EXECUTIVE SUMMARY

Pseudonymisation is an established and accepted de-identification process that has gained additional attention following the adoption of the General Data Protection Regulation (GDPR) 1, where it is referenced as both a security and data protection by design mechanism. As a result, in the GDPR context, pseudonymisation can motivate the relaxation to a certain degree of data controllers’ legal obligations if properly applied.

In this report, we present an overview of the notion and main techniques of pseudonymisation in correlation with its new role under GDPR.

In particular, starting from the definition of pseudonymisation (as well as its differences from other key techniques, such as anonymization and encryption), the report first discusses its core data protection benefits. Following this analysis, the report then addresses some techniques that may be utilised for pseudonymisation, such as hashing, hashing with key or salt, encryption and other cryptographic mechanisms, tokenization, as well as other relevant approaches. Last, certain pseudonymisation use cases and best practices are discussed, focusing especially on the area of mobile apps and revisiting some of the earlier discussed techniques.

Although the report does not seek to conduct a detailed analysis of the different aspects related to specific pseudonymisation methods and implementations, it touches upon some of the key issues in this regard. However, further research is needed, as well as practical experience, involving all stakeholders in the field.

To this end, the main conclusions and recommendations of the report are presented below.

Pseudonymisation as a core data protection by design strategy

Pseudonymisation can clearly contribute towards data protection by design, especially by technically supporting a broader interpretation of the notion of data minimisation in the digital world. This approach, however, is highly relevant to the adoption by data controllers of appropriate data protection by design frameworks, where data minimisation, also by means of pseudonymisation, is a core strategy.

Data controllers, as well as producers of products, services and applications, should adopt data protection as a key design approach in their processes; doing so, they should reassess their possibilities of implementing data minimisation by applying proper data pseudonymisation techniques.

Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should promote the use of pseudonymisation as a core data protection by design strategy by further elaborating on its role under GDPR and providing relevant guidance to controllers.

Defining the state-of-the-art

The technical implementation of pseudonymisation is highly dependent on the state-of-the-art and the way that this is known and/or available to controllers. The combination of pseudonymisation with other privacy enhancing technologies is also critical to enhance overall efficiency.

The research community should continue working on privacy and security engineering, including state-ofthe-art pseudonymisation (and anonymisation) techniques and their possible implementations, with the support of the European Union (EU) institutions in terms of policy guidance and research funding.

Pseudonymisation best practices in the context of GDPR

Clearly, pseudonymisation is not a prerequisite for all cases of personal data processing; hence, evaluating the relevant data protection risks (for each specific data processing case) is inherent to the decision on whether and how pseudonymisation can be implemented.

Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should discuss and promote good practices across the EU in relation to state-of-the-art solutions of pseudonymisation under GDPR. EU Institutions could promote such good practices.

The research community should work out best practices out of the pooled experience on pseudonymisation (and anonymisation) at DPAs level.

Transparency and well established procedures

GDPR provides a certain relaxation of some controllers’ obligations when pseudonymisation is applied. As this is a significant aspect of the GDPR’s implementation, further guidance (on the regulators side) and good management (on the controllers side) is essential.

Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should provide guidance and best practices on the interpretation and practical implementation of the aforementioned provisions.

Data controllers should establish well-determined procedures to this end, as well as share information regarding pseudonymisation methods applied (and their overall data processing activities).