Rabobank desensitizes client data during testing phase with IBM

Rabobank is working with IBM to use cryptographic pseudonyms on its client’s personal data to innovate and comply with new financial regulations in the EU. Desensitized data makes it easier for Rabobank to use the data for performance testing for the development of new innovative technologies and services, such as mobile apps and payment solutions.

Starting on 25 May, the General Data Protection Regulation (GDPR) seeks to create a harmonized data protection law framework across the EU and it aims to give citizens back control of their personal data, whilst imposing strict rules on those hosting, moving and ‘processing’ this data, anywhere in the world.

Rabobank is addressing GDPR compliance across a number of activities. In one project with IBM the bank has cryptographically transformed terabytes of its most sensitive client data, including names, birthdates and account numbers, into a desensitized representation – meaning, it looks and behaves like the real data, but it’s not.

“It’s critical for Rabobank to use data which is as close as possible to production during the testing phase, so when we go live, we are confident that our services will perform,” said Peter Claassen, Delivery Manager Radical Automation, Rabobank. “Being able to test and iterate using pseudonymized data is going to unleash new innovations from our team bringing even more security, innovation and convenience to our clients.”

Pseudonymization enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers, or pseudonyms, i.e. replacing a real name with a fictitious one. In addition, for GDPR the data is also processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. For example, without pseudonymization knowing the date of birth, and the home address can reveal the person’s identity.

“IBM analytics software combined with our cryptographic desensitization engine achieves pseudonymization by converting the data into individual hash-based token keys which are completely impermeable today and in the future, even from a fault-tolerant quantum computer many years from now,” said Michael Osborne, cryptographer, IBM Research. “This research is now a commercial technology available to address multiple compliance legislations, cross industry, around the world.”

Rabobank and IBM Services have been running the project for the past year. Multiple key applications and platforms have been pseudonymized, including the current bank account and savings systems on mainframe, Linux, Tandem and Windows platforms.

This post was originally published on RiskTech Forum’s website