One of the EU Commission’s stated aims in drafting the General Data Protection Regulation was to update and modernise the EU data protection regime to account for new kinds of potentially identifying information. In today’s digital world, GDPR asks questions about the nature of personal data and whether it can anonymised?
So what is pseudonymisation?
The GDPR defines pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” To pseudonymise a data set, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.” In short, it is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data to ensure non-attribution.
So what is it not?
The GDPR for the first time introduces the concept of “data protection by design” as a legal requirement. Data protection by design means that privacy should be a feature of the development of a product or solution, rather than something that is added on as a feature. The GDPR requires controllers to implement appropriate safeguards “both at the time of the determination of the means for processing and at the time of the processing itself.” One way that controllers can do this is by pseudonymising personal data. Therefore, data controllers can use pseudonymisation to help meet the GDPR’s data security requirements. From a systems perspective, controllers are required to implement risk-based measures for protecting data security.
Pseudonymous data IS NOT ANONYMOUS by default!
Just because data is pseudonymous it does not mean that the data is anonymous. Ira and Woodrow have explained in their research paper that “true anonymization” is a myth at best or very difficult to achieve. If your data can in any shape or form, combined with other data sets, lead to the identification of the individual, then your data is subject to GDPR. To help you address this issue, the GDPR adopts a flexible approach than the traditional black and white stance taken by the ICO and focuses on the risk that data will reveal identifiable individuals. Thus, the key distinction between pseudonymous data, which is regulated by the GDPR, and anonymous data, which is not, is whether the data can be re-identified with reasonable effort.
So, remember, pseudonymised data is not by default anonymous if that data can be used in conjunction with other data sets to identify an individual.
Here’s where we can help:
Totale Learning create bespoke GDPR solutions (consultation, training and development, etc.) that is tailor made to your business. Our experienced consultants will help you through your GDPR process and when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.