Privacy by design and by default
The GDPR requires that business processes feature data protection from the first step of any design. Privacy is a core part of Apteco software development. See GDPR Articles 25 and 32.
Pseudonymisation¶
You can separate personal data from analysis variables before loading data into the Apteco software, using a pseudonym as an identifier. You can re-link pseudonymised data with the personal data before sending to the broadcaster or lettershop. You could use an existing variable such as customer number, or a new one (for example, a hash value).
Optionally, organisational separation via a so-called third-party "trust centre" can make this process more robust, though this adds extra complexity and a potential time lag. Personal data separation can be applied in the Data Management or SCV step, or immediately after data export. Alternatively, if you do not use a trust centre, you could use organisational separation and allocate functional teams within your company.
Differential privacy¶
Differential privacy aims to maximise the accuracy of queries from statistical databases while minimising the chances of identifying the natural person behind the records. The following two techniques are available in Apteco software:
Minimum visible count¶
The minimum visible count (MVC) property makes it harder to identify an individual by a process of elimination. For example, looking at a consumer holiday database you might be able to find a neighbour by adding criteria (village, age group, last destination) until you isolate a selection of 1. MVC makes this harder by hiding any selection count or cube cell count below the minimum (for example, 10). As soon as the count is below the MVC, it appears as zero.
Noise scale¶
The noise scale property sets the amplitude of "random noise" added to aggregated function results in cube cells (sum, mean, maximum, and so on). The idea is to prevent the user gaining information on any individual by introducing a small amount of uncertainty into the results. With a small amount of noise, overall trends should still be evident. The noise emulates a Laplace distribution, giving values more likely to be closer to the correct value. An additional time bias is included to make it harder to estimate exact figures by averaging multiple analysis runs.
Warning
Only use this feature if absolute accuracy is not essential.
Configuration¶
To configure the minimum visible count and noise scale properties:
-
Open the FastStats Configurator.
Tip
Search for Fast in the Start Menu.
-
Select FastStats Services.
-
Select the FastStats Service for the system, then click Properties.
-
Scroll down to find Minimum Visible Count and Noise Scale.
Note
When noise scale is enabled it will prevent the "Why was I Selected?" function from working.
Data minimisation¶
Data processing should only use as much data as is required to accomplish a given task successfully. The GDPR states that you should adhere to the principle of data minimisation.
Data model¶
- Pseudonymisation (see above)—prevent personal data entering the analysis system upstream of Apteco software. This is probably the most robust technique.
- Minimise exposure to granular personal data by using the combine categories banding wizard in FastStats (for example, Date of Birth → Age banding and removing YY from DD.MM.YY for birthday mailing triggers).
Data retention policy¶
Each company must define its policy on how long to store data before deleting it. This can be managed in the upstream databases (SCV or CRM).
Data access¶
Access to personal data can be controlled by restricting who has access to what:
-
Directory access rights—control a group or user's Read, Write, and Delete permissions at a high level.
-
Row and column filters—control whether a variable is Selectable, Exportable, or Browsable (SEB visibility) by right-clicking under the Visibility column for a variable.
Data rights¶
You can apply data rights at the variable level using Designer, limiting what is returned to the user.
Data properties¶
From within the FastStats System Explorer you can also limit how a variable is used:
Export restrictions¶
You can restrict the output file types that a user or group of users can export.
You can delete the output option for a file type.
Note
Data is exported to the server, not to the user's PC.
Velocity checking¶
Velocity checking restricts the volumes of data users can export from a FastStats system and the time periods for exporting. If a user exceeds their limit, an export is quarantined and the user must ask an administrator for an authorisation code to produce that export.
You can also set a size limit for the Sample Download file in the PeopleStage Delivery Step, accessed in the FastStats Configurator > FastStats Service > (select the system) > Properties, PeopleStage node.
Audit trails¶
The FastStats Variable Scanner can show what variables have been used and when—for example, to identify variables that have never or rarely been used in any analyses and should therefore be deleted from the data model (supporting data minimisation).
To use and install the FastStats Variable Scanner, download the Utilities zip and install the Variable Scanner on the same machine as your FastStats system. The scanner analyses one system and creates an output that you use with Designer to build another system. You need Excelsior to generate the reports from the Variable Scanner, so you will need to set up another FastStats system with appropriate licence files.
You then perform the analysis in that new system and can view results in Excelsior.
Permission preferences¶
Permission preferences are managed outside of Apteco software; however, you can integrate opt-in preferences into the data model to be brought in from the upstream database.
Ensure permission preferences are applied in a timely fashion—there is often a time lag between selections and campaign execution (or within a multi-step campaign). Options include:
- Upfront at time of selection, using permission flags in the selection.
- Update of permission flags between data updates in FastStats (for example, every 2 hours through the day).
- Via external variables in FastStats (only works for existing URNs).
- Reapplication of permission at campaign run time in PeopleStage using (Universal) Area constraint filters, for example "Valid E-Mail Opt-in".













