The Problem and How We Solved It
Trust is crucial, and consumers today have lost their trust in data-driven organizations due to their massive gathering of other people’s personal data. That is one of the reasons why privacy-friendly technologies are considered necessary to improve efficiency and sustainability in organizations and society, while at the same time securing our democracies.
Societies are becoming ever more reliant on gathering and using more data to increase efficiency and improve sustainability. This is a fantastic opportunity, which at the same time increases the risks by challenging our human rights.
The dissonance between the digital society and privacy, together with the growing need to capture more and more data – including personal data – creates great risks of human rights violations. It was to protect our human rights that the EU created GDPR.
There is a need for a change in the disconnect between privacy and the data-driven society. Those who solve the issue of how we can create value while at the same time maintaining integrity are the winners. The losers are those who do not collect data and those who do not care about privacy.
From this realization, the idea of Indivd was born. The Company was founded on the idea of privacy-friendly technologies, the notion that data collection will increase and that people care about their personal data. The starting point is that people want to have it all – great services, experiences, and privacy.
The definition of the problem was: How can we technically understand re-identification without processing biometric data and without storing personal data? And, since individual consent on a large scale is next to impossible in the real world: How can we create a privacy-friendly solution, one where organizations do not need individual consent, according to GDPR?
1. Understanding the market need
We conducted needs studies together with various organizations in the market to understand and validate their problems around a lack of knowledge: that they actually saw it as a problem, a need, and that their need was large enough for an alternative solution that does not infringe on privacy.
2. Finding the solution
In parallel, we began the exploration and development of our unique solution, research that lasted for more than 18 months. We knew that we had the opportunity to find a way that both met the market needs and ensured integrity: a solution that can help societies to grow, improve, and become more efficient and sustainable – and that can do so without violating our integrity.
The development was completed with a technical validation of our solution, which we considered to be both anonymous and able to understand re-identification. We created a solution that we considered to raise the overall privacy in society.
3. Documenting our solution
When the development was finished, we carefully documented how the solution technically works. We explained and argued, made a data map of how the data is processed, visualized our system architecture, philosophized about what anonymization is, and compared our solution with EU definitions, guidelines, and other various studies.
4. Analyzed the various existing anonymization methods
We conducted a comparative analysis of different anonymization methods, both because many organizations use the concept of anonymity as a marketing term while the EU believes that it is very complicated to build anonymous systems, and in order to critically evaluate our solution. We asked ourselves: what are the various methods of anonymization, how do various organizations define anonymity, how does the EU define anonymity, are the other methods really anonymous, how different is our solution, how anonymous is our solution, and is our solution anonymous?
5. Adapted our organization to GDPR
We initiated a full-scale GDPR project for our organization. We adapted and educated ourselves, created processes, routines, internal IT security policies, information security policies, an anonymization policy, an ethics policy, data processing agreements, a secure development processes policy, etc., and documented everything online for everybody to read.
6. Conducted multiple Risk Analyses
Once we had satisfactory documentation, we used the best IT-security experts we could find and asked them to conduct a risk analysis. The result of the first risk analysis showed some issues. We went back to our development, solved the issues, and conducted another risk analysis which indicated that we had a good level of security.
7. Conducted a Data Protection Impact Assessment
We consulted with the best legal advisors we could find and conducted a data protection impact assessment together with them. We gave them all our information, showed them how it all works, answered all their questions, and gave them months to process everything. The result was that they believed that we had a good argument for a lawful basis.
8. Asked other experts to challenge our beliefs
Since we are rational and understood the complexity of the solution and data regulations, we asked the best experts within IT-security, law, and data protection we could find to spare us some time to audit and challenge our documentation, our beliefs, and our solution: to find cracks and new perspectives, and to tell us why this isn’t legal. Once we realized that our solutions actually could be legal, we proceeded to the final audit.
9. Applied for a Prior Consultation from the Data Protection Authority
We applied for a three-month-long prior consultation by the Swedish Data Protection Authority.
In their final decision, the Swedish Data Protection Authority notes that Indivd’s processing of personal data complies with the Data Protection Regulation, provided that it is done in the manner stated and planned and that it does not enable the identification of individuals.
Continued work for compliance
An organization has no fixed contour. It is constantly in motion. Therefore, it is necessary to constantly keep the internal and external GDPR work up to date, highly conscious, and alive. Our road to compliance has taken us several years and we see it as our mission to continue living by our policies, ensuring that future updates and services never reduce our level of data protection.