Rabobank, IBM aim to use cryptographic pseudonyms for GDPR

Discussion in 'privacy technology' started by ronjor, Apr 5, 2018.

  1. ronjor

    ronjor Global Moderator

  2. mirimir

    mirimir Registered Member

    OK, I'm confused.

    Rabobank obviously knows who its users are. I mean, it's a bank. And there are laws about knowing who account holders are.

    So this apparently replaces actual with pseudonymous data in some contexts. For transmission through the Internet, I gather. So MitM attacks wouldn't reveal actual account information. But what about data stored by Rabobank? Maybe there's a less secure database that contains only pseudonymous data. But the real data must also be stored somewhere. And isn't that real data still subject to GDPR?
     
  3. deBoetie

    deBoetie Registered Member

    Answer - yes. This seems a bit like attempts at health-data anonymisation, ultimately you have to have a lookup which allows interrogation of the real data and the real person - and how do you keep that safe? I think this is more like a defence that you are following industry best practices (actually well exceeding them), in keeping the data as safe as possible.

    The reality is that encrypted databases are not a solved problem, particularly if you want search to be possible (you do!).

    Personally, I think you're better off with operational and audit controls, and application level firewalls to ensure that exfiltration is not going to be bulk datasets (minimising any loss), and that there is an audit trail back to the user (with cryptographic access controls). The industry "problem" is that this takes money and time and there is little incentive to do so. Even with the banks, you just have to be better than the run-of-the-mill dreadful.
     