DPO’s guide to Sarus

First, Sarus changes the paradigm: data never leaves its native environment. Instead, the queries are sent to the data for execution (a paradigm referred to as remote query execution). No more data copies, sharing or transfers are needed to get the insights from data! This means, the risk of a data breach or losing track of your data is mitigated.
Second, all query results are instantly rendered anonymous by Sarus: the data scientist never sees a piece of personal information!
This new approach allows to make any Analytics and AI workflow private-by-design.

No, working with Sarus’ privacy layer is based on the principle that, by default, no personal information is disclosed throughout all steps of Analytics or AI workflows.
However, a data owner can set an exception and allow to execute a specific computation  on the source data, which may lead to disclosure of a certain amount of personal information. Exceptions can be set up manually in the application, and Sarus provides guidelines on their use and associated risks.
Another case of disclosing some personal information would be a poor configuration of Sarus tools. We provide training and documentation to our clients to explain risks and best practices.

Sarus application is configured by default in a way that all the retrieved results are anonymous.
To reach this high standard, Sarus allows to retrieve only statistical and aggregate information. However, privacy research and real-word cases show that individuals can be re-identified using such statistical and aggregate information, in particular when it is combined with auxiliary information.
Sarus offers an additional layer of data protection to mitigate the risk of re-identification: Differential Privacy.
Differential Privacy is a rigorous mathematical definition of privacy that quantifies risk and provides a guarantee that no significant information related to a specific person can be distinguished in the query result. This allows to irreversibly prevent re-identification of individuals by singling out, linkability or inference, no matter what additional information an attacker may possess.
Sarus also makes available a fake (synthetic) dataset for each data project. Such synthetic dataset is also generated with Differential Privacy, and is therefore completely anonymous.
Although the definition of “anonymous information” may vary depending on the legislation, using Differential Privacy guarantees that no information related to a specific person can be found in the query result. Therefore, such a result satisfies even the most strict definition of “anonymous”.
Note that the data owner can allow to retrieve the query results produced without Differential Privacy, as an exception (see #2 above). In such a case, the data owner shall assess the corresponding risks and take decisions on a case-by-case basis. Sarus provides guidelines and training on the application configuration.

Sarus adopts a different approach to ensure privacy in Analytics & AI projects: never revealing source data and automatically protecting all outputs with Differential Privacy.
Such an approach allows to simplify compliance with GDPR, but also any other data protection regulation you may be subject to: CCPA, DPA 2018, PIPEDA, APPI, PDPB, etc.
Differential Privacy implementation allows to ensure that outputs meet the definition of “anonymous” under any regulation (see #2 above).This makes Sarus a perfect solution for global companies seeking a regulation-agnostic approach!

Once you identified the legitimate interest and justified that the processing is necessary to achieve the purpose, you have to balance your interests against data subjects’ rights and freedoms.
This is where Sarus can be extremely useful: remote query execution approach and query results protection by Differential Privacy ensure that no personal information is revealed throughout the processing. Data subject rights can be easily enforced (see #6 below).

Yes. Working with Sarus means no copies of data! It therefore simplifies the chase for DSR enforcement: in case of a rectification or erasure request, you just need to update the source database!
What about the results retrieved by data scientists?
All analytics and AI results are made anonymous with Sarus, all synthetic data generated in the Sarus application is anonymous, too. Therefore, your data subject rights can be easily enforced with no impact on the insight generated with Sarus.

Sarus software is installed on the data owner’s infrastructure, within the same environment where the data is located. The software is granted read-access to the selected data, to be able to process queries. Processing may happen either directly on the database or on the machine where the Sarus software is installed. The data is never copied outside of your secured infrastructure.

No, Sarus employees do not have access to the Sarus server, Sarus interface, nor to the source data. The application is installed on-premises and fully managed by the data owner. An access to Sarus servers or interface may be granted to Sarus employees to facilitate maintenance, but is optional.

Processing with Sarus requires involvement of at least two persons: application administrator who will set up the application, and data scientists who will send queries. Sometimes a person in charge of connecting data to Sarus may be involved, but these functions can also be performed by the application administrator.
The table below defines the Sarus application roles and corresponding risks: