Top tips on PETs – what they are and things to consider when using them

The ICO has issued new guidance on Privacy Enhancing Technologies (PETs). The guidance is split into two parts, the first being aimed at those with responsibility for data protection within an organisation and the second for a more technical audience.

PETs are not a defined concept under data protection law, but the European Union Agency for Cybersecurity refers to them as:

“Software and hardware solutions, i.e., systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.”

The examples given in the guidance include methods of encryption, synthetic data (which can replicate patterns in underlying real data), federated learning (a technique for creating a more accurate global AI model by using several component models which do not share data) and many more.

The ICO is keen to state that PETs are not a “silver bullet”, but they may help you to demonstrate that you are taking a privacy by design and default approach.

The ICO also states that before you consider using a PET, you should:

  • assess the impact of your processing;
  • be clear about your purpose;
  • understand and document how PETs can help you to comply with the data protection principles; and
  • understand and address the issues PETs may pose to complying with the data protection principles (e.g., issues with accuracy and accountability).

The use of PETs is, however, not without risk. The ICO cites lack of maturity of products, lack of expertise in implementing them, mistakes in implementation and the risk of undermining the PET with a lack of supporting organisational measures, which are needed for them to operate effectively.

The guidance contains an overview of the different types of PET, as well as a list of processing activities and the types of PETs which may help you to be compliant when engaging in these activities. A DPIA will be necessary if considering PETs.

Things are moving fast in the tech world. As data protection professionals, it is important for us to keep up to date with new technologies and really understand how they work, in order to then be able to advise on whether they will help or hinder compliance.

The guidance can be found here.

