Protect your business by anonymizing any sensitive information in all data flows.
The GDPR recommends encryption as a method of protecting sensitive information.
Introduce data protection by design via powerful de-identification techniques.
TurboCat.io is used by national mobile carriers to de-identify extremely sensitive and personally identifiable information.
The tool has been thoroughly reviewed and approved by corporate security and data privacy officers.
Tomas Budnik
We use TeskaLabs’ technology in O2 Czech Republic in several key areas.
Vlad Toma
TurboCat.io is safe and easy to use. For us, it's important that the tool is simple because it is used by non-technical people. I'm very satisfied with the product.
Marek Beniak
Even though they work for big companies, we were able to establish personal cooperation without hassle. TeskaLabs guides us through secure and scalable mobile app development.
TurboCat.io is a tool that extracts data from a source system, transforms it, and then loads it into a destination, which could be another system, a big data platform, an archive, a cloud service, or just a plain text file.
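For illustration only, here is a minimal Python sketch of such an extract-transform-load flow (it is not TurboCat.io's actual API; the file names, field name, and hashing transform are assumptions): it reads records from a CSV source, de-identifies one sensitive field, and writes the result to a destination file.

```python
import csv
import hashlib

SOURCE = "customers.csv"                     # hypothetical source export
DESTINATION = "customers_deidentified.csv"   # hypothetical destination file

def de_identify(record: dict) -> dict:
    """Transform step: replace the e-mail address with a one-way hash."""
    record = dict(record)
    record["email"] = hashlib.sha256(record["email"].encode("utf-8")).hexdigest()
    return record

with open(SOURCE, newline="") as src, open(DESTINATION, "w", newline="") as dst:
    reader = csv.DictReader(src)                                  # extract
    writer = csv.DictWriter(dst, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow(de_identify(row))                         # transform + load
```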
TurboCat.io is compatible with the classical enterprise IT world, including SQL databases, as well as with the new IT world, including Kafka, Hadoop, ElasticSearch, AWS, various cloud services, and many more.
TurboCat.io is a software tool that can be installed both on-premises and in the cloud.
The price is divided into a one-off license and a yearly maintenance fee. With this license, the customer gets the data anonymization tool, assistance with implementation, and a web user interface.
Connectors
Data formats
Cryptographic hardware
Key rotations
De-identification methods
Field-specific de-identification
Encryption algorithms
Hash functions
User Interface
Real-time processing
Modes of operation
Support
Deployment options
Hardware requirements (typical)
High Availability
Software requirements
Directory services
GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. By holding the de-identified data separately from the “additional information,” the GDPR permits data handlers to use personal data more liberally without fear of infringing on the rights of data subjects. This is because the data only becomes identifiable when both elements are held together.
According to the GDPR, pseudonymization may facilitate the processing of personal data beyond the original collection purposes.
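A minimal Python sketch of this separation (illustrative only; the field name and the way the mapping is stored are assumptions): the direct identifier is replaced with a random token, and the look-up table that would allow re-identification is held apart from the working data.

```python
import secrets

# "Additional information" in GDPR terms: kept separately, under stricter access control.
pseudonym_map = {}

def pseudonymize(record: dict) -> dict:
    """Replace the direct identifier with a random, meaningless pseudonym."""
    original_id = record["customer_id"]          # hypothetical field name
    if original_id not in pseudonym_map:
        pseudonym_map[original_id] = secrets.token_hex(8)
    record = dict(record)
    record["customer_id"] = pseudonym_map[original_id]
    return record

working_copy = pseudonymize({"customer_id": "C-1001", "purchases": 3})
# 'working_copy' alone no longer identifies the person; only together with
# 'pseudonym_map' does it become identifiable personal data again.
```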
Anonymization is the irreversible removal of information that could lead to an individual being identified, either on the basis of the removed information or in combination with other information. This definition emphasizes that anonymized data must be stripped of any identifiable information, making it impossible to derive insights about a discrete individual, even by the party responsible for the anonymization.
When done properly, anonymization places the processing and storage of personal data outside the scope of the GDPR.
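In contrast to pseudonymization, a rough Python sketch of anonymization (the field names and generalization rules are illustrative assumptions) removes direct identifiers outright, with no mapping kept, and coarsens quasi-identifiers so that individuals can no longer be singled out:

```python
DIRECT_IDENTIFIERS = {"name", "email", "phone"}   # removed outright, no mapping kept

def anonymize(record: dict) -> dict:
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Generalize quasi-identifiers so combinations cannot single anyone out.
    out["age"] = f"{(record['age'] // 10) * 10}-{(record['age'] // 10) * 10 + 9}"
    out["zip"] = record["zip"][:3] + "**"         # keep only the region prefix
    return out

anonymize({"name": "Jane Doe", "email": "jane@example.com",
           "phone": "+420123456789", "age": 34, "zip": "11000"})
# -> {'age': '30-39', 'zip': '110**'}
```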
Encryption translates data into another form so that only people or systems with access to a secret key (formally called a decryption key) can read it. Under Article 32 of the GDPR, controllers are required to implement risk-based measures to protect data security. One such measure is the “encryption of personal data” that “renders the data unintelligible to any person who is not authorized to access it”.
Businesses can use encryption to meet the GDPR’s data security requirements.
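As an illustration of field-level encryption (a sketch using the widely used Python cryptography package; it does not show TurboCat.io's own algorithms or key management):

```python
from cryptography.fernet import Fernet  # pip install cryptography

key = Fernet.generate_key()   # the secret (decryption) key; store it securely,
fernet = Fernet(key)          # e.g. in a key management system or HSM

ciphertext = fernet.encrypt(b"jane.doe@example.com")
# Without the key the ciphertext is unintelligible; with it, the data is recoverable:
plaintext = fernet.decrypt(ciphertext)
assert plaintext == b"jane.doe@example.com"
```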
Data masking or suppression is an extreme form of anonymization. It replaces information with pre-defined fixed text (the digital equivalent of black tape). Data masking is very simple to implement and very effective at removing sensitive data. On the other hand, any statistical or analytical value of the data is lost in the masking process.
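A masking step is deliberately simple; here is a sketch in Python (the replacement text and the list of masked fields are arbitrary illustrative choices):

```python
MASK = "XXXXXXXX"                       # pre-defined fixed text ("black tape")
FIELDS_TO_MASK = {"name", "email", "phone"}

def mask(record: dict) -> dict:
    return {k: (MASK if k in FIELDS_TO_MASK else v) for k, v in record.items()}

mask({"name": "Jane Doe", "email": "jane@example.com", "order_total": 129.90})
# -> {'name': 'XXXXXXXX', 'email': 'XXXXXXXX', 'order_total': 129.9}
```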
It is typical for organizations to export production data, including sensitive personal information, for marketing purposes, to test new versions of apps, etc. Exported data contains readable information about users, such as their names, email addresses, phone numbers, home addresses, and so on.
Risk: An unauthorized person accesses an exported file that contains Personally Identifiable Information (PII). They then take a copy of that file and upload it to the public internet or the darknet. This is a data breach, and the company is liable under the GDPR.
Protection: The proper application of anonymization, pseudonymization, and encryption prevents data leaks right at the source.
Breach example: In July 2017, the Czech e-commerce site MALL.cz suffered a data breach; information from 735,000 unique accounts (including email addresses, names, phone numbers, and passwords) was later posted online.
Source: haveibeenpwned.com
TurboCat.io performs de-identification during data exports and, therefore, minimizes the risk of sensitive data being leaked.
Archives and backups are a common target for cyber attackers because they contain the same valuable data as the production database but are usually much less protected. For this reason, the privacy protection regulation requires the deletion of a person's data from all archives and backups, which is a very tedious and costly task to implement.
Risk: A cyber attacker steals files containing production database archives. The attacker then extracts all Sensitive Personal Information (SPI) from these archives and publishes the data on the internet or the darknet. This is a data breach, and the company is liable under the GDPR.
Protection: Applying encryption, anonymization, and pseudonymization to all archives and backups will prevent the attacker from extracting sensitive data from the stolen archive.
Breach example: In 2012, TD Bank misplaced computer backup tapes containing personally identifiable information for 267,000 customers. TD Bank later paid an $850,000 fine for this data breach.
Source: Bank Info Security
The use and adoption of big data within organizational processes brings efficiencies in cost, productivity, and innovation, but it does not come without flaws. One of these flaws is that the data sets created and stored can contain huge amounts of sensitive information, and controlling access to this information is very difficult.
Risk: The organization loses control of sensitive data and it gets into the hands of unauthorized people, who can then copy and export the data outside the organization. This is a data breach, and the company is liable under the GDPR.
Protection: Routine anonymization, pseudonymization, and data encryption before data is loaded into big data systems (see the sketch below).
Source: Oracle, “Three Big Data Threat Vectors”
TurboCat.io integrates with big data technologies (Hadoop, ElasticSearch) and transparently ensures the de-identification of sensitive data.
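Purely as an illustration of the protection step described above (not TurboCat.io's implementation; the secret key handling and field names are assumptions), a keyed hash can pseudonymize identifiers in the ingestion pipeline so that the big data platform never receives the raw values:

```python
import hmac
import hashlib

SECRET_KEY = b"replace-with-a-key-from-your-key-management"  # kept outside the big data platform

def pseudonymize_for_ingest(record: dict) -> dict:
    """De-identify a record before it is handed to the bulk loader."""
    record = dict(record)
    record.pop("name", None)                     # drop fields analytics does not need
    record["user_id"] = hmac.new(SECRET_KEY,
                                 record["user_id"].encode("utf-8"),
                                 hashlib.sha256).hexdigest()
    return record

# documents = (pseudonymize_for_ingest(r) for r in source_records)
# ...then pass 'documents' to the Hadoop/Elasticsearch bulk loader of your choice.
```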
Nowadays, it is a widespread practice for organizations to share production data with third parties for further processing, analysis, cleaning, and so on. This raises the risk of data leaks, as the organization typically does not apply security controls to the data before it leaves its IT infrastructure.
Risk: The third party does not provide sufficient protection for the confidential data and a data leak occurs. This is a data breach, and the company is liable under the GDPR.
Protection: Anonymization, pseudonymization, and encryption of data before sending it to a third party.
Breach example: Equifax leaked the personal information of 143 million individuals. Equifax blamed this breach on a flaw in third-party software it was using.
Source: CSO Online
TurboCat.io provides anonymization, pseudonymization, and encryption as well as integration capabilities in typical B2B scenarios.
Healthcare has long been a driver of research into SPI de-identification. The HIPAA Privacy Rule (in the United States) provides mechanisms for using and disclosing health data responsibly without the need for patient consent. These mechanisms center on two HIPAA de-identification standards: Safe Harbor and the Expert Determination Method. Safe Harbor relies on the removal of specific patient identifiers (e.g., name, phone number, email address), while the Expert Determination Method requires knowledge of and experience with generally accepted statistical and scientific principles and methods to render information not individually identifiable.
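A simplified Python sketch of the Safe Harbor approach (only a few of the 18 identifier categories are shown, and the field names are assumptions; a real implementation must cover the complete list, including dates and geographic data):

```python
# A subset of HIPAA Safe Harbor identifier categories, mapped to hypothetical field names.
SAFE_HARBOR_FIELDS = {
    "name", "phone", "email", "ssn", "medical_record_number",
    "street_address", "ip_address",
}

def safe_harbor_strip(patient_record: dict) -> dict:
    """Remove Safe Harbor identifiers from a patient record."""
    return {k: v for k, v in patient_record.items() if k not in SAFE_HARBOR_FIELDS}

safe_harbor_strip({"name": "Jane Doe", "email": "jane@example.com",
                   "diagnosis_code": "J45.901"})
# -> {'diagnosis_code': 'J45.901'}
```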
Breach example: New York and Presbyterian Hospital data breach (damage: $3.3 million).
Source: HHS.gov
More breach examples: Healthcare IT News
European Data Protection Law
Selected recitals
The principles of data protection should apply to any information concerning an identified or identifiable natural person.
Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
The application of pseudonymization to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymization’ in this Regulation is not intended to preclude any other measures of data protection.
In order to create incentives to apply pseudonymization when processing personal data, measures of pseudonymization should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.