Rabobank enlists IBM to desensitise client data for GDPR

Rabobank is working with IBM to use cryptographic pseudonyms on its clients' personal data to help comply with the EU's new General Data Protection Regulation (GDPR).


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Coming into effect at the end of May, GDPR will create a harmonised data protection law framework across the EU with the aim of giving citizens back control of their personal data, whilst imposing strict rules on those hosting, moving and processing it.

As part of its efforts to comply with the new rule, Rabobank has teamed up with IBM to cryptographically transform terabytes of its most sensitive client data - including names, birthdates and account numbers - into a desensitised representation, meaning it looks and behaves like the real data, but is not.

Identifying fields within a data record are replaced by pseudonyms, for example a real name is replaced with a fictitious one. For GDPR, the data is also processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information.
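To make "cannot be attributed without additional information" concrete, the following added example (not IBM's or Rabobank's engine, whose internals the article does not describe) contrasts an unkeyed hash of a low-entropy field with a keyed HMAC token. The record, the key, and all function names are constructed for illustration, and the assumption is that the secret key plays the role of the separately held additional information.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample record; not real client data.
RECORD = {"name": "Jan Jansen", "birthdate": "1984-03-17",
          "account": "NL00BANK0123456789"}

# Assumption: this secret is the "additional information" and is stored
# apart from the pseudonymised data set (for example in an HSM).
KEY = b"constructed-demo-key-kept-separately"


def unkeyed_token(value: str) -> str:
    """Weak form: a plain hash that anyone can recompute."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_token(value: str, field: str, key: bytes = KEY) -> str:
    """HMAC-SHA256 token; the field name separates domains so equal
    values in different columns do not produce equal tokens."""
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes = KEY) -> dict:
    """Deterministic, so joins across pseudonymised tables still work."""
    return {f: keyed_token(v, f, key) for f, v in record.items()}


def birthdate_recoverable(token: str):
    """Audit check: can the token be matched by hashing every date
    from 1900 to 2025 without knowing any key?"""
    day = date(1900, 1, 1)
    while day <= date(2025, 12, 31):
        if hmac.compare_digest(unkeyed_token(day.isoformat()), token):
            return day.isoformat()
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    weak = unkeyed_token(RECORD["birthdate"])
    strong = pseudonymise(RECORD)["birthdate"]
    print("unkeyed hash recovered:", birthdate_recoverable(weak))
    print("keyed token recovered: ", birthdate_recoverable(strong))
```

The keyed token protects the value only while the key stays separate from the data; it does not by itself address re-identification through the remaining non-identifying fields.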

The partners have been working on the project for the last year, with multiple key applications and platforms already pseudonymised, including the current bank account and savings systems on mainframe, Linux, Tandem and Windows platforms. Ultimately, the project will pseudonymise all payments applications and expand into other functional areas within the bank.

Michael Osborne, cryptographer, IBM Research, says: "IBM analytics software combined with our cryptographic desensitisation engine achieves pseudonymisation by converting the data into individual hash-based token keys which are completely impermeable today and in the future, even from a fault-tolerant quantum computer many years from now."

The move not only helps with GDPR compliance, says Rabobank, it also makes it easier for its so-called Radical Automation DevOps team to use the data for performance testing of new technologies and services, such as mobile apps and payment solutions.

Peter Claassen, delivery manager, radical automation, Rabobank, says: "Being able to test and iterate using pseudonymised data is going to unleash new innovations from our DevOps team bringing even more security, innovation and convenience to our clients."


Comments: (1)

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

I recently learned that it's possible to de-anonymize most anonymized datasets on consumer-grade laptops by using algorithms like the one from Narayanan and Shmatikov. A partial deanonymization of 1.1B anonymized taxi rides in NYC can be found at https://tech.vijayp.ca/of-taxis-and-rainbows-f6bc289679a1. I hope IBM's "cryptographic desensitisation engine" will produce pseudonymous data that is impervious to these de-anonymization techniques.
