Rabobank is working with IBM to use cryptographic pseudonyms on its clients’ personal data to help comply with the EU’s new General Data Protection Regulation (GDPR).
As part of its efforts to comply with the new rule, Rabobank has teamed up with IBM to cryptographically transform terabytes of its most sensitive client data – including names, birthdates and account numbers – into a desensitised representation, meaning it looks and behaves like the real data, but is not.
Identifying fields within a data record are replaced by pseudonyms, for example a real name is replaced with a fictitious one. In addition, for GDPR purposes, the data is processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information.
The partners have been working on the project for the last year, with multiple key applications and platforms already pseudonymised, including the current bank account and savings systems on mainframe, Linux, Tandem and Windows platforms. Ultimately, the project will pseudonymise all payments applications and expand into other functional areas within the bank.
Michael Osborne, cryptographer, IBM Research, says: “IBM analytics software combined with our cryptographic desensitisation engine achieves pseudonymisation by converting the data into individual hash-based token keys which are completely impermeable today and in the future, even from a fault-tolerant quantum computer many years from now.”
The move not only helps with GDPR compliance, says Rabobank, it also makes it easier for its so-called Radical Automation DevOps team to use the data for performance testing of new technologies and services, such as mobile apps and payment solutions.
Peter Claassen, delivery manager, radical automation, Rabobank, says: “Being able to test and iterate using pseudonymised data is going to unleash new innovations from our DevOps team bringing even more security, innovation and convenience to our clients.”
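The field-level replacement described above can be illustrated with a keyed hash. This is an added example, not IBM's or Rabobank's code: the article does not specify the scheme, so the use of HMAC-SHA-256, the key, the name lists and the sample record are all assumptions constructed for illustration. The secret key plays the role of the "additional information" needed to link a pseudonym back to a data subject.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed demo values; a real key would live in a key-management system.
KEY = b"constructed-demo-key-not-for-production"
FIRST = ["Anna", "Bram", "Carla", "Daan", "Eva", "Finn", "Greta", "Hugo"]
LAST = ["Bakker", "Dekker", "Jansen", "Mulder", "Smit", "Visser", "Vos", "Willems"]

def prf(key: bytes, field: str, value: str) -> int:
    """HMAC-SHA-256 of the value, domain-separated per field, as an integer."""
    msg = field.encode() + b"\x00" + value.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def pseudo_name(key, name):
    # Same real name -> same fictitious name, so joins across tables still work.
    # A short list like this collides often; a real name pool would be far larger.
    n = prf(key, "name", name.strip().lower())
    return f"{FIRST[n % len(FIRST)]} {LAST[(n // len(FIRST)) % len(LAST)]}"

def pseudo_account(key, account):
    # Assumes an all-digit account number; keeps its length so format checks pass.
    n = prf(key, "account", account)
    return str(n % 10 ** len(account)).zfill(len(account))

def pseudo_birthdate(key, iso_date):
    # Always yields a valid calendar date. The key matters here: an unkeyed hash
    # of a birthdate could be reversed by hashing every possible date.
    n = prf(key, "birthdate", iso_date)
    return (date(1940, 1, 1) + timedelta(days=n % 25000)).isoformat()

def pseudonymise(key, record):
    out = dict(record)  # non-identifying fields are copied unchanged
    out["name"] = pseudo_name(key, record["name"])
    out["account"] = pseudo_account(key, record["account"])
    out["birthdate"] = pseudo_birthdate(key, record["birthdate"])
    return out

SAMPLE = {"name": "Jan de Vries", "birthdate": "1975-03-14",
          "account": "0123456789", "balance_eur": 1520.75}  # constructed record

if __name__ == "__main__":
    print(pseudonymise(KEY, SAMPLE))
```

The mapping is one-way and deterministic per key, so test data stays consistent across systems; it is not format-preserving encryption, and distinct inputs can map to the same pseudonym.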