Date
May 18, 2021
 
Written by
Gary LaFever

10 TRUTHS ABOUT GDPR PSEUDONYMISATION

Few concepts within the GDPR are as misunderstood as Pseudonymisation.[1] For example, despite common belief to the contrary, the benefits of GDPR-compliant Pseudonymisation extend well beyond preventing unauthorised use of personal data. It is also a very effective means of achieving data-driven business goals, often working better than anonymisation. For example, the EDPB highlighted GDPR-compliant Pseudonymisation as a means of complying with Schrems II requirements for the lawful transfer and processing of personal data.[2]

Steffen Weiss, legal counsel at the German Association for Data Protection and Data Security[3], and Gary LaFever, CEO and General Counsel at Anonos, recorded a video discussing how Pseudonymisation helps to achieve various objectives, including lawful international data transfers. Here are the ten truths they discussed regarding what Pseudonymisation is (and is not) and how it enables you to achieve GDPR compliance and derive business benefits.



TRUTH #1: GDPR PSEUDONYMISATION IS NOT THE SAME AS ANONYMISATION

Whereas anonymisation requires that the data is deidentified irreversibly and even the data controller itself cannot re-link the data to individuals,[4] GDPR-compliant Pseudonymisation can be achieved if the data cannot be re-linked to a specific individual without combining it with additional information that is kept separately.[5]


TRUTH #2: GDPR PSEUDONYMISATION IS A HIGHER STANDARD THAN PRE-GDPR PSEUDONYMISATION

Contrary to prior legal regimes[6] where replacing the direct identifiers such as names, social security numbers, and addresses with pseudonym tokens were sufficient, GDPR sets a higher standard for Pseudonymisation because:

  • Organisations must demonstrate that re-linking to individuals is not possible without additional information, and this information is kept separately.
  • Organisations should implement necessary safeguards to prevent “unauthorised reversal of Pseudonymisation”[7] without access to this additional information, including advanced organisational and technical controls.

TRUTH #3: GDPR PSEUDONYMISATION IS NOT FAILED ANONYMISATION

Some organisations have the misconception that if they aim for anonymisation of personal data and fail, they will somehow achieve the Pseudonymisation of data along the way as it is a lower threshold compared to anonymisation.

However, Pseudonymisation can be easily more complex to implement successfully than anonymisation because it requires an envisioned plan to re-link personal data using separately stored additional information later on by the data controller. Furthermore, the requirement to implement necessary safeguards such as encryption or hashing of Pseudonymisation keys to prevent reversal of Pseudonymisation adds to the sophistication of the solution.


TRUTH #4: GDPR PSEUDONYMISATION REQUIRES PROTECTION OF MORE THAN DIRECT IDENTIFIERS

In addition to direct identifiers such as names, phone numbers, or e-mail addresses, indirect identifiers such as tax ID, insurance numbers, content data, and information related to characteristics and behaviour will also have to be Pseudonymised because they may easily enable the identification of specific individuals.


TRUTH #5: GDPR PSEUDONYMISATION PROVIDES MORE VALUE THAN ANONYMISATION

Anonymising personal data to escape the requirements of the GDPR is “too cheap a trick” for innovative organisations because anonymisation is highly unlikely to be achieved in the current Big Data landscape. Proper anonymisation also reduces the business value of personal data.

GDPR Pseudonymisation, on the other hand, involves the use of sophisticated controls without compromising the value of personal data. For example, in clinical trials, the Pseudonymisation of patient data enables the assessment of blood samples effectively in a privacy-preserving manner.


TRUTH #6: GDPR PSEUDONYMISATION REQUIRES DYNAMISM

The use of persistent (or static unchanging) tokens for attempted pseudonymisation exposes organisations to higher risks because unauthorised third parties can more easily re-link obscured data values within and between data sets due to the mosaic effect.[8]

To implement Pseudonymisation in a GDPR-compliant way, organisations should assign different tokens to each direct and indirect identifier for different purposes and for different times and even for different parties, to whom the data is transferred.

The proper use of dynamic tokens eliminates the risk of re-identification without the use of additional information; achieving GDPR compliance.


TRUTH #7: GDPR PSEUDONYMISATION HELPS SATISFY SCHREMS II REQUIREMENTS FOR TECHNICAL SUPPLEMENTARY MEASURES

The risk of identifying EU data subjects by US authorities was one of the main reasons behind the invalidation of Privacy Shield in Schrems II.[9] As a result, data controllers have to implement supplementary measures to ensure an equivalent level of protection for lawful data transfer.

When implemented correctly, GDPR-compliant Pseudonymisation of personal data ensures that only the data controller can re-link the data to specific individuals with exclusive access to additional information and that unauthorised third parties cannot re-identify individuals.


TRUTH #8: GDPR PSEUDONYMISATION ENABLES EU-BASED REDRESS FOR FAILURE TO PROPERLY PSEUDONYMISE DATA

 Under GDPR, if there is a breach in user privacy arising out of improperly Pseudonymised data, EU subjects have access to legal recourse within the jurisdiction of the EU, without having to rely on legal mechanisms outside of the EU for redress.


TRUTH #9: GDPR PSEUDONYMISATION IS AN EXAMPLE OF DISTRIBUTED TRUST CONTROLS TO ENABLE TRUSTED DATA

We live in a data economy where cross-border sharing of personal data across all industries with numerous stakeholders such as intermediaries, cloud providers, and controllers is ubiquitous.

GDPR-compliant Pseudonymisation can play a crucial role in streamlining the flow of personal data across different stakeholders. For example, Pseudonymisation can enable reliance on legitimate interests under GDPR to enable lawful secondary processing for analytics, AI and ML, and compliant sharing and combining of personal data.


TRUTH #10: GDPR PSEUDONYMISATION ENABLES MANY STATUTORY BENEFITS

There is more to the Pseudonymisation of personal data than just achieving data security.

GDPR statutory benefits of compliant Pseudonymisation include:

●     Transferring personal data to third countries (including secondary processing in US-operated clouds) in compliance with Schrems II thanks to effective technical supplementary measure;

●     Relying on Legitimate Interests ground under article 6 of the GDPR as Pseudonymisation protects interests of data subjects and tip the balance in favour of the data controller for desired processing;

●     Enables further processing of personal data for compliant analytics, AI and ML.

Pseudonymisation can not only help data controllers comply with GDPR regulations, but it can also enable a host of GDPR statutory benefits such as:

i. Tip the balance in favour of Legitimate Interests processing (GDPR Articles 5(1)(a) and 6(1)(f) and WP 217)

ii. Allow more flexible change of purpose (GDPR Article 5(1)(b) and WP 203)

iii. Allow more expansive data minimisation (GDPR Articles 5(1)(c) and 89(1))

iv. Allow more flexible storage limitation (GDPR Articles 5(1)(e) and 89(1))

v. Provide enhanced security (GDPR Articles 5(1)(f) and 32)

vi. Facilitate more expansive further processing (GDPR Article 6(4) and WP 217)

vii. Allow more flexible profiling (WP 251 rev.01 - Annex 1 and GDPR Recital 71 and Article 22

viii. Allow lawful sharing and combining of data (GDPR Recitals 42 and 43, Articles 11(2) and 12(2), and EDPB Guidelines 05/2020

INTERESTED IN LEARNING MORE ABOUT PSEUDONYMISATION UNDER THE GDPR?

Watch the complete video discussion between Steffen Weiss (GDD) and Gary LaFever (Anonos) at: https://www.anonos.com/top-ten-truths-about-gdpr-pseudonymisation

The EDPB recommends the use of Pseudonymisation (visit: www.Pseudonymisation.com) as an appropriate technical measure to protect data when in use, such as for transfer, processing, and analysis of data that is connected to the US (either through US-provided cloud companies or US-associated companies located in the EU). By following EDPB recommendations organisations can continue to transfer and process data, without facing the same consequences as Facebook.

GDPR-Pseudonymisation enables functional separation of information value (the reason the processing desired) from identity so that the two can be controllably processed separately and combined only when/if required and lawfully permitted, with auditability of the process as well.

ANONOS WEBINAR COVERS EDPB GUIDELINES

The final guidance of the EDPB (which is expected to confirm their preliminary guidance) will be released shortly, and Anonos is offering a webinar to unpack this guidance and discuss the next steps. To pre-register for the webinar (the date and time of which will be announced as soon as final guidance comes out), click here: www.SchremsII.com/Webinar5

CONTACT ANONOS FOR TECHNICAL SUPPLEMENTARY MEASURES

To implement EDPB Guidelines such as GDPR-Pseudonymisation, contact Anonos to immediately set up the Quick Start software package for your organisation. The Quick Start package allows you to implement technology that delivers GDPR-compliant distributed trust controls. This package allows you to comply with Schrems II so that processing can continue. In addition, Anonos Variant Twin technology provides more than just protection and allows expansion of your typical use cases to enable greater use, accuracy, sharing and combining of data along your entire data value use chain.


[1] GDPR Article 4(5) defines Pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

[2] See EDPB Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data at paragraph 80.

[3] The German Association for Data Protection and Data Security (GDD or Gesellschaft für Datenschutz und Datensicherheit e.V.) was founded in 1976 and stands as a non-profit organization for practicable and effective data protection. The GDD interacts with government officials, data protection authorities, associations and privacy experts worldwide. See https://www.gdd.de/international/english

[4] The European Data Protection Supervisor (EDPS) and the Spanish Agencia Española de Protección de Datos (AEPD) jointly held that “anonymisation procedures must ensure that not even the data controller is capable of re-identifying the data holders in an anonymised file.” See https://edps.europa.eu/sites/edp/files/publication/19-10-30_aepd-edps_paper_hash_final_en.pdf. See also Anonymising Personal Data ‘Not Enough to Protect Privacy’, Shows New Study at https://www.imperial.ac.uk/news/192112/anonymising-personal-data-enough-protect-privacy/

[5] See Supra, Note 1

[6] Many people who believe they “know” about Pseudonymisation are only aware of the term as discussed in Opinion 05/2014 on Anonymisation techniques (“Opinion 05/2014”). This 2014 definition of Pseudonymisation does not match the new definitional requirements for GDPR-compliant Pseudonymisation under Article 4(5).

[7] See GDPR Recitals 75 and 85.

[8] See https://mosaiceffect.com.

[9] See Judgement of the Court of Justice of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS