To deliver the best possible solution, Instinctive BI embraced examples from other industries to engage with and demonstrate thought leadership, not just in privacy management, but also ethics. Its solution delivered a comprehensive set of core assets and re-engineered key processes to minimise and control the capture, use and storage of personally identifiable information (PII). To ensure the programme delivered to the highest standard, it worked with privacy and data architecture experts across the UK and North America.
To implement de-identification techniques, the Instinctive BI team built a scalable and system-agnostic solution for measuring and treating PII disclosure risk. Statistical disclosure models were also developed to assess the trade-off between re-identification risk and the usefulness of data with increased anonymisation.
The team also developed a detection algorithm to identify PII copied across several cloud-based platforms. Blending decisioning and pattern-based matching, this reported data outside of management governance, helping the client to exercise more robust controls over the use of PII.
To ensure privacy requirements were met for managing data across the platform, a privacy-centric metadata solution was delivered. This included centralising the metadata management and ownership accountabilities, with new workflows developed to ensure PII tagging, data design services and access controls were better aligned to the business needs.
A new PI standard was implemented that widened the definition of identifiable data and introduced a requirement to consider identifiability when handling data subject information.
Recognising gaps in the client’s Right of Access and Right to Erasure processes, Instinctive BI introduced enhancements that reduced complexity, improved data validation and better aligned these to legal requirements. These helped protect records management requirements and those of the Data Protection Officer.
Finally, to address legacy risk under GDPR around lawful basis and the retention of data, relevant parties were consulted to develop processes for identifying over-retained data. Now, data deletion instructions are delivered to third parties, reducing the risk of exposure.