According to the Norwegian data protection authority (DPA), Datatilsynet, an organization could have avoided a hefty GDPR fine if it had used synthetic instead of real data for software testing.
The Norwegian Confederation of Sport was fined the equivalent of US$140,000 (EUR 125,000) after it tested a solution that involved moving a large database from a physical server to the cloud using real people’s data and, in error, exposed the personal information of 3.2 million Norwegians, including close to ½ million children. The personal information, which was available online for 87 days, included gender, date of birth, contact information and association affiliation.
In its report, the DPA strongly recommended using “fictitious data” (synthetic data) for this kind of testing, or using a smaller quantity of personal information, as security measures that would significantly mitigate the risks involved.
When the Global Privacy Assembly, which brings together DPAs from all over the world, met in October, I was invited to join a panel that explored innovations in data sharing, including synthetic data. This latest Norwegian case is yet another positive indication that the DPA community is becoming increasingly interested in and aware of synthetic data as a practical privacy-enhancing technology.
The case brings to life recent predictions by Gartner that synthetic data will reduce the risk of privacy breaches and help organizations avoid sanctions for privacy violations. It is a clear warning to those who continue to use real data for software testing, and a reminder that synthetic data can also be used to amplify smaller data sets, so that testing respects the data-minimization principle.
You can read a summary of the Datatilsynet report here (in English) and the full report here (in Norwegian only).