By continuing to use our site, you consent to the processing of cookies, user data (location information, type and version of the OS, the type and version of the browser, the type of device and the resolution of its screen, the source of where the user came from, from which site or for what advertisement, language OS and Browser, which pages are opened and to which buttons the user presses, ip-address) for the purpose of site functioning, retargeting and statistical surveys and reviews. If you do not want your data to be processed, please leave the site.

Delivering on the Promise of Synthetic Data

Norwegian data protection authority strongly recommends synthetic data for software testing

Authored: Dr. Khaled El Emam

According to the Norwegian data protection authority (DPA), Datatilsynet, an organization could have avoided a hefty GDPR fine if it had used synthetic instead of real data for software testing.

The Norwegian Confederation of Sport was fined an equivalent of US 140,000 or EUR 125,000 when it tested a solution that involved moving a large database from a physical server to the cloud, using real people’s data and exposing in error the personal information of 3.2 million Norwegians, including close to ½ million children. The personal information, which was available online for 87 days, included gender, date of birth, contact information and association affiliation.

In its report, the DPA strongly recommended using “fictitious data” or synthetic data for this kind of testing or using a smaller quantity of personal information as security measures to significantly mitigate the risks involved.

When the Global Privacy Assembly, which brings together DPAs from all over the world, met in October, I was invited to join a panel that explored innovations in data sharing, including synthetic data. This latest Norwegian case is yet another positive indication that the DPA community is becoming increasingly interested in and aware of synthetic data as a practical privacy enhancing technology.

The case brings to life recent predictions by Gartner that synthetic data will reduce the risks of privacy breaches and help organizations avoid privacy violation sanctions. It offers a helpful warning signal to those who continue to use real data for software testing and serves as a reminder that synthetic data can also be used to amplify smaller data sets to respect minimization principles.

You can read a summary of the Datatilsynet report here (in English) and the full report here  (in Norwegian only).