Are you prepared for EU GDPR Indirect Identifiers? What are Indirect Identifiers?

What is your solution for GDPR’s Indirect Identifiers? Many aren’t sure what they are and will probably be unsuccessful when attempting to become GDPR compliant. Allow me to explain.

As a software development manager, I must confess that the Discovery & Remediation of Indirect Identifiers was the most complex project I have managed in my 33 years in the industry.

First, let me explain what an Indirect Identifier is. According to the Privacy Technical Assistance Center of the U.S. Department of Education, “Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors.”
To accurately find Indirect Identifiers you must know all the metadata of all your enterprise data, including structured and unstructured data, and data contained in PDFs, Office documents and other sources of data assets.
When Indirect Identifiers are scattered across multiple files containing data for many individuals, it is first necessary to find the records associated with each unique individual. To accomplish this, you must successfully join the records by Direct Identifiers before you can decide whether Indirect Identifiers exist across those files and whether, taken together, they positively identify individuals. After all, files may contain gender, date of birth and geographic indicator but never all three for a specific individual. If no individual has all three of these fields present in your data, then you are GDPR compliant for this Indirect Identifier set of fields.
To join records for individuals, the files must first contain a field that uniquely identifies each individual; such fields are called Direct Identifiers. Their definition, from the same source as above:
What is a Direct Identifier? “Direct identifiers include information that relates specifically to an individual such as the individual’s residence, including for example, name, address, Social Security Number or other identifying number or code, telephone number, e-mail address, or biometric record.”
Having a centralized repository to house all your metadata is the next requirement for a reasonably efficient Indirect Identifier discovery process. Once all the pieces are present in one location, joining data from multiple files is not as daunting. It is also important that your central repository be able to accept data from many sources regardless of its structure or format. The repository must also be scalable, affordable and able to deliver enough processing power to join files by Direct Identifiers or other keys such as national health ID, Social Security Number, credit card number, address, e-mail, etc.
The joining process can then run, relating data assets from all the files and their columns to one another (yes, many permutations will occur). Once these relationships are found, some human intervention must occur to decide which of the Indirect Identifier(s) should be encrypted or removed to break up the Indirect Identification group of fields.
The EU GDPR requirements are vague, but the general opinion is that the GDPR still prohibits sets of fields that identify a small group of individuals and not necessarily a specific individual. An example would be Gender, Date of Birth and Postal Code, which is only 87% accurate in identifying specific individuals.
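The discovery process described above (join records by a Direct Identifier, then check whether the whole Indirect Identifier set co-occurs for any individual) and the "small group" concern in the paragraph just read can be shown in a few dozen lines. The following is an added example, not BigDataRevealed's code: the three "files", the sample records and the choice of e-mail as the join key are constructed, and the default field it proposes to remove is a placeholder for the human decision the text calls for. It also goes one step beyond the text by counting how many individuals share each complete combination, so a group of size 1 (a single person) can be treated differently from a small group.

```python
"""Indirect-identifier discovery across files joined by a direct identifier.
Added example (not vendor code); all file names, records and keys are constructed."""
import copy
from collections import defaultdict

DIRECT_ID = "email"                                     # constructed join key
INDIRECT_IDS = ("gender", "birth_date", "postal_code")  # the set named in the text

# Constructed sample "files"; no single file holds all three indirect fields.
FILES = {
    "crm.csv": [
        {"email": "a@example.com", "gender": "F", "postal_code": "60025"},
        {"email": "b@example.com", "gender": "M", "postal_code": "60025"},
        {"email": "c@example.com", "gender": "F"},
    ],
    "billing.csv": [
        {"email": "a@example.com", "birth_date": "1980-03-14"},
        {"email": "b@example.com", "birth_date": "1975-07-02"},
        {"email": "c@example.com", "birth_date": "1991-11-30"},
        {"gender": "M", "birth_date": "1960-01-01"},   # no direct id: cannot be joined
    ],
    "support.csv": [
        {"email": "d@example.com", "gender": "M", "birth_date": "1975-07-02",
         "postal_code": "60025"},
    ],
}


def join_by_direct_id(files):
    """Merge every record carrying the same direct identifier into one profile and
    remember which file each field came from (needed later for remediation)."""
    profiles = defaultdict(dict)     # direct id -> {field: value}
    provenance = defaultdict(dict)   # direct id -> {field: file name}
    for fname, records in files.items():
        for rec in records:
            key = rec.get(DIRECT_ID)
            if key is None:
                continue             # nothing to join on; such records need separate review
            for field, value in rec.items():
                if field != DIRECT_ID:
                    profiles[key][field] = value
                    provenance[key][field] = fname
    return dict(profiles), dict(provenance)


def find_complete_sets(profiles, indirect_ids=INDIRECT_IDS):
    """Individuals whose joined profile contains every field of the indirect set."""
    return sorted(k for k, p in profiles.items() if all(f in p for f in indirect_ids))


def group_sizes(profiles, indirect_ids=INDIRECT_IDS):
    """How many individuals share each complete combination of indirect values.
    Size 1 singles a person out; the text notes that small groups are still a problem."""
    counts = defaultdict(int)
    for k in find_complete_sets(profiles, indirect_ids):
        counts[tuple(profiles[k][f] for f in indirect_ids)] += 1
    return dict(counts)


def propose_breaks(profiles, provenance, max_group=1, indirect_ids=INDIRECT_IDS):
    """For every individual in a group of at most max_group people, propose the
    (file, field) whose removal or encryption breaks the indirect set. Choosing the
    last field of the set is a constructed placeholder for the human decision."""
    sizes = group_sizes(profiles, indirect_ids)
    plan = {}
    for k in find_complete_sets(profiles, indirect_ids):
        combo = tuple(profiles[k][f] for f in indirect_ids)
        if sizes[combo] <= max_group:
            field = indirect_ids[-1]
            plan[k] = (provenance[k][field], field)
    return plan


def remediate(files, plan):
    """Apply the plan by dropping the chosen field from the chosen file's records
    for that individual. Works on a copy; the original files are left untouched."""
    new_files = copy.deepcopy(files)
    for key, (fname, field) in plan.items():
        for rec in new_files[fname]:
            if rec.get(DIRECT_ID) == key:
                rec.pop(field, None)
    return new_files


PROFILES, PROVENANCE = join_by_direct_id(FILES)

if __name__ == "__main__":
    print("exposed individuals:", find_complete_sets(PROFILES))
    print("group sizes:", group_sizes(PROFILES))
    plan = propose_breaks(PROFILES, PROVENANCE, max_group=2)
    print("remediation plan:", plan)
    after, _ = join_by_direct_id(remediate(FILES, plan))
    print("exposed after remediation:", find_complete_sets(after))
```

In the constructed data, `c@example.com` never gets a postal code and so is not exposed even though three files hold pieces of that person, while `b@example.com` and `d@example.com` share one combination (a group of two). With `max_group=1` only the uniquely identified person is scheduled for remediation; raising it to 2 covers the small group the text warns about, and re-running the discovery on the remediated copy is the check that the plan actually broke every complete set.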
So, unless your company has nearly 100% of its data assets housed in a Big Data environment somewhere, you probably have lots of work ahead of you. If your company is like most, especially larger companies, you still have mainframes, AS/400s, desktops, servers (from many manufacturers, of many different sizes, running a multitude of RDBMSs), cloud applications, IoT and other forms of storage that may fall under the EU GDPR umbrella. Just identifying all of this is a major undertaking.
After all your data is in a file system that can store and manage it and provide massive amounts of processing power, you are ready to get to work. Next is to write a multi-step series of programs that can take advantage of the scalability of the file system, read all the file types and formats, store this information and make it sharable and collaborative, and then discover Direct and Indirect Identifiers while also providing for data remediation in the form of data encryption, removal, or sequestering / quarantining of files. GDPR is not a once-in-a-lifetime or once-a-year requirement; it is an everyday responsibility. If you are hacked and can’t demonstrate ongoing processes for remediating Direct and Indirect Identifiers, you may still be subject to substantial fines, and a major hack risks loss of customers and reputation, unmanageable fines and legal fees.
An additional EU GDPR requirement is to provide customers with the ‘Right of Erasure’, also known as the ‘Right to be Forgotten’. This means a company must discover and remediate all data related to an individual that isn’t required for existing business activities with that individual. As an example, if you are maintaining lease agreements with an individual you must keep certain identifiers to continue maintaining that agreement; however, you should make sure all of that required data is encrypted and is never shared with other business partners or entities. Any identifiers that are not required for legitimate business purposes must be removed. Providing an individual with the ‘Right of Erasure’ will certainly require discovery and remediation of all Direct and Indirect Identifiers before a true solution is achieved.
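The erasure rule in the paragraph above, kept identifiers for an active agreement and everything else removed, is easy to get wrong when the subject's data is spread over several files. The following is an added example, not BigDataRevealed's code: the file names, records, the e-mail join key and the per-file "retention basis" (the fields that must stay while a lease is active) are all constructed. Files with no retention basis lose the subject's records entirely; files with one keep only the listed fields, and every removal is recorded so the erasure can be evidenced later.

```python
"""Right-of-erasure pass over multi-file subject data with retention exceptions.
Added example (not vendor code); all file names, records and keys are constructed."""
import copy

DIRECT_ID = "email"   # constructed join key

# Constructed: fields that must be kept while a lease agreement is active.
# A file absent from this map has no retention basis, so the subject's records are removed.
RETENTION_BASIS = {
    "lease_agreements.csv": {"name", "lease_id", "postal_code"},
}

FILES = {
    "lease_agreements.csv": [
        {"email": "a@example.com", "name": "A. Example", "lease_id": "L-100",
         "postal_code": "60025", "birth_date": "1980-03-14"},
        {"email": "b@example.com", "name": "B. Example", "lease_id": "L-101",
         "postal_code": "60025"},
    ],
    "marketing.csv": [
        {"email": "a@example.com", "gender": "F", "postal_code": "60025"},
        {"email": "b@example.com", "gender": "M"},
    ],
}


def erase_subject(files, subject, retention_basis):
    """Remove everything held about `subject` that no retention basis covers.
    Returns (new_files, audit); audit lists (file, field, reason) for each removal,
    with field "*" meaning the whole record was dropped. Other subjects are untouched."""
    new_files = copy.deepcopy(files)
    audit = []
    for fname, records in new_files.items():
        keep = retention_basis.get(fname)
        kept_records = []
        for rec in records:
            if rec.get(DIRECT_ID) != subject:
                kept_records.append(rec)
                continue
            if keep is None:
                audit.append((fname, "*", "no retention basis: record removed"))
                continue                       # whole record dropped
            for field in list(rec):
                # the join key stays on a retained record so the agreement remains linkable
                if field != DIRECT_ID and field not in keep:
                    del rec[field]
                    audit.append((fname, field, "not required for active agreement"))
            kept_records.append(rec)
        new_files[fname] = kept_records
    return new_files, audit


def residual_fields(files, subject):
    """Fields still held about the subject, per file. This is the list that the
    encryption and no-sharing controls the text requires must then be applied to."""
    out = {}
    for fname, records in files.items():
        for rec in records:
            if rec.get(DIRECT_ID) == subject:
                out.setdefault(fname, set()).update(f for f in rec if f != DIRECT_ID)
    return {f: sorted(v) for f, v in out.items()}


if __name__ == "__main__":
    after, audit = erase_subject(FILES, "a@example.com", RETENTION_BASIS)
    for entry in audit:
        print("removed:", entry)
    print("still held:", residual_fields(after, "a@example.com"))
```

For the constructed subject `a@example.com`, the birth date is stripped from the lease record (it is not in the retention basis), the marketing record disappears entirely, and what remains is exactly the three fields the agreement needs; the other tenant's data is identical before and after. Running `residual_fields` on the result gives the list of retained identifiers that the text says must then be encrypted and never shared.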
After reading these descriptions of GDPR requirements it may seem like an overwhelming task to reach compliance with EU GDPR. However, some software vendors realized long ago that such solutions would be more than just problematic to develop ‘in-house’ and designed software applications specifically conceived to meet GDPR mandates. Don’t settle for solutions that require 6 months or a year to implement; there isn’t time. Look for a product that uses a common platform to assemble disparate data stores; that may be the only way to discover Indirect Identifiers. Look for solutions that don’t require an army of data scientists to interpret results. Don’t break the bank to purchase a solution; there are products with reasonable pricing structures that have quick implementations, as short as a day, that start delivering on day one and can give you a qualified, accurate, intelligent view in days.
Reach BigDataRevealed, a software application built for GDPR to help protect your customers’ valued and confidential data, at privacyinfo@bigdatarevealed.com or (847) 440-4439.