by Romain Alberca

The 21st century is the century of data. Its value is no longer in question; it has even been called the new black gold, and every company is trying to make the most of it.

This is why organizations set up highly secure production environments to protect it. But data is also used outside these environments (for archiving, training new employees, business intelligence for marketing departments, software development, or work by subcontractors), which exposes it to multiple risks.

The first risk is of course the leakage of confidential data which, as this article explains, is the main threat in the field of cybersecurity. 

Faced with these challenges, data anonymization remains the most effective protection: it transforms the data irreversibly while preserving its consistency and usability.

Some companies may nevertheless be tempted to approach data protection through risk management, that is, by assessing and prioritizing the risk rather than removing it.

Risk management, a solution for enterprise data?

Accepting the risk to personal and identifying data is clearly not an option: since the GDPR came into force, the consequences in terms of image and loss of business, and above all financial penalties, have become severe.

The same is true for risk mitigation. Reducing the likelihood would mean no longer using data outside the production environment, which is impossible today for a company that wants to maintain a competitive advantage.

This leaves the option of transferring the risk, which would consist of entrusting the protection of one's data to a service provider. This option is no longer viable since the advent of the GDPR: if a data leak were to occur at the service provider, the regulation stipulates that responsibility for the leak is shared between the customer and the service provider.

Moreover, service providers are no longer willing to accept this kind of risk transfer, which is non-compliant and extremely risky for them, both financially and in terms of image.

They therefore now require that the data entrusted to them be anonymized. In that case we no longer speak of transferring the risk but of eliminating it.


Risks related to the life of a company

Beyond the risk of significant financial losses and damage to its image, a company's choice not to protect its data can severely hamper its development.

Take the example of a company that wants to open its capital to potential future investors. Such investors will certainly want to carry out an acquisition audit beforehand, covering various aspects of the company and in particular an analysis of its information system (IS). In this case, non-compliance with personal data protection rules will undoubtedly count against the company.

The same is true when a company wants to obtain an ISO (International Organization for Standardization) certification, in particular one of the 27000 series standards related to information security. Since 2022, the standard has been enriched with many concepts drawn from the GDPR, including data protection via anonymization.

Even more impactful, non-compliance can have significant business repercussions. 

When customers begin a data protection compliance process, they audit their suppliers to check whether they are compliant too. If they are not, they will turn to other providers, and the impact on the business, even with long-standing customers, can be significant.

Non-compliance may also result in loss of business in the case of a tender. In the context of a public contract, the contracting authority has to ensure that the subcontractor complies with data protection regulations. If it does not, the contracting authority will choose a more compliant subcontractor.

Compliance risks are also regularly underestimated. 

Every organization needs to be able to handle a request for the right to be forgotten, whether it comes from an employee, a prospect or even a customer. According to one of our recent surveys, 28% of respondents have already asked a company to apply their right to be forgotten, or right to erasure. 

If an organization is unable to respond positively to these requests, the requester may refer the matter to the data protection authority, which will audit the organization and sanction it if it is unable to apply this right.

Moreover, the data protection authority is increasingly carrying out unannounced checks. While such checks were infrequent only a few years ago, the European data protection authorities now consider that companies have had ample time to comply with the GDPR since it came into force in 2018.

If a violation of the personal data protection rules is proven, the consequences can be disastrous for the organization. Fines (up to 4% of turnover or €20 million) and damage to image come to mind, but there is a potentially even more dramatic risk: an administrative order prohibiting the non-compliant processing. In some cases, this can lead to the suspension or even the end of the company's activity if it relies on that processing.

Conclusion

Any company that decides not to comply with personal data protection regulations exposes itself today to considerable risks, whether financial, reputational, loss of business, or suspension of activity.

However, this compliance, although sometimes experienced as a real constraint, is ultimately beneficial for companies, since it strengthens the trust of their entire ecosystem, whether employees, customers, or subcontractors.
