General Data Protection Regulation (GDPR)
General Provisions
Chapter 1

INTRODUCTION

1.1 BACKGROUND

Pseudonymisation is a well-known de-identification process that has gained additional attention following the adoption of GDPR, where it is referenced both as a security measure and as a data protection by design mechanism. In addition, in the GDPR context, pseudonymisation, if properly applied, can justify relaxing data controllers’ legal obligations to a certain degree.

Given its growing importance for both data controllers and data subjects, ENISA published in 2018 [1] an overview of the notion and main techniques of pseudonymisation in relation to its role under GDPR. In particular, starting from the definition of pseudonymisation (as well as its differences from other technologies, such as anonymisation and encryption), the report first discusses the core data protection benefits of pseudonymisation. Following this analysis, it then presents some techniques that may be utilised for pseudonymisation, such as hashing, hashing with a key or salt, encryption, tokenization, as well as other relevant approaches. Lastly, certain applications of pseudonymisation are discussed, focusing especially on the area of mobile applications.

Although the aforementioned ENISA work touches upon some of the key pseudonymisation issues, further research and analysis are necessary both to reinforce the concept of pseudonymisation as a security measure (art. 32 of GDPR) and to shape its role as a data protection by design instrument (art. 25 of GDPR). Indeed, as also recognised in the ENISA report, there is a particular need to promote pseudonymisation best practices and provide use case examples that could support the definition of the “state-of-the-art” in the field.
Against this background, ENISA further elaborated under its 2019 work programme on the practical application of data pseudonymisation.

1.2 SCOPE AND OBJECTIVES

The overall scope of this report is to provide guidance and best practices on the technical implementation of data pseudonymisation.

More specifically, the objectives of the report are as follows:

  • Discuss different pseudonymisation scenarios and relevant actors involved.
  • Present possible pseudonymisation techniques in correlation with relevant adversarial and attack models.
  • Analyse the application of pseudonymisation to specific types of identifiers, in particular IP addresses, email addresses and other types of structured data sets (use cases).
  • Draw relevant conclusions and make recommendations for further work in the field.

It should be noted that the selection of the use cases was based on the fact that the specific types of identifiers (IP addresses, email addresses, identifiers in structured data sets) represent quite common cases in several real-life scenarios. At the same time, the selected use cases also reflect diverse requirements with regard to pseudonymisation, ranging from the strict format of IP addresses to the more flexible structure of email addresses and the unpredictable nature of larger datasets.

The target audience of the report consists of data controllers, data processors and producers of products, services and applications, Data Protection Authorities (DPAs), as well as any other party interested in data pseudonymisation.
The document assumes a basic level of understanding of personal data protection principles and the role/process of pseudonymisation. For an overview of data pseudonymisation under GDPR, please also refer to ENISA’s previous work in the field [1].

The discussion and examples presented in the report focus only on technical solutions that could promote privacy and data protection; they should by no means be interpreted as a legal opinion on the relevant cases.

1.3 OUTLINE

The outline of the report is as follows:

  • Chapter 2 provides the terminology used in the remainder of the report with relevant explanatory remarks where needed.
  • Chapter 3 refers to the most common pseudonymisation scenarios that can be expected in practice.
  • Chapter 4 describes the possible adversarial and attack models with regard to pseudonymisation (and the previously described scenarios).
  • Chapter 5 presents the main pseudonymisation techniques and policies that are available today.
  • Chapters 6, 7 and 8 analyse the application of different pseudonymisation techniques to IP addresses, email addresses and more complex datasets (use cases).
  • Chapter 8 summarises the previous discussions and provides the main conclusions and recommendations for all related stakeholders.

This report is part of the work of ENISA in the area of privacy and data protection, which focuses on analysing technical solutions for the implementation of GDPR, privacy by design and security of personal data processing.