Skip to content

Privacy by design and by default

The GDPR requires that business processes feature data protection from the first step of any design. Privacy is a core part of Apteco software development. See GDPR Articles 25 and 32.

Pseudonymisation

You can separate personal data from analysis variables before loading data into the Apteco software, using a pseudonym as an identifier. You can re-link pseudonymised data with the personal data before sending to the broadcaster or lettershop. You could use an existing variable such as customer number, or a new one (for example, a hash value).

Optionally, organisational separation via a so-called third-party "trust centre" can make this process more robust, though this adds extra complexity and a potential time lag. Personal data separation can be applied in the Data Management or SCV step, or immediately after data export. Alternatively, if you do not use a trust centre, you could use organisational separation and allocate functional teams within your company.

Trust Centre or Fulfilment Team Data Flow

Differential privacy

Differential privacy aims to maximise the accuracy of queries from statistical databases while minimising the chances of identifying the natural person behind the records. The following two techniques are available in Apteco software:

Minimum visible count

The minimum visible count (MVC) property makes it harder to identify an individual by a process of elimination. For example, looking at a consumer holiday database you might be able to find a neighbour by adding criteria (village, age group, last destination) until you isolate a selection of 1. MVC makes this harder by hiding any selection count or cube cell count below the minimum (for example, 10). As soon as the count is below the MVC, it appears as zero.

Minimum Visible Count

Noise scale

The noise scale property sets the amplitude of "random noise" added to aggregated function results in cube cells (sum, mean, maximum, and so on). The idea is to prevent the user gaining information on any individual by introducing a small amount of uncertainty into the results. With a small amount of noise, overall trends should still be evident. The noise emulates a Laplace distribution, giving values more likely to be closer to the correct value. An additional time bias is included to make it harder to estimate exact figures by averaging multiple analysis runs.

Warning

Only use this feature if absolute accuracy is not essential.

Configuration

To configure the minimum visible count and noise scale properties:

  1. Open the FastStats Configurator.

    Tip

    Search for Fast in the Start Menu.

  2. Select FastStats Services.

  3. Select the FastStats Service for the system, then click Properties.

    FastStats Services Manager

  4. Scroll down to find Minimum Visible Count and Noise Scale.

    Minimum Visible Count and Noise Scale

    Note

    When noise scale is enabled it will prevent the "Why was I Selected?" function from working.

Data minimisation

Data processing should only use as much data as is required to accomplish a given task successfully. The GDPR states that you should adhere to the principle of data minimisation.

Data model

  • Pseudonymisation (see above)—prevent personal data entering the analysis system upstream of Apteco software. This is probably the most robust technique.
  • Minimise exposure to granular personal data by using the combine categories banding wizard in FastStats (for example, Date of Birth → Age banding and removing YY from DD.MM.YY for birthday mailing triggers).

Data retention policy

Each company must define its policy on how long to store data before deleting it. This can be managed in the upstream databases (SCV or CRM).

Data access

Access to personal data can be controlled by restricting who has access to what:

  • Directory access rights—control a group or user's Read, Write, and Delete permissions at a high level.

    FastStats Modify Access Rights dialog

  • Row and column filters—control whether a variable is Selectable, Exportable, or Browsable (SEB visibility) by right-clicking under the Visibility column for a variable.

    FastStats User Menu Modify Column Filters

Data rights

You can apply data rights at the variable level using Designer, limiting what is returned to the user.

Designer Define Variables—Permissions

Data properties

From within the FastStats System Explorer you can also limit how a variable is used:

  1. Right-click on a variable > Properties > Security.

    FastStats System Explorer Variable Properties

Export restrictions

You can restrict the output file types that a user or group of users can export.

FastStats User Modify Outputs to restrict Export Options by Filetype

You can delete the output option for a file type.

Delete Outputs

Note

Data is exported to the server, not to the user's PC.

Velocity checking

Velocity checking restricts the volumes of data users can export from a FastStats system and the time periods for exporting. If a user exceeds their limit, an export is quarantined and the user must ask an administrator for an authorisation code to produce that export.

FastStats Tools Velocity Menu

You can also set a size limit for the Sample Download file in the PeopleStage Delivery Step, accessed in the FastStats Configurator > FastStats Service > (select the system) > Properties, PeopleStage node.

Audit trails

The FastStats Variable Scanner can show what variables have been used and when—for example, to identify variables that have never or rarely been used in any analyses and should therefore be deleted from the data model (supporting data minimisation).

To use and install the FastStats Variable Scanner, download the Utilities zip and install the Variable Scanner on the same machine as your FastStats system. The scanner analyses one system and creates an output that you use with Designer to build another system. You need Excelsior to generate the reports from the Variable Scanner, so you will need to set up another FastStats system with appropriate licence files.

FastStats Variable Scanner Processing a System

You then perform the analysis in that new system and can view results in Excelsior.

FastStats Variable Scanner Excelsior Report

Permission preferences

Permission preferences are managed outside of Apteco software; however, you can integrate opt-in preferences into the data model to be brought in from the upstream database.

Permission Preferences

Ensure permission preferences are applied in a timely fashion—there is often a time lag between selections and campaign execution (or within a multi-step campaign). Options include:

  • Upfront at time of selection, using permission flags in the selection.
  • Update of permission flags between data updates in FastStats (for example, every 2 hours through the day).
  • Via external variables in FastStats (only works for existing URNs).
  • Reapplication of permission at campaign run time in PeopleStage using (Universal) Area constraint filters, for example "Valid E-Mail Opt-in".