InfoSum Logo

Data Privacy

Many businesses are often left with little choice other than to share their customer's personal data to improve customer experience and deliver targeted and relevant marketing campaigns.

With the threat of GDPR fines looming over them, senior executives and marketers are increasingly cautious of sharing data outside of their organization, or relying on third-party data that has been passed between multiple companies. This is bad news for the advertising ecosystem and adtech firms, who rely on the movement of digital data to deliver targeted ads.

For brands, their agencies and publishers, locking down their data to a degree that they’re unable to utilize it for more effective marketing, simply isn’t an option. More than ever, brands need to be able to deliver targeted messaging to bring in new customers; media agencies need to be able to understand their client’s customers through their data, and publishers need to deliver audience targeting to compete with Facebook, Google, and Amazon.

Our Platform solves the data privacy risks associated with sharing raw data, by not. Our technology utilizes decentralization to allow multiple parties to collaborate across any number of datasets for analysis and activation, without sharing or pooling raw data.

Privacy-by-design technology

Our technology removes the need for this raw data to be shared, and so promotes privacy, the ethical handling of data and helps our clients comply with the GDPR.

Storage Limitation

Our anonymization processes have been designed to ensure that the identity of individuals is not stored any longer than required.

GDPR Principle B

Data Minimization

Our platform keeps all data decentralized, therefore minimizing the amount of information gathered in a single location.

GDPR Principle C

Integrity & Confidentiality

No raw personal data is ever passed between the different parties, minimizing the scope for data misuse or breaches.

GDPR Principle F

Q Is InfoSum GDPR compliant?

Yes, but GDPR compliant technology should only be considered a starting point. It is with the individual users of the technology to ensure that their use of it is compliant with the principles of GDPR. Our technology ensures that when running analysis across another party’s data, you never take on the role of the data processor. This means you are only responsible for the compliant handling of your data.

Q Do you hash personal data?

Under GDPR, hashing of personal data is usually pseudonymization, not anonymization. Therefore, hashed data must still be handled as personal data, under GDPR. Our platform hashes all fields containing personal data and keeps them in control of the data owner. Joining is done by applying a non-reversible mathematical model to the hashes to ensure no personal information is ever exposed.

Q How do you prevent re-identification?

When two or more data points are combined, they can become personal data. For example, an individual’s browsing habits could reveal their identity, sexuality and ethnic origin. We employ various differential privacy concepts, including data rounding, noise addition, redaction thresholds and rate limits to ensure that individuals cannot be re-identified through combinations of data.

Q How do you process the right to erasure?

GDPR requires that individuals be able to request that all instances of their personal data be deleted. If you have shared raw data internally or externally, this becomes increasingly difficult. Where an individual’s data is held in a bunker, permission to analyze can either be rescinded or the data within the bunker can be updated to remove the individual. Find out more about the right to erasure here.

Q Can I flag customers for remarketing?

Typical audience selection platforms utilize hashing techniques, which does not result in anonymized data. Therefore, must still be handled as personal data under GDPR. Our unique execution bunkers are able to match and “tag” identities for re-marketing purposes, without sharing the source data with the third-party.

Further reading:
German Court Ruling

Q Can I share data with another organization?

Anytime you pass raw data to another party, even a strategic partner, they become a legal Controller of your data. Once the data has been passed, you no longer have physical control over any onward sharing which can have adverse ramifications if that data is then sold onwards or misused. We never share raw data. Permissions are granted to run statistical analysis only or for tagging. These permissions can be rescinded at any time, without having passed any raw data and sacrificing your control or ownership.

Q Can I use third-party data?

Organizations looking to buy or rent data must be diligent in ensuring data is “lawfully and fairly obtained” and individuals understood their data would be shared with other parties. As we enable organizations to collaborate with partners without sharing raw data. This means they can gain the insights from the combined analysis, without becoming the controller of the third-party data.

What is personal data?

GDPR defines personal data as any information relating to an identified or identifiable natural person. Personal Identifiable Information, or PII, is a US term referring to any information about an individual, that can be used to distinguish or trace an individual's identity.

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Anonymous Information “namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction