Guide
Levels of data-sharing risk mitigation
If personal data is involved in a collaborative solution, then usually (processed) personal data will also need to leave the premises in some form. PETs generally handle this data in some encrypted or aggregated form that greatly reduces the risk of data subject identification and data breaches. They therefore also contribute to meeting the obligation to take sufficient technical measures to prevent personal data security breaches.
PETs ensure varying levels of risk mitigation. Some technologies provide mathematical guarantees of the security that they provide and the types of attacks that they protect against. Some PETs provide protection in many scenarios, others in only a few. Often, however, it is hard to provide formal, generic guarantees, and an assessment should be conducted for the specific challenge at hand. It is important to be aware of these differences from both a technical and a legal perspective; if one PET does not meet your constraints, there might be another one that does. In the legal assessment, too, it is important to be aware of the security scenarios and of the fact that PETs provide different levels of protection.
To get a better feel for the security scenarios, please refer to Appendix B and Appendix C.
Unfortunately, as the security requirements grow, the pool of feasible technologies shrinks. If your solution requires data sharing in, e.g., an aggressive, competitive environment, it might be that only a few PETs satisfy your criteria. In that case it may help to explore various routes: stronger PETs, in combination with organisational measures or legal agreements that mitigate part of the risks. Perhaps a slight alteration to your proposed solution results in the exchange of less sensitive information (e.g., computations performed by another party). In the end, risks can be mitigated in various ways, and keeping a wider view of the possibilities helps in finding the best solution to your challenge.