In the light of the GDPR, the challenge of properly applying pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities, ranging from research and academia to justice and law enforcement and to compliance management in several organisations in Europe. In this report, some basic notions have been introduced, together with relevant definitions, techniques, attacks, and countermeasures to support this envisaged future interdisciplinary discourse.
As shown in the report, the field of data pseudonymisation in complex information infrastructures is a challenging one, with a high dependency on matters of context, involved entities, data types, background information, and implementation details. Indeed, there is no single, easy solution to pseudonymisation that works for all approaches in all possible scenarios. On the contrary, a high level of competence is required in order to apply a robust pseudonymisation process, reducing as far as possible the threat of discrimination or re-identification attacks, while maintaining the degree of utility necessary for the processing of the pseudonymised data.
To this end, based on the analysis provided earlier in the report, in the following some basic conclusions and recommendations are drawn for all relevant stakeholders as regards the practical adoption and implementation of data pseudonymisation.
A RISK-BASED APPROACH TOWARDS PSEUDONYMISATION
Although all known pseudonymisation techniques have their own, well-understood, intrinsic properties, this does not make the choice of the proper approach a trivial task in practice. A careful examination of the context in which the pseudonymisation is to be applied needs to take place, considering all the desired pseudonymisation goals for the specific case (from whom the identities need to be hidden, what utility the derived pseudonyms need to retain, etc.), as well as the ease of implementation. A risk-based approach therefore needs to be adopted with respect to the choice of the proper pseudonymisation technique, so as to properly assess and mitigate the relevant privacy threats. Indeed, simply protecting the additional data that are required for re-identification (e.g. the secret key of a keyed hash function or the pseudonym mapping table), although it is a prerequisite, does not necessarily eliminate all risks: the pseudonymised dataset may still allow linkage of records or re-identification through background information.
Data controllers and processors should carefully consider the implementation of pseudonymisation following a risk-based approach, taking into account the purpose and overall context of the personal data processing, as well as the utility and scalability levels they wish to achieve.
Producers of products, services and applications should provide adequate information to controllers and processors regarding their use of pseudonymisation techniques and the security and data protection levels that these provide.
Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should provide practical guidance to data controllers and processors with regard to the assessment of the risk, while promoting best practices in the field of pseudonymisation.
DEFINING THE STATE-OF-THE-ART
In order to support a risk-based approach to pseudonymisation, the definition of the state-of-the-art in the field is essential. Indeed, while, as shown in this report, several pseudonymisation techniques are available, the practical application of these techniques may vary, e.g. between different types of identifiers or datasets. To this end, it is important to work towards specific use cases and examples, providing more details and possible options regarding the technical implementation of pseudonymisation.
The European Commission and the relevant EU institutions should support the definition and dissemination of the state-of-the-art in pseudonymisation, in co-operation with the research community and industry in the field.
Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should promote the publication of best practices in the field of pseudonymisation.
ADVANCING THE STATE-OF-THE-ART
In this report, the main focus was on the basic pseudonymisation techniques that are available today for use by controllers and processors. Still, for more complex scenarios (which, as shown in the report, arise quite often in practice), the use of more advanced (and more robust) techniques, such as those arising from the area of anonymisation, will become increasingly needed. Moreover, the very notion of anonymisation needs to be revisited, as adversarial models are evolving (and, thus, anonymisation is becoming more and more challenging in real-world scenarios).
The research community should work on extending the current pseudonymisation techniques into more advanced solutions that effectively address the specific challenges appearing in the big data era. The European Commission and the relevant EU institutions should support and disseminate these efforts.