Data lake anonymization
Data anonymization, often referred to as 'data sanitization', is a process aimed at protecting user privacy. Personally identifiable information in data sets is encrypted or removed to ensure anonymity.
The data we keep in ABAX comprises location data.
Data lake replenishment is performed from backups and then anonymized using scripts (when established and verified). The data lake is only accessible by the data science team, and the data is used for analytical purposes such as improving algorithms on the tracking units.
The data lake consists of the following information:
- Maximum speed
- When the trip started and stopped
- When a trip was registered with our servers
- Trip type (business or private)
- A numeric ID for the driver (no link to privacy data). Used to provide the following information:
  - Company identity
  - Account type: user account or admin account
  - Active account
  - Language setting for the account
  - Date of last login
  - Date of last logout
  - Which interface/product is linked to the account
  - Whether the Show welcome page flag is set to true or false
  - Whether the Force password reset flag is set to true or false
  - Fiscal domicile
  - Whether the customer account has any trips
  - Whether the customer account has an active driver
  - Whether the customer account has left the company
  - Whether the contact info is updated
  - Date when the account was last modified
  - Trip settings
- A numeric ID identifying the tracking unit
- A numeric ID identifying the main office
- A numeric ID identifying the vehicle
No personal information such as names, phone numbers and email addresses is transferred to the data lake.
Positions are anonymized in such a way that it is not possible to identify the address of the individual behind a data point or the exact location of the original data point. Trip start and trip stop locations are grouped together with those of other tracking units, so that no location is started or stopped by one single tracking unit and no single start or stop location can be traced back to an identifiable individual.
In more technical terms
Trips are anonymized by geohashing the start and stop locations. Geohashing converts a position (latitude and longitude pairs) into a hash code that identifies a rectangle in a grid overlaying the world map. The grid size depends on the length of the geohash (see https://en.wikipedia.org/wiki/Geohash).
The anonymization process is iterative and starts with a long geohash (small rectangles). The geohash length starts at 12 (area size of 7 square cm) and goes down to 1 (area size of 25 009 930 square kilometres). If only one SIM card has a location inside a rectangle at length 12, the geohash length is reduced by one and the process is repeated until other SIM cards have a position with the same geohash, or until the geohash length is 4, at which point the area represented is 762 square kilometres (ref. Figure 1).
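The following is an added example, not ABAX's own code, showing the two steps the text describes: encoding a position as a geohash, and shortening each unit's geohash one character at a time until at least one other unit falls in the same rectangle or the 4-character floor is reached. The unit ids and coordinates are constructed sample data.

```python
# Added example (not ABAX's code): geohash encoding plus the iterative
# precision reduction described above. Unit ids and positions are constructed.

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"  # standard geohash alphabet (no a, i, l, o)

MAX_PRECISION = 12  # 12-character geohash: cells of about 7 square cm (per the text)
MIN_PRECISION = 4   # 4-character geohash: cells of about 762 square km, the floor


def geohash_encode(lat, lon, precision=MAX_PRECISION):
    """Encode a latitude/longitude pair as a geohash of the given length.

    Bits alternate longitude/latitude, each halving the current bounding box;
    every 5 bits become one base32 character. The encoding is hierarchical,
    so truncating the string gives the enclosing (coarser) rectangle.
    """
    lat_lo, lat_hi = -90.0, 90.0
    lon_lo, lon_hi = -180.0, 180.0
    bits = []
    use_lon = True
    while len(bits) < precision * 5:
        if use_lon:
            mid = (lon_lo + lon_hi) / 2
            if lon >= mid:
                bits.append(1)
                lon_lo = mid
            else:
                bits.append(0)
                lon_hi = mid
        else:
            mid = (lat_lo + lat_hi) / 2
            if lat >= mid:
                bits.append(1)
                lat_lo = mid
            else:
                bits.append(0)
                lat_hi = mid
        use_lon = not use_lon
    chars = []
    for i in range(0, len(bits), 5):
        value = 0
        for bit in bits[i:i + 5]:
            value = (value << 1) | bit
        chars.append(BASE32[value])
    return "".join(chars)


def anonymize_positions(positions, max_precision=MAX_PRECISION, min_precision=MIN_PRECISION):
    """Replace each unit's exact position by the smallest geohash rectangle it
    shares with at least one other unit, never finer than max_precision and
    never coarser than min_precision.

    positions: {unit_id: (lat, lon)}; returns {unit_id: (cell, precision)}.
    The cell (the green square in Figure 1) stands in for the red exact point.
    """
    exact = {uid: geohash_encode(lat, lon, max_precision) for uid, (lat, lon) in positions.items()}
    result = {}
    for uid, full_hash in exact.items():
        precision = max_precision
        while precision > min_precision:
            cell = full_hash[:precision]
            # Another unit is in the same rectangle iff its geohash shares this prefix.
            if any(other != uid and h.startswith(cell) for other, h in exact.items()):
                break
            precision -= 1  # drop one character: the rectangle grows
        result[uid] = (full_hash[:precision], precision)
    return result


# Constructed sample: two units a few metres apart in Oslo, one alone in Bergen.
SAMPLE_POSITIONS = {
    "unit-A": (59.9139, 10.7522),
    "unit-B": (59.9140, 10.7523),
    "unit-C": (60.3913, 5.3221),
}

if __name__ == "__main__":
    for uid, (cell, precision) in anonymize_positions(SAMPLE_POSITIONS).items():
        print(f"{uid}: cell {cell} (precision {precision})")
```

Note that the lone unit is generalized all the way to the 4-character floor, which is exactly the case where the text relies on the 762 square kilometre rectangle rather than on other units to mask the position.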
Anonymization is also used when location data is sold to or shared with third-party users, in which cases a similar approach is used to anonymize the data.
Figure 1 – Geohashing, green squares as the new position (replaces the red positions within the square)
Data processor agreement
The documentation for all our markets is available here: https://www.abax.com/terms-and-conditions
Subprocessors in ABAX
The GDPR sets out two alternative forms of authorization that must be obtained from the data controller before the processor may engage a subprocessor:
- Prior specific authorization to use a subprocessor. This alternative is appropriate when tasks/services the data processor provides to the data controller are specific in nature, i.e. that the subprocessor is engaged to provide specific services to one or a small group of customers. This is typically the case where the solution provided by the data processor must be customised to the needs of the data controller.
- General authorization to use a subprocessor. This alternative is appropriate where the services provided by the data processor to the data controller are the same, or essentially the same, for a large number of customers. In these cases, the data processor must keep the data controller informed about the use of subprocessors and of any changes to the subprocessors used prior to engaging a new subprocessor. The data controller always has the right to object to the use of certain subprocessors.
ABAX uses the general authorization option for customers using our services. ABAX is continually developing and improving its services. New or improved functionality may require the use of new subprocessors. If ABAX had to obtain written approval from all its customers, this would make new developments impossible.
An updated overview of the subprocessors we use is available at https://www.abax.com/terms-and-conditions
How is privacy handled in your service?
Proactivity and Prevention
Privacy by design approaches the issues of privacy risks in a proactive manner. The issues must be prevented before they occur, and steps should be taken to mitigate the potential risks even before they become apparent. Poor security and privacy practices must also be recognized and improved early, before they do any harm.
This requires a commitment to consistently enforce privacy standards that are required by the GDPR. This is covered by the requirement to conduct data protection impact assessments before commencing with processing operations. The responsibilities of data controllers and processors are also clearly listed and must be followed. This requires a thorough commitment for proper implementation.
Privacy as the Default
The principle of privacy by default mandates that the users’ data must be protected without requiring their input. Individuals should not have to do anything in order to ensure their data is safe – it should be safe by default.
This is covered in Articles 25 and 32 of the GDPR, while DPOs are tasked with ensuring these rules are adhered to. The GDPR also prominently includes the three basic elements of privacy as the default, including:
- Purpose specification – individuals must be notified what their data will be used for
- Collection limitation – collection of personal data must be lawful and transparent
- Data minimisation – as little data as possible should be collected, and only for immediate processing purposes.
Privacy Embedded into the Design
During the creation of technologies that will be used by companies and online services, due care must be taken to design them in such a way that privacy protection remains an integral part of the system.
Even before the systems reach the end-users, all good privacy protection measures must already be in place. Functionality for users should be unaffected by these privacy protection measures, and systems should be made in such a way that potential misconfigurations or errors do not degrade privacy. Again, this principle is mostly covered in Articles 25 and 32, along with several Recitals.
Full Functionality – Positive-Sum
The aim of privacy by design is to create a win-win situation for all stakeholders. The idea is that these privacy protection measures will create benefits both for the companies and for the users. Instead of a zero-sum situation, where users can only benefit at the companies’ expense and vice versa, these privacy by design measures aim to create positive net effects without making these trade-offs.
Security and privacy of data must be ensured from the point of collection to the eventual destruction of data. At every point of the data lifecycle, it must be continuously protected and accounted for.
The GDPR is notably very prescriptive in this regard. Its many provisions on data collection, storage and destruction fully capture the spirit of this rule. The aim is to ensure there are no gaps in data security, as security is considered an essential counterpart to privacy.
Thus, the GDPR requires the use of several methods for ensuring accountability (such as record-keeping) and security (anonymization, access controls etc.).
Visibility and Transparency
The key to accountability (and GDPR compliance) is transparency. All stakeholders, partners and coprocessors must be vetted, audited and open to external verification. Without transparency and visibility, there is no real way to ascertain whether the privacy by design principles have been implemented properly.
Respect for Privacy
The best way to achieve great results in implementing privacy by design features is to create products with end-users in mind. They should be designed to meet the users’ needs and include simple possibilities for them to control and oversee how their data is processed.
How do you secure privacy when introducing new features?
Even before we decide to implement a new feature or product, we evaluate the privacy aspect thoroughly. We seek help from our DPO and from legal advisors (law firms) when in doubt. In addition, our software testers pay extra attention to the privacy aspect, and all potential risks are closed before a feature is launched to the market.
Leave your GDPR hassle with us. Due to GDPR regulations, your employees now have the right to request what personal data you hold about them and the ‘right to be forgotten’. Some of your employees will probably ask you about this. Do you have time to handle all your employees' requests, or do you want us to handle it for you? With the Privacy Assistant, we will handle most of the privacy dialogue with your employees, so you can focus on running a profitable business.
The Privacy Assistant will:
- Ensure your company is using ABAX products and services in a way that keeps you GDPR compliant
- Handle employee requests, so you can focus on running your business
- Inform your employees in an easy and compliant way with customized documents specific to your business
Information security is a top priority in ABAX. Here are the answers to some of the most common questions our customers ask about information security on our website, abax.com.
Where does ABAX store its customers' data?
Customer data is our most valuable asset, so our storage solutions must be secure and reliable. We use a public cloud vendor to store the data. You can find a list of our public cloud vendors in our regularly updated list of data sub-processors available at: https://www.abax.com/terms-and-conditions
How does ABAX encrypt our data when stored?
The data stored in our data centre is stored on self-encrypting hard drives so that you as our customer can rest assured that your data is safe with us.
How does ABAX encrypt data in transit to its customers?
The data stored at the cloud vendor is encrypted with up-to-date standards for encryption, so our customers can rest assured that their data is safe with us.
More in-depth details on how the cloud vendor encrypts data are available at: https://cloud.google.com/docs/security/encryption/default-encryption
What kind of security standards does ABAX comply with?
We comply with information security management system standard ISO 27001. This standard includes a range of controls to ensure that all processing is carried out securely and in a way that does not put our customers' data at risk.
Which vendors does ABAX use to transfer data?
Our hardware communicates through the mobile network using Telenor and its global network of partners. Multiple internet service providers (ISPs) facilitate communication between our customers and our systems via fully redundant solutions. ABAX’s infrastructure is connected to internet highways at several core internet exchange points.
How does ABAX ensure security on its servers?
To ensure that our servers stay secure, we always set up our infrastructure based on industry standards and best practices. All infrastructure is kept up to date with the latest security patches released by our vendors.
What kind of backup routines does ABAX have for its customers' data?
We make regular backups of all our valuable customer data and store them at a secure off-site location. For you as our customer, this means that we can recover your data and minimize any data loss in the event of a disaster.
How does ABAX secure customer data in its networks?
To ensure that we keep our servers safe, we use network segmentation, meaning that we divide our network into smaller segments. This limits how far a cyber-attack can spread within our infrastructure.
How does ABAX ensure access control to its servers and systems?
We use a widely used method of access control called the principle of least privilege (POLP). What this means in practice is that we limit access to the accounts in our systems, granting them only the minimum access needed to perform specific tasks. To ensure that we adhere to the POLP principles, we perform regular audits on all accounts and their access rights as part of our ISO 27001 compliance procedures.
Onboarding the service: Get it right from the start
Set a valid purpose for the service
When you start using the ABAX service, you must remember to implement it correctly to make sure you comply with privacy regulations. This means that your company must have a valid lawful basis for processing data, pursuant to the General Data Protection Regulation (GDPR), Article 6 (a)–(f), which reads:
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
(c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Within the different ABAX domains, the following suggested purposes may be relevant for our customers.
SUGGESTED PURPOSES FOR THE ABAX SERVICE
Documentation for the tax authorities
ABAX Triplog is implemented to document the business use of vehicles in accordance with regulations issued by the tax authorities. For commercial vehicles, there will be ongoing documentation on all completed trips. Routines will be established to ensure compliance with current regulations.
Separate private and business trips for tax purposes
ABAX Triplog is used to separate private trips from business trips for tax purposes. Trip classification is performed by the driver, administrator and/or automatically by the system.
ABAX Triplog data can be used to help resolve customer queries and complaints. This should only be completed following a specific customer query, and only to resolve that particular query.
ABAX Triplog can be used to locate an employee if the employer has lost contact and suspects that an accident has occurred.
ABAX Triplog data can be used as a basis for billing customers for driving (time and mileage).
Incorrect time sheets
ABAX Triplog can be used if there is concrete suspicion that a time sheet is incorrect. The employee in question shall have the opportunity to be present during the check, and shall also be offered assistance from an employee representative or other party.
Service follow up
ABAX Triplog data can be used to follow up vehicle service intervals. Service notifications can be issued by email or text message from the system.
ABAX Fleet Management tracks the current location of your vehicles. This can be used to direct the vehicle located closest to a job.
ABAX Fleet Management can show all trips driven on a specific day in the map. This can be used to optimise driving routes.
Reduce environmental impact
ABAX Driving Behaviour can score drivers on their driving behaviour. Higher driving scores reduce the environmental impact.
ABAX Driving Behaviour can be used to mentor your drivers to drive more safely and more efficiently.
Improve driving standards
ABAX Driving Behaviour can be used to mentor your drivers to drive more safely and more efficiently and thereby reduce the number of incidents.
Reduce fleet-related costs
ABAX Driving Behaviour can help optimize driving performance to reduce fuel and servicing costs.
Track and trace
ABAX Equipment Control can be used to locate and recover lost equipment.
ABAX Equipment Control can be used to locate specific equipment for a specific job.
ABAX Equipment Control can log the usage of self-powered equipment. This data can be used to reduce over-use.
Invoicing of actual use
ABAX Equipment Control can log the usage of self-powered equipment. This data can be used by the owner to invoice the customer based on actual use.
Invoicing per use in an area
ABAX Equipment Control can log the usage of self-powered equipment in a specific area. This data can be used by the owner to invoice the customer based on hours in a project.
ABAX Equipment Control data can be used to follow up on equipment services. Service notifications can be issued by email or text message from the system.
Important to remember
When implementing a new service that has control measures, the authorities recommend that the company involve the employees at an early stage in the process. (Typically a trustee would be a great fit for this involvement.)
The company administration should arrange a meeting with the trustee and/or other relevant staff in the company to discuss the different control measures a service like ABAX will track.
In addition, the company must state the purpose of the control measure, the possible consequences a measure can have (e.g. how the technology works, and what data is measured and reported to the administrator) and for how long the control measure will last (normally a contract period).
The information can be given orally or in writing to the employees. In some cases the company may hold an information meeting to ensure that all employees are informed and to receive input from the employees.
It is up to our customers to specify a purpose for processing that best fits their business. The suggested purposes are only suggestions; our customers may specify other purposes that better fit their requirements. According to the Working Environment Act, it is recommended that the employees are involved when implementing the ABAX services, for a smooth onboarding for the entire company.
Each purpose must comply with a lawful basis stated in the GDPR (Article 6 (a)–(f)). The following key points are relevant for our customers when specifying the purpose(s) and the legal basis for processing data:
- You must have a valid lawful basis in order to process personal data.
- There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others. Which basis is most appropriate to use will depend on your purpose and your relationship with the data subject.
- Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you have no lawful basis.
- You must determine your lawful basis before you begin processing, and you should document it. We have an interactive tool to help you.
- Make sure you get it right first time – you should not specify a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.
- Your privacy notice should include your lawful basis for processing as well as the purpose(s) for processing data.
- If your purpose changes, you may be able to continue processing under the original lawful basis if the new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
- If you are processing a special category of data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
- If you are processing criminal conviction data or data about offences, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
Can I use the data in the system to do whatever I want?
When implementing the ABAX service, you must specify exactly what you want to use the data for. You cannot use the data and information you have available in any way other than for the specified purpose.
If you change the purpose or specify an additional one, you must hold another meeting with the trustee/relevant employee and ensure that all employees are informed accordingly. Of course, the new purpose must be valid and have a clear connection to the legal basis in GDPR.
The company must communicate a purpose that describes exactly what the personal data shall be used for, not what it can be used for. In other words, the purpose must be specified and communicated, and should not be too broad or vague. The specified purpose determines what the personal data will be used for. Using personal data for purposes other than that specified constitutes a violation of the privacy regulations.
Data protection impact assessments (DPIA)
The Data Inspectorate states: An assessment of privacy consequences (Data Protection Impact Assessment - DPIA) shall ensure that the privacy of those registered in the solution is safeguarded. This is a duty under the new privacy regulations. Article 35 defines when it is required to make a DPIA, what it should contain and who should implement it.
Customers who introduce ABAX in their company must consider whether an assessment of privacy consequences should be completed. Some examples that require a DPIA include:
- The processing of location data in conjunction with at least one other criterion
- A systematic compilation of the data subject's location and traffic data from telecom operators or the processing of personal data about the subscriber's use of the telecommunications network or the telecom operator's services. (Highly personal information and systematic monitoring.)
- The processing of location data in combination with an employee group.
If unsure, the Data Inspectorate defines on its website which processing activities always require a DPIA.
Guidance on how to perform a DPIA can be found here.
GDPR in our Technology
Termination and deletion
Termination that results in deletion applies to data belonging to customers who terminate their contract and who have not purchased Data Storage. Data Storage is a product the customer can buy; by purchasing this storage, we guarantee that we keep the customer's data in safe storage after termination of the contract. Deletion of data can be triggered for all data within the customer contract, or triggered by a single user/driver within the customer. When a single user/driver requests deletion, only the data linked to this specific user/driver will be deleted. The deletion for a single user is triggered through “Privacy Assistant” (ref. Figure 2). The user specifies what kind of data to delete by filling out a form (companies can create a template form to ease the process for the users). When a customer contract is terminated, all data linked to all their users/drivers will be deleted.
As an extra quality check, we create a “wash list” containing all customers to delete. This list goes through a confirmation check where we remove customers from the list that for some reason should not be deleted (renewal of contract, etc.).
When we receive a deletion request, data should be deleted within 30 days. This applies for both customer deletion and single user deletion.
When deletion starts, we use a specific service that issues commands to all our services in different domains. The commands will trigger deletion of data that can be linked to a person (privacy data) in all domains for the current customer or user.
Before deletion, we extract possibly valuable data points and run these through our data lake. Through our data lake routines, we anonymize the data so that it cannot be traced back to any customer or user. The plan for the future is to automate the data lake so that data is anonymized as we receive it from the tracking units. Anonymized data is kept for analytical purposes even if a deletion is requested (ref. Anonymization).
Figure 2 - Termination Deletion Process