10 Truths About GDPR Pseudonymisation

Written by Gary LaFever
May 18, 2021

Few concepts within the GDPR are as misunderstood as pseudonymisation.[1]

For example, despite common belief to the contrary, the benefits of GDPR-compliant pseudonymisation extend well beyond preventing unauthorized use of personal data. It is also a very effective means of achieving data-driven business goals, often working better than anonymisation.

In particular, the EDPB highlighted GDPR-compliant pseudonymisation as a means of complying with Schrems II requirements for the lawful transfer and processing of personal data.[2]

Steffen Weiss, legal counsel at the German Association for Data Protection and Data Security[3], and Gary LaFever, CEO and General Counsel at Anonos, recorded a video discussing how pseudonymisation helps to achieve various objectives, including lawful international data transfers.

Here are the ten truths they discussed regarding what pseudonymisation is (and is not) and how it enables you to achieve GDPR compliance and derive business benefits.



Truth #1: GDPR Pseudonymisation Is Not the Same as Anonymisation

Whereas anonymisation under GDPR requires that the data is deidentified irreversibly and even the data controller itself cannot re-link the data to individuals,[4] GDPR-compliant pseudonymisation can be achieved if the data cannot be re-linked to a specific individual without combining it with additional information that is kept separately.[5]


Truth #2: GDPR Pseudonymisation Is a Higher Standard Than Pre-GDPR Pseudonymisation

Contrary to prior legal regimes[6], where replacing direct identifiers such as names, social security numbers, and addresses with pseudonym tokens was sufficient, GDPR sets a higher standard for pseudonymisation because:

  • Organizations must demonstrate that re-linking to individuals is not possible without additional information, and that this information is kept separately.
  • Organizations should implement the necessary safeguards, including advanced organizational and technical controls, to prevent “unauthorized reversal of pseudonymisation”[7] without access to this additional information.

Truth #3: GDPR Pseudonymisation Is Not Failed Anonymisation

Some organizations have the misconception that if they aim for anonymisation of personal data and fail, they will somehow achieve the pseudonymisation of data along the way as it is a lower threshold compared to anonymisation.

However, pseudonymisation can easily be more complex to implement successfully than anonymisation, because it requires a plan, envisioned in advance, for the data controller to re-link the personal data later on using separately stored additional information.

Furthermore, the requirement to implement necessary safeguards such as encryption or hashing of pseudonymisation keys to prevent reversal of pseudonymisation adds to the sophistication of the solution.


Truth #4: GDPR Pseudonymisation Requires Protection of More Than Direct Identifiers

In addition to direct identifiers such as names, phone numbers, or e-mail addresses, indirect identifiers such as tax ID, insurance numbers, content data, and information related to characteristics and behavior will also have to be pseudonymised because they may easily enable the identification of specific individuals.


Truth #5: GDPR Pseudonymisation Provides More Value Than Anonymisation

Anonymising personal data to escape the requirements of the GDPR is “too cheap a trick” for innovative organizations because anonymisation is highly unlikely to be achieved in the current Big Data landscape. Proper anonymisation also reduces the business value of personal data.

GDPR pseudonymisation, on the other hand, involves the use of sophisticated controls without compromising the value of personal data. For example, in the healthcare industry (clinical trials), the pseudonymisation of patient data enables the effective assessment of blood samples in a privacy-preserving manner.


Truth #6: GDPR Pseudonymisation Requires Dynamism

The use of persistent (or static unchanging) tokens for attempted pseudonymisation exposes organizations to higher risks because unauthorized third parties can more easily re-link obscured data values within and between data sets due to the mosaic effect (a situation in which information in an individual dataset, in isolation, may not pose a risk of identifying an individual, but when combined with other available information could pose such a risk).

To implement pseudonymisation in a GDPR-compliant way, organizations should assign different tokens to each direct and indirect identifier for different purposes, at different times, and even for the different parties to whom the data is transferred.

The proper use of dynamic tokens eliminates the risk of re-identification without the use of the separately kept additional information, thereby achieving GDPR compliance.
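The following is an added illustration, not code from the original article or from Anonos, of the point made in Truths #2, #3 and #6: persistent tokens let a recipient join two independently released data sets (the mosaic effect), whereas purpose-specific keyed tokens do not, and re-linking is possible only for whoever holds the separately kept keys and lookup table. The records, purposes and the `DynamicPseudonymiser` helper are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people) from two separately released data sets.
MARKETING = [{"email": "alice@example.org", "segment": "A"},
             {"email": "bob@example.org", "segment": "B"}]
SUPPORT = [{"email": "alice@example.org", "ticket": "printer"},
           {"email": "bob@example.org", "ticket": "login"}]

def static_token(identifier):
    """Persistent token: the same input yields the same token in every release."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]

class DynamicPseudonymiser:
    """Issues purpose-specific tokens (hypothetical helper). The per-purpose keys and the
    lookup table are the 'additional information' that the controller keeps separately."""
    def __init__(self):
        self._keys = {}    # purpose -> secret key
        self._lookup = {}  # (purpose, token) -> original identifier

    def token(self, purpose, identifier):
        key = self._keys.setdefault(purpose, secrets.token_bytes(32))
        tok = hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[(purpose, tok)] = identifier
        return tok

    def relink(self, purpose, token):
        """Re-identification works only for the holder of the separately kept table."""
        return self._lookup.get((purpose, token))

def release(records, id_field, tokenise):
    """Replace the identifier column with a token before the data set leaves the controller."""
    return [{**{k: v for k, v in r.items() if k != id_field}, "id": tokenise(r[id_field])}
            for r in records]

def linkable_ids(a, b):
    """Mosaic-effect check: tokens shared by both releases let a recipient join them."""
    return {r["id"] for r in a} & {r["id"] for r in b}

def demo():
    static_join = linkable_ids(release(MARKETING, "email", static_token),
                               release(SUPPORT, "email", static_token))
    p = DynamicPseudonymiser()
    mkt = release(MARKETING, "email", lambda i: p.token("marketing", i))
    sup = release(SUPPORT, "email", lambda i: p.token("support", i))
    dynamic_join = linkable_ids(mkt, sup)
    # Only the controller, holding the separately kept table, can re-link a token.
    return len(static_join), len(dynamic_join), p.relink("marketing", mkt[0]["id"])
```

With static tokens both records join across the two releases; with per-purpose tokens none do, and only the controller's lookup table resolves a token back to the person.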


Truth #7: GDPR Pseudonymisation Helps Satisfy Schrems II Requirements for Technical Supplementary Measures

The risk of identifying EU data subjects by US authorities was one of the main reasons behind the invalidation of Privacy Shield in Schrems II.[8] As a result, data controllers have to implement supplementary measures to ensure an equivalent level of protection for lawful data transfer.

When implemented correctly, GDPR-compliant pseudonymisation of personal data ensures that only the data controller, which has exclusive access to the additional information, can re-link the data to specific individuals, and that unauthorized third parties cannot re-identify individuals.


Truth #8: GDPR Pseudonymisation Enables EU-Based Redress for Failure to Properly Pseudonymise Data

Under GDPR, if there is a breach of user privacy arising out of improperly pseudonymised data, EU data subjects have access to legal recourse within the jurisdiction of the EU, without having to rely on legal mechanisms outside of the EU for redress.


Truth #9: GDPR Pseudonymisation Is an Example of Distributed Trust Controls to Enable Trusted Data

We live in a data economy where cross-border sharing of personal data across all industries with numerous stakeholders such as intermediaries, cloud providers, and controllers is ubiquitous.

GDPR-compliant pseudonymisation can play a crucial role in streamlining the flow of personal data across different stakeholders.

For example, pseudonymisation can enable reliance on legitimate interests under GDPR to enable lawful secondary processing for analytics, AI and ML, and compliant sharing and combining of personal data.


Truth #10: GDPR Pseudonymisation Enables Many Statutory Benefits

There is more to the pseudonymisation of personal data than just achieving data security.

GDPR statutory benefits of compliant pseudonymisation include:

  • Transferring personal data to third countries (including secondary processing in US-operated clouds) in compliance with Schrems II, thanks to effective technical supplementary measures.
  • Relying on the Legitimate Interests ground under Article 6 of the GDPR, as pseudonymisation protects the interests of data subjects and tips the balance in favor of the data controller for the desired processing.
  • Enabling further processing of personal data for compliant analytics, AI and ML.

Pseudonymisation can not only help data controllers comply with GDPR regulations, but it can also enable a host of GDPR statutory benefits such as:

i. Tip the balance in favor of Legitimate Interests processing (GDPR Articles 5(1)(a) and 6(1)(f) and WP 217)

ii. Allow more flexible change of purpose (GDPR Article 5(1)(b) and WP 203)

iii. Allow more expansive data minimisation (GDPR Articles 5(1)(c) and 89(1))

iv. Allow more flexible storage limitation (GDPR Articles 5(1)(e) and 89(1))

v. Provide enhanced security (GDPR Articles 5(1)(f) and 32)

vi. Facilitate more expansive further processing (GDPR Article 6(4) and WP 217)

vii. Allow more flexible profiling (WP 251 rev.01 - Annex 1 and GDPR Recital 71 and Article 22)

viii. Allow lawful sharing and combining of data (GDPR Recitals 42 and 43, Articles 11(2) and 12(2), and EDPB Guidelines 05/2020)


[1] GDPR Article 4(5) defines Pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

[2] See EDPB Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data at paragraph 80.

[3] The German Association for Data Protection and Data Security (GDD or Gesellschaft für Datenschutz und Datensicherheit e.V.) was founded in 1976 and stands as a non-profit organization for practicable and effective data protection. The GDD interacts with government officials, data protection authorities, associations and privacy experts worldwide. See https://www.gdd.de/international/english

[4] The European Data Protection Supervisor (EDPS) and the Spanish Agencia Española de Protección de Datos (AEPD) jointly held that “anonymisation procedures must ensure that not even the data controller is capable of re-identifying the data holders in an anonymised file.” See https://edps.europa.eu/sites/edp/files/publication/19-10-30_aepd-edps_paper_hash_final_en.pdf. See also Anonymising Personal Data ‘Not Enough to Protect Privacy’, Shows New Study at https://www.imperial.ac.uk/news/192112/anonymising-personal-data-enough-protect-privacy/

[5] See supra note 1.

[6] Many people who believe they “know” about Pseudonymisation are only aware of the term as discussed in Opinion 05/2014 on Anonymisation techniques (“Opinion 05/2014”). This 2014 definition of Pseudonymisation does not match the new definitional requirements for GDPR-compliant Pseudonymisation under Article 4(5).

[7] See GDPR Recitals 75 and 85.

[8] See Judgment of the Court of Justice of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18.

This article originally appeared on LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.