Rabobank desensitizes client data for GDPR and DevOps with tech giant IBM
Rabobank, the Dutch multi-national bank and financial services company, is working with IBM, the American multi-national technology company, to use cryptographic pseudonyms on its client's personal data in a bid to innovate and comply with new financial regulations in the EU.
In May 2018, the General Data Protection Regulation (GDPR) will come into force and seeks to create a harmonised data protection law framework across the EU and give citizens and residents back control of their personal data, whilst imposing strict rules on those hosting, moving and processing this data, anywhere in the world.
Rabobank is addressing GDPR compliance across a number of activities. In one project with IBM Services and IBM Research, the bank has cryptographically transformed terabytes of its most sensitive client data, including names, birthdates and account numbers, into a desensitised representation – meaning, it looks and behaves like the real data, but it is not.
Pseudonymisation enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers, or pseudonyms, i.e. replacing a real name with a fictitious one. In addition, for GDPR the data is also processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. For example, without pseudonymisation, knowing the date of birth and the home address can reveal the person's identity.
"IBM analytics software combined with our cryptographic desensitisation engine achieves pseudonymisation by converting the data into individual hash-based token keys which are completely impermeable today and in the future, even from a fault-tolerant quantum computer many years from now," said Michael Osborne, Cryptographer at IBM Research. "This research is now a commercial technology available to address multiple compliance legislations, cross industry, around the world."
Besides helping towards GDPR compliance having the data desensitized also makes it easier for Rabobank's Radical Automation DevOps team to use the data for performance testing for the development of new innovative technologies and services, such as mobile apps and payment solutions.
"It's critical for our DevOps team to use data which is as close as possible to production during the testing phase, so when we go live, we are confident that our services will perform," said Peter Claassen, Delivery Manager Radical Automation at Rabobank. "Being able to test and iterate using pseudonymised data is going to unleash new innovations from our DevOps team bringing even more security, innovation and convenience to our clients."
Rabobank and IBM Services have been running the project for the past year. Multiple key applications and platforms have been pseudonymised, including the current bank account and savings systems on mainframe, Linux, Tandem and Windows platforms.
Ultimately, the project will pseudonymise all payments applications and expand into other functional areas within the bank.
Photo credit: © 2015 Bloomberg Finance LP