Agency for Cybersecurity (ENISA) refers to them as:
“Software and hardware solutions, i.e., systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.”
The examples given in the guidance include methods of encryption, synthetic data (artificial data which replicates the patterns and statistical properties of underlying real data), federated learning (a technique in which several parties train a shared AI model on their own data locally, producing a more accurate global model without any party sharing its training data) and many more.
The ICO is keen to state that PETs are not a “silver bullet” for meeting all data protection requirements: you still need to ensure that processing is lawful, fair and transparent. PETs may, however, help you to demonstrate a privacy by design and default approach, by addressing issues such as data minimisation, security, anonymisation and pseudonymisation and by reducing the risk of data breaches.
The ICO states that before you consider using a PET (in the design phase of your project), you should:
- assess the impact of your processing;
- be clear about your purpose;
- understand and document how PETs can help you to comply with the data protection principles; and
- understand and address the issues PETs may pose to complying with the data protection principles (e.g., issues with accuracy and accountability).
The use of PETs is, however, not without risk. The ICO guidance cites the lack of maturity of products, the lack of expertise in implementing and using them, mistakes in implementation, and the risk of undermining a PET through the absence of the supporting organisational measures it needs to operate effectively.
The guidance contains an overview of the different types of PET, as well as a list of processing activities and the types of PET which may help you with compliance when engaging in those activities. The ICO states that if you are considering the use of PETs to address privacy risks, you should carry out a data protection impact assessment (DPIA).
The ICO has recognised that there has been a low uptake of PETs. In February 2024 it held a workshop on the subject to gather views on the issues faced and to identify actions and recommendations to overcome the barriers to adoption. The recommendations for the ICO included:
- integrating PETs guidance into other guidance products, e.g. to reduce risks to people in AI use cases;
- publishing further case studies to demonstrate best practice for potential adopters;
- contributing to the development of standards and accreditations for PETs with relevant stakeholders; and
- clarifying when PETs can provide effective anonymisation and pseudonymisation.
The report also details recommendations for other stakeholders.
The guidance can be found here and the report on the outcomes of the workshop with links to case studies (issued last month) can be found here. There is also an upcoming ICO webinar on 25 September for those interested.