Pseudonymisation is an established and accepted de-identification process that has gained additional attention following the adoption of the GDPR, where it is referenced as both a security and a data protection by design mechanism. As a result, in the GDPR context, pseudonymisation, if properly applied, can justify relaxing certain of data controllers’ legal obligations to some degree. In this report, we have presented an overview of the notion and main techniques of pseudonymisation in relation to its new role under the GDPR.
Although the report does not seek to conduct a detailed analysis of the different aspects of specific pseudonymisation methods and implementations, it touches upon some of the key issues in this regard. Further research is nevertheless needed, as well as practical experience, involving all stakeholders in the field. Our work therefore does not aim to conclude, but rather to initiate, a broader discussion on pseudonymisation under the GDPR and its potential application in different scenarios, especially concerning best-practice techniques, use cases and practical examples.
In the following, we present our main conclusions to this end, together with specific recommendations for relevant stakeholders.
Pseudonymisation as a core data protection by design strategy
Pseudonymisation is clearly a process that can contribute towards data protection by design, especially by technically supporting a broader interpretation of the notion of data minimisation in the digital world. As an example, the potential use of pseudonymisation has been discussed for cases where the data controller, while still being able to deliver a specific service, does not need to store the initial user identifiers. Such an interpretation can greatly contribute towards the privacy-friendly operation of online systems and services, not only in the private but also in the public sector (e.g. e-voting or e-petition systems). This approach, however, depends heavily on controllers adopting appropriate data protection by design frameworks, in which data minimisation, including by means of pseudonymisation, is a core strategy.
Data controllers, as well as producers of products, services and applications, should adopt data protection as a key design approach in their processes; in doing so, they should reassess their possibilities of implementing data minimisation by applying proper data pseudonymisation techniques.
Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should promote the use of pseudonymisation as a core data protection by design strategy by further elaborating on its role under GDPR and providing relevant guidance to controllers.
Defining the state-of-the-art
At the same time, the technical implementation of pseudonymisation is highly dependent on the state-of-the-art and on the way this is known and/or available to controllers. Not all pseudonymisation techniques are equally effective, and each technique may present its own implementation challenges or limitations. This is relevant not only to the choice of the technique itself, but also to the overall design of the pseudonymisation process, including in particular the protection of the additional information (i.e. the information that allows for the association between pseudonyms and initial identifiers). The combination of pseudonymisation with other privacy enhancing technologies is also critical to enhancing overall efficiency.
The research community should continue working on privacy and security engineering, including state-of-the-art pseudonymisation (and anonymisation) techniques and their possible implementations, with the support of the EU institutions in terms of policy guidance and research funding.
Pseudonymisation best practices in the context of GDPR
Clearly, pseudonymisation is not a prerequisite for all cases of personal data processing; hence, evaluating the relevant data protection risks for each specific data processing case is inherent to the decision on whether and how pseudonymisation should be implemented. Defining the goals and objectives of pseudonymisation in each particular case is central to this process. To this end, relevant best practices and examples of pseudonymisation in the context of the GDPR can be of great value to controllers (as well as to producers of products, services and applications). For instance, it would be beneficial to point out any successful implementation, in the private or public sector, analysing its key attributes as well as the possibilities for data controllers to utilise the same model in the future.
Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should discuss and promote good practices across the EU in relation to state-of-the-art solutions of pseudonymisation under GDPR. EU Institutions could promote such good practices.
The research community should derive best practices from the experience on pseudonymisation (and anonymisation) pooled at DPA level.
Transparency and well established procedures
As already mentioned, the GDPR provides for a certain relaxation of some of the controllers’ obligations when pseudonymisation is applied. Moreover, controllers are exempted from their obligations with regard to certain data subjects’ rights (Articles 15-20 GDPR) when they are provably not in a position to identify the data subjects. As this is a significant aspect of the GDPR’s implementation, further guidance (on the regulators’ side) and good management (on the controllers’ side) are essential.
Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should provide guidance and best practices on the interpretation and practical implementation of the aforementioned provisions.
Data controllers should establish well-defined procedures to this end, and should share information regarding the pseudonymisation methods applied (and their overall data processing activities).