Introduction

Privacy-enhancing technologies (PETs) are technologies that support fundamental data protection principles by minimising the use of personal information and maximising information security. We have called for organisations to use PETs, 1 supporting this recommendation through our guidance, 2 case studies 3 and continued efforts to drive responsible adoption of PETs for safe data sharing. 4 Despite these efforts, PETs adoption remains low.

On 20 February 2024, we held an in-person workshop to gain a deeper understanding of the barriers to adoption that exist for both suppliers and users of PETs. We also wanted to identify potential solutions. This report presents a summary of findings from the workshop, key actions for us and recommendations for relevant stakeholders to increase responsible PETs adoption. This work is the culmination of a wider policy project aimed at increasing the adoption of PETs.

This report is intended for a wider audience of PETs developers and the sectors that were represented at the workshop. This report is particularly relevant if you belong to:

  • an organisation in the public or private sector with data sharing requirements or objectives, facing barriers which using PETs may solve;
  • an organisation that develops PETs;
  • an organisation which is already deploying or exploring whether to deploy PETs;
  • a technology training provider and certification body;
  • a UK regulator, eg DRCF regulators 5; or
  • a data protection regulator in another country.

We encourage PETs stakeholders to engage with the recommendations provided in this report to help stimulate responsible PETs adoption.

Report outline

The report contains three main sections.

Section one presents our research on the barriers to PETs adoption and our reasoning for convening the workshop to explore potential solutions.

Section two discusses the barriers to the adoption identified by participants throughout the workshop and anonymised survey responses.

Section three provides a set of recommendations from workshop participants to overcome barriers in adopting PETs. These recommendations are structured according to the groups and organisations they target. We also discuss the work we will be doing to address these challenges.

In this report, we collectively refer to the organisations that have an interest in deploying PETs as “data sharers” and organisations that develop PETs as a product or service as “technology providers”.

Our work on driving responsible PETs adoption

The uptake of PETs across multiple sectors remains low, despite the work on PETs undertaken by us and other relevant organisations. We recognise that adoption is not straightforward and that there are many factors that may prevent organisations from deploying PETs. As such, we initiated a review to help us better understand how these barriers to adoption materialise and how we may reasonably assist organisations on their PETs adoption journey.

Our research identified several barriers which prevent organisations from being able to deploy PETs, which include:

  • a general limited awareness of PETs;
  • inconsistent definitions and taxonomy of PETs;
  • inadequate understanding of the risks and benefits;
  • lack of technical expertise;
  • lack of evidence around the use cases;
  • uncertainty on the maturity of PETs to support their widespread use;
  • unclear costs and benefits associated with PETs;
  • complex pricing when bundling PETs products and supplementary services; and
  • regulatory uncertainty around the use of PETs for compliance.

One of the most significant barriers identified was the different levels of available information between the supply and demand sides of the PETs market. This issue can lead to the parties procuring PETs on behalf of their organisation not sharing relevant information with the other parties. This problem is called information asymmetry. 6

These issues have led to a risk-averse approach to PETs adoption, particularly in their use for compliance with data protection law.

Our findings supported our decision to host a workshop to test perceptions of PETs adoption challenges and brainstorm solutions to help overcome them. The workshop was attended by representatives from public and private sector organisations with an interest in deploying PETs and representatives from the organisations that develop PETs as a product or service.

Participant views on PETs adoption challenges

A key objective of our workshop was to learn how data sharers and technology providers differed in their understanding of PETs. Our pre-event survey revealed that data sharers, particularly those in the public sector, had significant knowledge gaps in comparison with technology providers.

There was a general consensus from participants that adoption should be higher than currently perceived. Attendees agreed that the adoption of PETs faces several barriers, including:

  • a lack of understanding within organisations, which hampers internal buy-in and requires compelling use cases and clear value propositions;
  • insufficient understanding by technology providers of the deployment environments for their products;
  • uncertainty on how to assess the cost-benefit trade-off of using PETs;
  • a lack of resources, including expertise, which are root causes of failures to secure buy-in;
  • concerns regarding the maturity of the PETs market; and
  • a lack of regulatory clarity, particularly on assessing the status of data when using PETs.

We explore these issues in further detail below.

A lack of understanding on the costs against benefits of PETs

Data sharers highlighted the need for information and resources that they could use to secure internal buy-in.

More information is needed for SLT to adopt this tech across the business.

We need compelling use cases […] that add value to the business.

How do we better sell the value proposition of PETs to the entire business?

Data sharers indicated that they are generally reluctant to adopt PETs due to the absence of immediate revenue gains, associated costs of implementing PETs and the current lack of regulatory pressure compelling their use.

The lack of return on investment from PETs for use in public services was cited as a significant barrier. Participants noted that quantifying the value for money of implementing PETs within processes is challenging and seen as a barrier to adoption.

A lack of understanding of how PETs integrate into complex systems

Data sharers noted that technology providers need to better understand complex deployment environments that may present specific challenges. Participants also highlighted a need for greater understanding of PETs as part of a broader data governance framework, rather than PETs as a standalone technological solution.

The use of PETs needs to be planned from the outset and highly integrated in order to realise both the business benefit and the intended privacy outcome. It is useful to distinguish between privacy-enhanced services (which often use a combination of PETs and perform data processing operations on behalf of the customers) and the PETs themselves (which are technological additions to an organisation's internal technology stack).

Cost, resource and expertise

Data sharers identified cost and a lack of expertise as a root cause of failures to secure buy-in within an organisation to integrate PETs into existing data sharing. Uncertainty about the costs of PETs products was seen as a significant issue, both in terms of upfront procurement and ongoing costs associated with maintenance of the service.

Data sharers voiced concerns that costly in-house multidisciplinary teams (legal, finance, technical etc) are needed to present a compelling internal business case to senior colleagues and budget holders.

Market maturity

Data sharers widely agreed that the PETs market needed to mature further to enable widespread adoption.

It was great to understand how it works in practice with the examples and learn from the other participants. However, now understanding the immaturity in the market, I may have more hesitation in pushing these solutions until further clarity is provided.

Legal uncertainty

There was misunderstanding from some participants about choosing an appropriate legal basis for sharing personal information via PETs.

Participants reflected that organisations often wanted to avoid designation as a controller because it entailed greater responsibility, and that assigning the appropriate designation can be challenging due to the complexities of PETs.

Challenges around assessing identifiability of data when using PETs were a common issue raised by participants. Developers focused on the ability of their PETs products to anonymise or reduce identifiability, in order to reduce or remove compliance requirements. However, data sharers often required re-identification (eg in patient care) and broadly described PETs as an enhancement to their existing data governance, as opposed to a means to avoid compliance responsibilities.

Actions and recommendations to address barriers to adoption

Workshop participants identified clear actions and recommendations to help mitigate the barriers to adoption discussed in this report. This section presents these recommendations in more detail.

The ICO

The ICO has been a leading advocate for the adoption of PETs. Our PETs guidance, a world-first for a data protection authority, provides organisations with much needed clarity on how PETs help enable data protection compliance. Our PETs case studies demonstrate how organisations can use PETs to fulfil a variety of purposes.

In addition to our existing efforts in supporting PETs, participants asked for the ICO to provide further regulatory clarity on their use. This included:

  • integrating our PETs guidance into other guidance products, eg to reduce risks to people in AI use cases;
  • publishing further case studies to demonstrate best practice for potential adopters;
  • contributing to the development of standards and accreditations for PETs with relevant stakeholders; and
  • clarifying when PETs can provide effective anonymisation and pseudonymisation.

As the UK’s data protection regulator, we are committed to providing regulatory clarity on the appropriateness of PETs to implement the data protection principles effectively and safeguard people’s rights when sharing personal information.

We will integrate the recently-published PETs guidance into other relevant guidance products to show how they aid data protection compliance.

We are committed to working with relevant stakeholders to identify opportunities for developing certification schemes as a way for PETs solutions to demonstrate compliance.

We have already published several case studies, 7 and we are committed to publishing a case study for each of the PETs currently featured in our guidance. 8 We encourage other organisations to continue to publish high quality case studies. 9

We will be providing further clarity on the use of PETs as a way to anonymise personal information in the upcoming anonymisation guidance.

Recommendations for other stakeholders

Participants also provided numerous recommendations for other groups and organisations. We present these here for the benefit of a wider audience. The recommendations below do not reflect ICO policy.

Recommendations for the PETs industry

  • In order to ensure that data sharing solutions can effectively integrate PETs, technology providers should work closely with data sharers to develop solutions which integrate seamlessly with legacy systems.
  • Technology providers should offer clear information on how their products provide compliance and risk mitigation from a technical standpoint.
  • Technology providers should ensure that pricing for their solutions is clear and straightforward to understand for potential customers.

Recommendations for government departments

  • Organisations considering PETs need effective tools for evaluating the costs and associated benefits in order to make a strong business case for their use. We recently published a blog, alongside the Responsible Technology Adoption Unit (RTAU), on assessing cost benefits for federated learning. Further guidance to assist with cost benefits analysis for various PETs will follow later in 2024.
  • Public sector bodies require effective decision-making tools to assess whether PETs are suitable for their use cases. Tools should consider factors such as data sensitivity, data protection requirements and technical feasibility. The UK Government could work with the ICO to leverage existing guidance from the Data Standards Agency and the RTAU’s PETs adoption guide to assist the public sector in decision-making.
  • Public sector organisations are constrained in their ability to procure new tools by public procurement processes. Government procurement options could ensure a wider choice of technology providers for PETs, appropriate for meeting public sector requirements.

Recommendations for funding bodies

  • In order to move beyond the tipping point for PETs adoption, early adopters are needed first. Funding bodies should consider backing pilot projects within specific sectors to serve as a proof of concept and encourage broader adoption. The US-UK PETs prize challenge is a successful example of how PETs providers can collaborate with the public and private sectors.

Recommendations for organisations who want to share data

  • Organisations should work with the PETs industry and standards bodies to identify opportunities and requirements for certification schemes to demonstrate compliance. We welcome proposals for appropriate certification schemes leveraging PETs. 10
  • Public sector organisations should engage with private sector organisations with experience of successfully deploying PETs. Sharing knowledge and experiences can help to address the issue of information asymmetries.
  • Organisations needing further advice on data protection compliance using PETs should consider using services provided by the ICO. For example, our Sandbox 11 and Innovation Advice Service 12 can help organisations to understand how innovative solutions utilising PETs can help provide data protection compliance.

Recommendations for sector-specific bodies

  • Industry bodies responsible for governance over a specific sector should provide further guidance on effective governance measures for PETs in their sector.
  • Industry bodies should work closely with data sharing organisations to identify replicable solutions that would benefit from certification schemes under the UK GDPR. These schemes can provide regulatory assurance for PETs solutions. 13

Recommendations for other regulators

  • Data protection authorities from other jurisdictions should provide further guidance and clear incentives on the use of PETs for data protection compliance. This includes their suitability for international transfers and their applicability as anonymisation and pseudonymisation techniques.
  • The ICO Sandbox and the Singapore (IMDA) sandbox have demonstrated the value of sandboxes for exploring how PETs-based solutions interact with data protection and other relevant legislation. Data protection authorities and regulators should increase the availability of sandboxes for PETs to test deployment.

Recommendations for training and certification bodies

  • Training and certification providers should collaborate with the PETs industry and customers to identify key skills gaps and incorporate PETs into their curriculum. Training should be both accessible and affordable to a wide range of sectors.

Appendix – selection process and participants

Over 30 representatives took part in our workshop (see below for a full list). All quotes and contributions in this report were anonymised, as this enabled a more open discussion.

Attendees were chosen via an open application process, in which we selected participants across a range of sectors and developers. The workshop also included people from intermediary organisations with in-depth expertise, including RTAU (formerly CDEI), and consultancy and legal firms with expertise in the area of PETs.

  • Benjamin Moore – Responsible Technology Adoption Unit (formerly Centre for Data Ethics and Innovation)
  • Caroline Parks – Expedia Group
  • Chris Watts – Numbereight AI
  • Claire Clements – NHS
  • Daniel Pike – Covatic
  • Dylan Summers – Lloyds
  • Georgi Ganev – Hazy.com
  • Ian Redman – MBWW
  • James Wiggins – Honda EU
  • John Lawson – NHS Wales
  • Julie Varcoecocks – Serco
  • Kara Kelly – Deloitte
  • Kate McBay – Research Data Scotland
  • Kuan Hon – Dentons
  • Laura Robbins – Essex Police
  • Lorayne Liebel – Flo Health
  • Luk Arbuckle – Privacy Analytics
  • Manuel Capel – Inpher
  • Mattia Fosci – Anonymised IO
  • Maurice Coyle – Truata
  • Nick New – Optalysys
  • Odvar Bjerkholt – BT
  • Robert Pisarczyk – Oblivious
  • Ronen Cohen – Duality Tech
  • Rosie Nance – Norton Rose Fulbright
  • Santiago Zanella-Beguelin – Microsoft
  • Sarasi Randombage – HSBC
  • Simon Crane – DHSC
  • Simone Mangiante – Vodafone
  • Sussie Anie – Responsible Technology Adoption Unit (formerly Centre for Data Ethics and Innovation)
  • Susy Ralph – City of London School
  • Vanessa Cocca – Aindo
  • Wendy Butcher – The National Police Freedom of Information and Data Protection Unit
  • Zoher Kapacee – HRA

1 ICO. ICO urges organisations to harness the power of data safely by using privacy enhancing technologies.

2 ICO. Privacy-enhancing technologies (PETs).

3 ICO. Case studies on pseudonymisation and anonymisation techniques and privacy enhancing technologies.

4 ICO. Workshop of privacy enhancing technologies.

5 DRCF. About the DRCF.

6 The Economist. What is information asymmetry?

7 ICO. Case studies on pseudonymisation and anonymisation techniques and privacy enhancing technologies.

8 ICO. G7 DPAs' Emerging Technologies Working Group use case study on privacy enhancing technologies.

9 For example: ODI. PETs in Practice.

10 For example, UK GDPR Certifications.

11 ICO. Regulatory Sandbox.

12 ICO. Innovation advice service.

13 ICO. Certification schemes.