Brand protection through track&trace? Beware of personal data protection

In three months from today , new European legislation about personal data protection will become effective. The companies will spend billions of euros on new rules implementations. At the same time, jobs for thousands of experts and consultants will be created. Media are already overflown with GDPR articles. It is not our ambition to produce even more such articles. Therefore we start with only a very brief introduction.

GDPR is based on the assumption that every person is the absolute owner of his/her body and also should be the absolute owner of all records about him/her. Recording and saving information about somebody is considered intervention into his/her privacy, even if he/she does not know about it. We have the right to information what data about us are created and stored. We have the right to access this data, the right of rectification, right to erasure, to object to processing, to restrict processing etc. On the other hand, the companies need to continue their work (law enforcement agencies are not obliged by GDPR). Issues of everyday business, such as invoice or guarantee certificate include name and contact of a particular client, e.g. personal data protected by the regulation.

This complicated situation and many conflicting requirements result in sophisticated rules backed by nightmarish fines of thousand million euros. In many cases, it is still not clear what exactly will be enforced by national data protection bodies. It is entirely possible that at the beginning they will be quite soft and then harden step by step. Because GDPR enforcement will include non-profits that can act on behalf of people even without their consent, it can be expected that they will be motivated to move border further and further. Powerful screwing machine will thus be created.

Some areas are already evident, such as lists of customers. However, other areas are still uncertain or neglected, such as brand protection through trace&track systems. There are several ways of trace&track implementation. Packaging is often equipped with a bar code, QR code, serial number, RFID etc. All relevant information about product life is saved into the information system. A user can get a code with a reader and learn everything about the product – date of production, who it was sold to, what storehouse it was delivered to, information about later reselling, repairs, inspections… It may also happen that the product is missing in the system, which indicates troubles and risk of fake.

Track&Trace systems have some weak points, including the risk of copying codes and information systems access. They can be discussed elsewhere. Instead, we warn that in some situations personal data protection can be applied to track&trace systems. How is it possible? One of the key concepts of personal data protection is „pseudo-anonymisation“ meaning that data cannot be assigned to a person (thus cannot be considered personal data) but can become personal data after connecting with other information.

For an explanation of this principle, let us look at brand protection trace&track system for drugs, luxury watches, appliances or anything else. There is no information about people in the system. Therefore no personal data needs to be protected. However, a record who purchased what product, such as invoice or guarantee certificate, is stored somewhere else. Combination of this data sources can show many things about particular people. It is pseudo-anonymisation. Data with a potential to become personal data.

Brand protection may be a legitimate justification for personal data acquiring and storing but not always. GDPR includes the principle of „proportionality.“ Saving drugs or very expensive products may be the right justification but not anti-counterfeit protection of item for a few bucks.

In short-term view, it means that track&track systems need to be included in data protection impact analysis and their cybersecurity is critical.

In the long-term view, it is a strong argument for a move from track&trace to anti-counterfeit protection „a la banknote.“ Holding a banknote, you can identify authenticity or at least spot suspicious attributes and ask an expert. You need not know the history of the banknote. It is not important who owned this banknote and what he spent it for. Such way of protection is much more demanding regarding technology applied but can work well.

Optaglio covers both directions of brand protection with its anti-counterfeit portfolio.

For track&trace systems it delivers:

  • Numbered holograms
  • Comprehensive solution Optaglio OVImage for identification of individual products /documents /ID cards. It is based on unique (random) distribution of microholograms in a selected part of the item.

For protection through adding unimitable element it delivers:

Optaglio´s experts also design overall architecture of anti-counterfeit protection corresponding to the value of the protected item, the way of its using and customer expectations.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s