GDPR Pseudonymisation Benefits

Pseudonymisation, as newly defined under GDPR Article 4(5), helps to achieve Functional Separation to enable greater lawful data use and defeat unauthorised re-identification via the Mosaic Effect to:

 

Support Lawful Data Repurposing, Sharing and Combining

details
  • Lawful Repurposing, Sharing and Combining.
    • Pseudonymisation is explicitly highlighted in Article 6(4)(e) as an “appropriate safeguard” that can be used by data controllers “in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected.”
  • Protect Data In Use When Consent Is Not Enough.
    • Properly Pseudonymised data is recognized in the Article 29 Working Party Opinion 06/2014 as playing “…a role with regard to the evaluation of the potential impact of the processing on the data subject...tipping the balance in favour of the controller” to help support Legitimate Interest processing to protect data in use (see https://dataprotectionmagazine.com/?p=975 ).
    • The benefits of processing personal data using compliant Legitimate Interests processing as a legal basis under the GDPR include:
      • Under Article 17(1)(c), if a data controller can show they “have overriding legitimate grounds for processing” supported by technical and organizational measures to satisfy the balancing of interest test, they have greater flexibility in complying with Right to be Forgotten requests
      • Under Article 18(1)(d), a data controller has flexibility in complying with claims to restrict the processing of personal data if they can show they have technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the privacy rights of the data subject is protected.
      • Under Article 20(1), data controllers using Legitimate Interest processing are not subject to the right of portability, which applies only to consent-based processing.
      • Under Article 21(1), a data controller using Legitimate Interest processing may show they have adequate technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are adequately protected. However, data subjects always have the right under Article 21(3) to not receive direct marketing outreach as a result of such processing.
 

Overcome Prohibitions Against Special Category Processing

details
  • Pseudonymisation helps to satisfy the Article 9(2)(g) exception to the general prohibition against the processing of special category data if the “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
  • Pseudonymisation helps to satisfy the Article 9(2)(i) exception to the general prohibition against the processing of special category data if the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”
  • Pseudonymisation helps to satisfy the Article 9(2)(j) exception to the general prohibition against the processing of special category data if the “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) [which explicitly cites Pseudonymisation] based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
 

Separate Processing Benefits From Re-Identification Obligations

details
  • Pseudonymisation helps to enable Article 11(2) relaxation of obligations to data subjects under Articles 15 (Right of Access by Data Subject), 16 (Right to Rectification), 17 (Right to Erasure - Right to be Forgotten), 18 (Right to Restriction of Processing), 19 (Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing), and 20 (Right to Data Portability) when processing does not require identification when the data controller is not in a position to identify data subjects and the controller has informed data subjects accordingly. Data controllers not in possession of “Additional Information” necessary for re-identification satisfy this requirement.
  • Pseudonymisation helps to enable Article 12(2) relaxation of obligations under Articles 15 (Right of Access by Data Subject), 16 (Right to Rectification), 17 (Right to Erasure - Right to be Forgotten), 18 (Right to Restriction of Processing), 19 (Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing), and 20 (Right to Data Portability) in addition to the relaxation of obligations under Articles 21 (Right to Object to Automated Decision-Making) and 22 (Automated Individual Decision-Making, Including Profiling) to provide transparent information, communication and modalities for the exercise of the rights of the data subject when the data controller can demonstrate it is not in a position to identify data subjects. Data controllers not in possession of “Additional Information” necessary for re-identification satisfy this requirement.
 

Maximise the Availability of Lawful Profiling and Digital Marketing

details
  • Pseudonymisation reduces the risk that profiling “produces legal effects concerning [data subjects] or similarly significantly affects [data subjects]” under Article 22(1) because it can be left up to the data subject whether to choose to participate in opportunities presented to them as a member of a Pseudonymised group.
  • Pseudonymisation reduces the risk that profiling “decision[s are made] based solely on automated processing” under Article 22(1) because it can be left up to the data subject whether to choose to participate in opportunities presented to them as a member of a Pseudonymised group.
  • Pseudonymisation helps to enable Article 22(2)(b) support for processing “authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.”
  • Pseudonymisation helps to enable Article 22(4) allowance for decisions “based on special categories of personal data referred to in Article 9(1)” premised on Article 9(2)(g) Union or Member State laws by ensuring that “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.”
 

Satisfy Data Protection by Design and by Default Obligations

details
  • Article 25(1) requires data controllers - for both primary and secondary processing - to “implement appropriate technical and organisational measures, such as pseudonymisation.”
  • Pseudonymisation helps data controllers to satisfy their obligations under Article 25(2) to “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
 

Reduce the Risk of Data Breach Liability Obligations and Liability

details
  • Article 32 explicitly recognises Pseudonymisation and encryption as measures “[t]aking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
  • Pseudonymisation helps to ensure that data breaches are “unlikely to result in a risk to the rights and freedoms of natural persons.” This would mean that an incident would not qualify as a data breach under GDPR and thus would not have to be notified to a supervisory authority under Article 33.
  • Pseudonymisation helps to ensure that data breaches are not “likely to result in a high risk to the rights and freedoms of natural persons.” This would mean that an incident would not qualify as a data breach under GDPR and/or (thus) would not have to be communicated to the data subject  under Article 34.
 

Improve Scalability of Data Protection Impact Assessments

details
  • Pseudonymisation helps to satisfy Article 35(3)(b) obligations when “processing on a large scale of special categories of data referred to in Article 9(1).”
  • Pseudonymisation helps to satisfy Article 35(8) creation of and adherence to “approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.”
  • Pseudonymisation helps to enable Article 35(10) elimination of separate data protection impact assessment obligations under Articles 35(1)-(7) “[w]here processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis.”
 

8. Enable Benefits of Expanded Lawful Processing

details
  • Article 89(1) provides that “[p]rocessing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include Pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.”
  • Article 89(1) Pseudonymisation-enabled processing enables greater flexibility under:
    • Article 5(1)(b) with regard to purpose limitation;
    • Article 5(1)(e) with regard to storage limitation; and
    • Article 9(2)(j) with regard to overcoming the general prohibition on processing Article 9(1) special categories of personal data.
Contact Us To Learn More