Pseudonymisation Podcast
Timely discussions with industry experts about the requirements for and the benefits of Pseudonymisation
Episode No. 1
Top five action items from the Pseudonymisation Webinar
View Transcript
Pseudonymisation Podcast
Episode No. 1: What is Pseudonymisation before and after the GDPR?
Gary LaFever (Anonos)
We'd like to welcome everyone to the inaugural podcast for Pseudonymisation. And through this, we hope to look through the lens of Pseudonymisation and a number of different both business and legal objectives that it helps to achieve. No one on this call is going to claim that Pseudonymisation is a silver bullet, a golden shield, or a magic wand. But it actually has a different meaning and impact than it might have in the past, and that's what the discussion today is about. So, we have with us today Andy Splittgerber and Cynthia O'Donoghue from Reed Smith and also Magali Feys from AContrario. My name is Gary LaFever and I’m with Anonos, and this discussion is going to be about Pseudonymisation - what is it, what isn’t it, what was it, and what could it be.
So, I would just like to open the discussion because Cynthia was sharing earlier that she went to a seminar that the ICO held before the GDPR, and the discussion was whether or not Pseudonymisation was merely a security technique and compare that with the recent draft guidance from the ICO where they make the point that there are different types of Pseudonymisation. But to achieve the statutory definition under the UK GDPR and therefore the statutory benefits, you have to satisfy certain criteria, many of which had been set out by the European Cybersecurity Agency (ENISA). And so, Cynthia, if you just want to kind of share the tenor and the topic of that discussion, which I believe is actually what many people still think Pseudonymisation is today.
Cynthia O'Donoghue
Yeah. Basically, it was kind of teeing up discussions for implementation of GDPR. So, the law had already been issued, but it hadn't yet gone into effect. And the view was that Pseudonymisation had always been treated as a security, like a Privacy Enhancing Technique (PET), and the view was it should still be treated that way. I think the majority in the room of participants felt that that is what it should be. It's removal of direct identifiers. It's essentially taking a data set and reducing it and obscuring any form of direct identifiers so that the data is treated as pseudonymised as opposed to fully identifiable.
Gary LaFever (Anonos)
And the ICO prior language regarding Pseudonymisation reflected that. And yet, the most recent shows that if you want the statutory definition of benefits, it has higher standards. Maggie, do you want to just kind of give your perspective on what those higher standards are?
Magali Feys (AContrario)
Yeah. Well, indeed, I agree with Cynthia that as we have seen pre-GDPR, it was definitely more a privacy enhancement technique and replacing direct identifiers with tokens. And what I always found it was applied to individual fields independently within a data set and that is on the data set as a whole. Whilst if you look at the definition of Pseudonymisation in the GDPR and that’s Article 4(5), it really requires that you separate the information value of the data from the identity of the data subject and that the additional information should be securely stored, which is then necessary and only based with or on that additional information, you should be able to re-identify the data subjects and this is under controlled conditions. So, if you look at that definition and in order to also implement it in practice, I think that it's now really defined not any more as an individual technique, but as an outcome on the data sets as a whole. And not only requires protecting the direct identifiers but also the indirect identifiers.
Gary LaFever (Anonos)
Maggie, that would be the case because I think most of us would agree there are a lot of studies and results out there that data that was held to be “anonymous” or obscured can easily and quickly be re-identified through combination, inferences, and correlations of the indirect identifiers. Is that what you're saying that in order to satisfy the Article 4(5) definition that you would have to protect both direct and indirect?
Magali Feys (AContrario)
Indeed. If you then look, for example, at recommendations of the EDPB on the Schrems II, which goes to Pseudonymisation, we see a number of elements they put forward. They also say you can't only protect the particular fields, but the data set as a whole. They also say you have to protect it from singling out data subjects in the larger group, and this is by actually using K-anonymity or aggregation almost mandatory. And what we also see is that they require the need for dynamism because we all know about the Harvard Mosaic Effect study that it’s easy to combine the data sets, which you think is anonymised with other datasets. And if, for example, a static token is always used, then of course it's easy to combine and use all that data to re-identify the data subject. So, I think also next to not only protecting direct identifiers and indirect identifiers, you need to bring from a technical perspective dynamism on the table in order to make sure that you can uphold GDPR-compliant Pseudonymisation.
Gary LaFever (Anonos)
So, Andy, your perspective on this is interesting because the challenge here is it's not just practitioners in the field who may have an outdated version of Pseudonymisation. I shouldn't say outdated because these definitions are still accurate in their different uses. But when it comes to trying to get the statutory benefits of Pseudonymisation, regulators themselves may not be up to speed. Have you had interactions with regulators where Pseudonymisation is held up as potentially part of a broader solution and they're not very supportive?
Andy Splittgerber (Reed Smith)
Yeah. I would never say authorities are not up to speed. But definitely, there is sometimes a different interpretation of Pseudonymisation. I mean, if you also look at the Google Analytics Austria decision, for example, the authority there takes a view in citing German authorities that suggests that if you create a data set that has an identifier, like it's about the cookie data, but not linked to names or email addresses that they don't consider this as Pseudonymisation because the identifier has a purpose. But that's not the interpretation of Pseudonymisation. It is not pseudonymised data, and it should not be regarded as such because it fails to meet the criteria in the definition of pseudonymised data that we have separated or that there is a separation between the clear direct personal data and the indirect personal data. So, there is I would say different interpretations and perhaps also a bit of pre-GDPR thinking in the head.
Gary LaFever (Anonos)
It's interesting and I want to make an observation and get Cynthia's view going back to that one working session she was on because I think to take the position that I understand you're extrapolating, while that identifier has been separated from the direct identifier, meaning the name of the party, the analysis went on to say that it was child's play to figure out who the person was. And so, it would seem to be that the requirements of Pseudonymisation are not just the separation of the direct identifier from the identity but it's also in such a way that it is not possible to re-link but for access to separate information held separately, and it would seem to me that's where it failed, right? Because Google could easily, in fact, purposefully identify this person because of other information they had access to. And so, that's where I think the full definition under the GDPR is oftentimes missed and it's understandable because it's almost more of a data science issue than a legal issue. That last tagline of the definition that requires that the data not be attributable back to individuals but for access to the additional information kept separately, that's a high standard. That's actually a very difficult standard. And so, Cynthia, I'm just curious going back to the demarcation between it's a replacement of direct identifiers only, the indirect identifiers themselves could be easily identifiable. Do you have any particular thought or perspective on that?
Cynthia O'Donoghue (Reed Smith)
Yeah. I mean, funny enough, if I agree with you. I mean, you kind of said it yourself when you said that technology had moved on and that ultimately the removal of a direct identifier in some ways is quite old fashioned and an unsophisticated way of thinking about it, but you're right. I mean, it is essentially data science because you have to have that logical partition so that the data is kept separately and can't be commingled in any way. And if you have, to what Andy just said, some sort of random identifier, if that random identifier is static and/or traceable across the separate databases and again the data is commingled, then the Pseudonymisation falls away. So, I think you're right. There's an evolution of the definition under the GDPR such that it requires far more technical solutions, logical solutions, as well as just things like hashing of direct identifiers.
Gary LaFever (Anonos)
There's actually, if I'm not mistaken, a joint opinion by the European Data Protection Supervisor and the Spanish DPA where they walked through Pseudonymisation as an anonymisation technique. And while the focus of that opinion is anonymisation and they hold there that anonymisation requires that it's not even re-linkable in the hands of the data controller, but they do critique some of the outdated approaches like hashing, etc. Because, let's be honest, it's like a one-dimensional protection, whereas you can peek around the curtain and see who the person is and that's no longer good enough. It's almost as if the GDPR requires a three-dimensional protection. And I laughingly say it's a terrible job of PR, right? Pseudonymisation, if you achieve the statutory stage, has a lot of benefits but it really hasn't been touted that much. And so, the European Data Protection Supervisor did a webinar at the end of last year in 2021, where they're trying to educate people, but it's almost like this is as much a publicity / public education challenge as it is a legal challenge. Any thoughts or reactions to that?
Magali Feys (AContrario)
Well, if I may, it's funny because this week I got an opinion from another GDPR law firm, and they state it's almost like you know you have anonymisation. And if that fails, then your lower step is then Pseudonymisation. And I think that is and I have to be honest that before I read into the definition and I saw the technical implementation of the definition and what it enhances and stands for, it was also my opinion. And of course, if you think in that way, you only see it as a sort of data minimisation step - a higher data minimisation step but a data minimisation step. And I believe, actually, and I know it's maybe not the most popular view but I actually think that the outcome of GDPR-compliant Pseudonymisation does even have to meet a higher standard than anonymisation because anonymisation still has the reasonable link to it in its Recital 26 under the GDPR. Whilst if you look at the definition of the outcome of GDPR-compliant Pseudonymisation in Article 4(5), you don't find that word reasonable. You should not be reasonably able to re-link it. It says without that additional data, which is your toolbox which are your keys, your PETs, the different PETs or privacy-enhancing techniques you used - without that, you shouldn’t be able in any way because there is not even the word reasonable but in any way to re-link it as such. So, I would even say that Pseudonymisation is a higher standard and indeed as long as people are still thinking as when anonymisation fails, well the next best thing is Pseudonymisation. Then, I think it’s the same reasoning as it’s just only a sort of privacy-enhancement technique and not an outcome as a whole.
Gary LaFever (Anonos)
So, Andy, just curious from your perspective. It seems like there's general consensus here that Pseudonymisation as defined as a statutory term requires an understanding of both legal and perhaps even data science techniques. I mean, how is it that you protect a data element in a way that you can't look around the curtain and see who it is, right? You have only this access, and that's probably going to require some people to change how they've done things in the past. But I'd specifically like to ask you, that additional effort and that change in processing, it seems to me that while it does require a change that that change could have some benefits. Specifically, I'd love to get your perspective on how that might be useful as part of your Appendix 2 describing the technical measures that would allow you to process data in the US cloud because you would have to, I would think, show that if the US government demands access to the data, that that data when presented to the US government is surveillance proof. Any thoughts on that? I guess what I'm getting at is if it requires people to act differently, there better be a reason for them to act differently and that heightened standard may allow them to satisfy both transfer impact assessment and legitimate interest impact assessments and even data protection impact assessments.
Andy Splittgerber (Reed Smith)
Yeah, sure. And I mean, that's a long and difficult topic. And it attaches a bit to the question: “Do we have a risk assessment in our transfer impact assessment or not?” I think yes because the entire GDPR has a risk-based approach. Probably, we must not call it risk here but still there is a reasonability test on how likely it is that there will be an access by authorities that does not meet the standards in Europe. In this context now, very generally in summary, Pseudonymisation, of course, is a very, very important step and in my view one of the means to make transfers compliant. So to say.
Gary LaFever (Anonos)
So, before we wrap up, I'm curious just to see if everyone takes a second to say where they think the industry is on this topic of Pseudonymisation, what it might have meant in the past versus what it could and should mean going forward. Because it seems that if done correctly, it could actually be a valuable tool in the toolbox. Again, I don't think it should be oversold because these are very complex issues. Cynthia, if you want to start just kind of give your view on what you think some of the biggest challenges are with Pseudonymisation given the confusion as to what it means.
Cynthia O'Donoghue (Reed Smith)
So, I think the challenge for organisations is going to be the infrastructure and the technical expertise, which they may not have in-house. And obviously, that's going to adversely affect small and medium-sized companies, and I think there are a lot of companies that fall into that category that could benefit from appropriate Pseudonymisation because it may affect some of their operational activities, their marketing, reaching out to consumers and things. So, yeah, there are challenges and benefits of the approach.
Gary LaFever (Anonos)
Well said. Andy, your perspective on kind of the challenges and benefits and what this might mean for the industry?
Andy Splittgerber (Reed Smith)
Benefits, definitely we talked about some and I think it is key to many future processing activities be it data transfers, international data transfers, AI, big data, and anything like that. It is definitely something one should always consider and implement. Challenges, like Cynthia said, I still see Pseudonymisation like in the past was not an active vocabulary of many organisations. It was personal data, and it was anonymisation. And anonymisation often was not anonymisation and I think many organisations are about to understand this. And then, we just heard what is more complex or stricter - is it Pseudonymisation or anonymisation? So, I think this is the challenge and this is what we're doing in this podcast today and in the future episodes, talk about it and educate everyone a bit more about what it is, to understand what is Pseudonymisation and anonymisation and to apply it, but we are already a couple of steps further than a couple of years ago.
Gary LaFever (Anonos)
Maggie, just curious kind of what your perspective is. And particularly what Andy seemed to say is that companies may be at a new point of revelation or realisation. I’d love to get your perspective on where we are in kind of this knowledge path?
Magali Feys (AContrario)
Well, first, on the advantages, I agree with Cynthia and Andy. The fact that I think for the secondary purpose of data and definitely the challenges, for example, hospitals are facing and we see it a lot in the medical sector. And I always say, if you can make it with health data, you can make it with regular personal data. The fact that it meets the requirements of the three-step test of legitimate interest, I think it's very important. It also will boost the name or the bad name, unfortunately that legitimate interest as a legal ground had in the past. I definitely see the opportunities there. And I think with regard to AI and with regard to actually translating what is Data Protection by Design, Pseudonymisation as an outcome is, I think, a really great asset and really gives a lot of advantages.
Think that is where we're at the beginning of the mountain where we climbed a little bit, but we're not yet over the top. So, I think that is where we are. People are not there at the top of the mountain in order where it is really seen as a solution and everybody understands the advantages, and the fact that what they're doing today is just not nearly enough and they are not reaching the requirements under the GDPR or under Schrems II.
Gary LaFever (Anonos)
And so, the beginning of this discussion and the climb up the mountain, right? This podcast is intended to start and facilitate the discussion, the greater awareness of both what the requirements and the benefits of Pseudonymisation might be, the differences of opinion as it means different things to different people. But I think this is a great start for a dialogue that can help the industry as a whole become more conscious of what it does require, what it might mean, and how it differs from what was in the past.So, with that, we thank everyone for joining us today and we look forward and hope that you join us in a follow-on podcast.
Episode No. 1: What is Pseudonymisation before and after the GDPR?
Gary LaFever (Anonos)
We'd like to welcome everyone to the inaugural podcast for Pseudonymisation. And through this, we hope to look through the lens of Pseudonymisation and a number of different both business and legal objectives that it helps to achieve. No one on this call is going to claim that Pseudonymisation is a silver bullet, a golden shield, or a magic wand. But it actually has a different meaning and impact than it might have in the past, and that's what the discussion today is about. So, we have with us today Andy Splittgerber and Cynthia O'Donoghue from Reed Smith and also Magali Feys from AContrario. My name is Gary LaFever and I’m with Anonos, and this discussion is going to be about Pseudonymisation - what is it, what isn’t it, what was it, and what could it be.
So, I would just like to open the discussion because Cynthia was sharing earlier that she went to a seminar that the ICO held before the GDPR, and the discussion was whether or not Pseudonymisation was merely a security technique and compare that with the recent draft guidance from the ICO where they make the point that there are different types of Pseudonymisation. But to achieve the statutory definition under the UK GDPR and therefore the statutory benefits, you have to satisfy certain criteria, many of which had been set out by the European Cybersecurity Agency (ENISA). And so, Cynthia, if you just want to kind of share the tenor and the topic of that discussion, which I believe is actually what many people still think Pseudonymisation is today.
Cynthia O'Donoghue
Yeah. Basically, it was kind of teeing up discussions for implementation of GDPR. So, the law had already been issued, but it hadn't yet gone into effect. And the view was that Pseudonymisation had always been treated as a security, like a Privacy Enhancing Technique (PET), and the view was it should still be treated that way. I think the majority in the room of participants felt that that is what it should be. It's removal of direct identifiers. It's essentially taking a data set and reducing it and obscuring any form of direct identifiers so that the data is treated as pseudonymised as opposed to fully identifiable.
Gary LaFever (Anonos)
And the ICO prior language regarding Pseudonymisation reflected that. And yet, the most recent shows that if you want the statutory definition of benefits, it has higher standards. Maggie, do you want to just kind of give your perspective on what those higher standards are?
Magali Feys (AContrario)
Yeah. Well, indeed, I agree with Cynthia that as we have seen pre-GDPR, it was definitely more a privacy enhancement technique and replacing direct identifiers with tokens. And what I always found it was applied to individual fields independently within a data set and that is on the data set as a whole. Whilst if you look at the definition of Pseudonymisation in the GDPR and that’s Article 4(5), it really requires that you separate the information value of the data from the identity of the data subject and that the additional information should be securely stored, which is then necessary and only based with or on that additional information, you should be able to re-identify the data subjects and this is under controlled conditions. So, if you look at that definition and in order to also implement it in practice, I think that it's now really defined not any more as an individual technique, but as an outcome on the data sets as a whole. And not only requires protecting the direct identifiers but also the indirect identifiers.
Gary LaFever (Anonos)
Maggie, that would be the case because I think most of us would agree there are a lot of studies and results out there that data that was held to be “anonymous” or obscured can easily and quickly be re-identified through combination, inferences, and correlations of the indirect identifiers. Is that what you're saying that in order to satisfy the Article 4(5) definition that you would have to protect both direct and indirect?
Magali Feys (AContrario)
Indeed. If you then look, for example, at recommendations of the EDPB on the Schrems II, which goes to Pseudonymisation, we see a number of elements they put forward. They also say you can't only protect the particular fields, but the data set as a whole. They also say you have to protect it from singling out data subjects in the larger group, and this is by actually using K-anonymity or aggregation almost mandatory. And what we also see is that they require the need for dynamism because we all know about the Harvard Mosaic Effect study that it’s easy to combine the data sets, which you think is anonymised with other datasets. And if, for example, a static token is always used, then of course it's easy to combine and use all that data to re-identify the data subject. So, I think also next to not only protecting direct identifiers and indirect identifiers, you need to bring from a technical perspective dynamism on the table in order to make sure that you can uphold GDPR-compliant Pseudonymisation.
Gary LaFever (Anonos)
So, Andy, your perspective on this is interesting because the challenge here is it's not just practitioners in the field who may have an outdated version of Pseudonymisation. I shouldn't say outdated because these definitions are still accurate in their different uses. But when it comes to trying to get the statutory benefits of Pseudonymisation, regulators themselves may not be up to speed. Have you had interactions with regulators where Pseudonymisation is held up as potentially part of a broader solution and they're not very supportive?
Andy Splittgerber (Reed Smith)
Yeah. I would never say authorities are not up to speed. But definitely, there is sometimes a different interpretation of Pseudonymisation. I mean, if you also look at the Google Analytics Austria decision, for example, the authority there takes a view in citing German authorities that suggests that if you create a data set that has an identifier, like it's about the cookie data, but not linked to names or email addresses that they don't consider this as Pseudonymisation because the identifier has a purpose. But that's not the interpretation of Pseudonymisation. It is not pseudonymised data, and it should not be regarded as such because it fails to meet the criteria in the definition of pseudonymised data that we have separated or that there is a separation between the clear direct personal data and the indirect personal data. So, there is I would say different interpretations and perhaps also a bit of pre-GDPR thinking in the head.
Gary LaFever (Anonos)
It's interesting and I want to make an observation and get Cynthia's view going back to that one working session she was on because I think to take the position that I understand you're extrapolating, while that identifier has been separated from the direct identifier, meaning the name of the party, the analysis went on to say that it was child's play to figure out who the person was. And so, it would seem to be that the requirements of Pseudonymisation are not just the separation of the direct identifier from the identity but it's also in such a way that it is not possible to re-link but for access to separate information held separately, and it would seem to me that's where it failed, right? Because Google could easily, in fact, purposefully identify this person because of other information they had access to. And so, that's where I think the full definition under the GDPR is oftentimes missed and it's understandable because it's almost more of a data science issue than a legal issue. That last tagline of the definition that requires that the data not be attributable back to individuals but for access to the additional information kept separately, that's a high standard. That's actually a very difficult standard. And so, Cynthia, I'm just curious going back to the demarcation between it's a replacement of direct identifiers only, the indirect identifiers themselves could be easily identifiable. Do you have any particular thought or perspective on that?
Cynthia O'Donoghue (Reed Smith)
Yeah. I mean, funny enough, if I agree with you. I mean, you kind of said it yourself when you said that technology had moved on and that ultimately the removal of a direct identifier in some ways is quite old fashioned and an unsophisticated way of thinking about it, but you're right. I mean, it is essentially data science because you have to have that logical partition so that the data is kept separately and can't be commingled in any way. And if you have, to what Andy just said, some sort of random identifier, if that random identifier is static and/or traceable across the separate databases and again the data is commingled, then the Pseudonymisation falls away. So, I think you're right. There's an evolution of the definition under the GDPR such that it requires far more technical solutions, logical solutions, as well as just things like hashing of direct identifiers.
Gary LaFever (Anonos)
There's actually, if I'm not mistaken, a joint opinion by the European Data Protection Supervisor and the Spanish DPA where they walked through Pseudonymisation as an anonymisation technique. And while the focus of that opinion is anonymisation and they hold there that anonymisation requires that it's not even re-linkable in the hands of the data controller, but they do critique some of the outdated approaches like hashing, etc. Because, let's be honest, it's like a one-dimensional protection, whereas you can peek around the curtain and see who the person is and that's no longer good enough. It's almost as if the GDPR requires a three-dimensional protection. And I laughingly say it's a terrible job of PR, right? Pseudonymisation, if you achieve the statutory stage, has a lot of benefits but it really hasn't been touted that much. And so, the European Data Protection Supervisor did a webinar at the end of last year in 2021, where they're trying to educate people, but it's almost like this is as much a publicity / public education challenge as it is a legal challenge. Any thoughts or reactions to that?
Magali Feys (AContrario)
Well, if I may, it's funny because this week I got an opinion from another GDPR law firm, and they state it's almost like you know you have anonymisation. And if that fails, then your lower step is then Pseudonymisation. And I think that is and I have to be honest that before I read into the definition and I saw the technical implementation of the definition and what it enhances and stands for, it was also my opinion. And of course, if you think in that way, you only see it as a sort of data minimisation step - a higher data minimisation step but a data minimisation step. And I believe, actually, and I know it's maybe not the most popular view but I actually think that the outcome of GDPR-compliant Pseudonymisation does even have to meet a higher standard than anonymisation because anonymisation still has the reasonable link to it in its Recital 26 under the GDPR. Whilst if you look at the definition of the outcome of GDPR-compliant Pseudonymisation in Article 4(5), you don't find that word reasonable. You should not be reasonably able to re-link it. It says without that additional data, which is your toolbox which are your keys, your PETs, the different PETs or privacy-enhancing techniques you used - without that, you shouldn’t be able in any way because there is not even the word reasonable but in any way to re-link it as such. So, I would even say that Pseudonymisation is a higher standard and indeed as long as people are still thinking as when anonymisation fails, well the next best thing is Pseudonymisation. Then, I think it’s the same reasoning as it’s just only a sort of privacy-enhancement technique and not an outcome as a whole.
Gary LaFever (Anonos)
So, Andy, just curious from your perspective. It seems like there's general consensus here that Pseudonymisation as defined as a statutory term requires an understanding of both legal and perhaps even data science techniques. I mean, how is it that you protect a data element in a way that you can't look around the curtain and see who it is, right? You have only this access, and that's probably going to require some people to change how they've done things in the past. But I'd specifically like to ask you, that additional effort and that change in processing, it seems to me that while it does require a change that that change could have some benefits. Specifically, I'd love to get your perspective on how that might be useful as part of your Appendix 2 describing the technical measures that would allow you to process data in the US cloud because you would have to, I would think, show that if the US government demands access to the data, that that data when presented to the US government is surveillance proof. Any thoughts on that? I guess what I'm getting at is if it requires people to act differently, there better be a reason for them to act differently and that heightened standard may allow them to satisfy both transfer impact assessment and legitimate interest impact assessments and even data protection impact assessments.
Andy Splittgerber (Reed Smith)
Yeah, sure. And I mean, that's a long and difficult topic. And it attaches a bit to the question: “Do we have a risk assessment in our transfer impact assessment or not?” I think yes because the entire GDPR has a risk-based approach. Probably, we must not call it risk here but still there is a reasonability test on how likely it is that there will be an access by authorities that does not meet the standards in Europe. In this context now, very generally in summary, Pseudonymisation, of course, is a very, very important step and in my view one of the means to make transfers compliant. So to say.
Gary LaFever (Anonos)
So, before we wrap up, I'm curious just to see if everyone takes a second to say where they think the industry is on this topic of Pseudonymisation, what it might have meant in the past versus what it could and should mean going forward. Because it seems that if done correctly, it could actually be a valuable tool in the toolbox. Again, I don't think it should be oversold because these are very complex issues. Cynthia, if you want to start just kind of give your view on what you think some of the biggest challenges are with Pseudonymisation given the confusion as to what it means.
Cynthia O'Donoghue (Reed Smith)
So, I think the challenge for organisations is going to be the infrastructure and the technical expertise, which they may not have in-house. And obviously, that's going to adversely affect small and medium-sized companies, and I think there are a lot of companies that fall into that category that could benefit from appropriate Pseudonymisation because it may affect some of their operational activities, their marketing, reaching out to consumers and things. So, yeah, there are challenges and benefits of the approach.
Gary LaFever (Anonos)
Well said. Andy, your perspective on kind of the challenges and benefits and what this might mean for the industry?
Andy Splittgerber (Reed Smith)
Benefits, definitely we talked about some and I think it is key to many future processing activities be it data transfers, international data transfers, AI, big data, and anything like that. It is definitely something one should always consider and implement. Challenges, like Cynthia said, I still see Pseudonymisation like in the past was not an active vocabulary of many organisations. It was personal data, and it was anonymisation. And anonymisation often was not anonymisation and I think many organisations are about to understand this. And then, we just heard what is more complex or stricter - is it Pseudonymisation or anonymisation? So, I think this is the challenge and this is what we're doing in this podcast today and in the future episodes, talk about it and educate everyone a bit more about what it is, to understand what is Pseudonymisation and anonymisation and to apply it, but we are already a couple of steps further than a couple of years ago.
Gary LaFever (Anonos)
Maggie, just curious kind of what your perspective is. And particularly what Andy seemed to say is that companies may be at a new point of revelation or realisation. I’d love to get your perspective on where we are in kind of this knowledge path?
Magali Feys (AContrario)
Well, first, on the advantages, I agree with Cynthia and Andy. The fact that I think for the secondary purpose of data and definitely the challenges, for example, hospitals are facing and we see it a lot in the medical sector. And I always say, if you can make it with health data, you can make it with regular personal data. The fact that it meets the requirements of the three-step test of legitimate interest, I think it's very important. It also will boost the name or the bad name, unfortunately that legitimate interest as a legal ground had in the past. I definitely see the opportunities there. And I think with regard to AI and with regard to actually translating what is Data Protection by Design, Pseudonymisation as an outcome is, I think, a really great asset and really gives a lot of advantages.
Think that is where we're at the beginning of the mountain where we climbed a little bit, but we're not yet over the top. So, I think that is where we are. People are not there at the top of the mountain in order where it is really seen as a solution and everybody understands the advantages, and the fact that what they're doing today is just not nearly enough and they are not reaching the requirements under the GDPR or under Schrems II.
Gary LaFever (Anonos)
And so, the beginning of this discussion and the climb up the mountain, right? This podcast is intended to start and facilitate the discussion, the greater awareness of both what the requirements and the benefits of Pseudonymisation might be, the differences of opinion as it means different things to different people. But I think this is a great start for a dialogue that can help the industry as a whole become more conscious of what it does require, what it might mean, and how it differs from what was in the past.So, with that, we thank everyone for joining us today and we look forward and hope that you join us in a follow-on podcast.
Key Takeaways
Pseudonymisation is key to much future processing – be it international data transfer, AI or Big Data analytics. It is something that should always be considered and often implemented.
Andy Splittgerber
ReedSmith
ReedSmith
Technology has outpaced pre-GDPR concepts of Pseudonymisation – the removal or masking of direct identifiers is old fashioned and unsophisticated and fails to protect data as now required for Pseudonymisation.
Cynthia O'Donoghue
ReedSmith
ReedSmith
Pseudonymisation is NOT failed anonymisation and requires even greater protection since there is no “reasonableness” qualifier when assessing the risk of unauthorised reidentification.
Magali Feys
AContrario
AContrario
The Google Analytics decision by the Austrian DPA highlights that the replacement of direct identifiers with static recurring tokens is not GDPR Pseudonymisation because Google can easily relink the static identifiers to identities.
Gary LaFever
Anonos
Anonos
Schrems II Knowledge Hub
RESOURCES TO ACHIEVE LAWFUL BORDERLESS DATA:
Top 8 Misconceptions
A number of serious misconceptions about the impact of Schrems II still remain, which makes it hard for organisations to comply.
This PDF download contains an explanation of the Top 8 Misconceptions surrounding Schrems II so that your organisation can eliminate misunderstandings to move forward. Downloadable and web versions are available.
READ MOREThis PDF download contains an explanation of the Top 8 Misconceptions surrounding Schrems II so that your organisation can eliminate misunderstandings to move forward. Downloadable and web versions are available.
Schrems II Legal Solutions Guidebook
The Schrems II Legal Solutions Guidebook is a critical asset for legal and privacy advisors working on GDPR and Schrems II compliance issues.
The Guidebook, which has been downloaded over 2,200 times, covers the key legal aspects and benefits of SCC-based Schrems II compliance, as well as a checklist, templates, and practical steps for organisations to follow.
DownloadThe Guidebook, which has been downloaded over 2,200 times, covers the key legal aspects and benefits of SCC-based Schrems II compliance, as well as a checklist, templates, and practical steps for organisations to follow.
Implementation Workshop
Schrems II workshop covering Implementation Roadmap & Legal Benefits, for organisations to understand how to implement Schrems II Supplementary Measures for SCCs. Over 2000 GCs, CPOs, DPOs, and Outside Legal Counsel participated from over 1700 companies across over 50 countries. To ensure you don't miss out on valuable information, a replay of this workshop is available for you.
Watch ReplayLinkedIn Group
This LinkedIn group focuses on GDPR Pseudonymisation as highlighted by the EDPS and the EDPB as the most promising supplemental measure for Schrems II compliance. Also, visit www.pseudonymisation.com for more information on Pseudonymisation.
JOIN GROUPAnonos Solution Page
Anonos offers a technology solution that provides technical Supplementary Measures for Schrems II compliance. Explore Anonos GDPR-Pseudonymisation technology, so that you can support your organisation or clients towards a compliant solution. Only Anonos delivers three critical requirements for achieving a Defensible Business Position: Schrems II compliant Supplementary Measures and GDPR-compliant Pseudonymisation to future-proof Standard Contractual Clauses (SCCs).
VIEW SOLUTIONIDC Report on Schrems II
This IDC report explains how Anonos’ BigPrivacy software is well placed to satisfy the Schrems II requirements for appropriate safeguards by creating pseudonymised versions of personal data (Variant Twins).
The IDC report covers the development of Anonos BigPrivacy, use cases, an explanation of Anonos' state-of-the-art Pseudonymisation technology, and market applicability of the solution. Read this IDC report to find out how Anonos technology can help you.
READ REPORT The IDC report covers the development of Anonos BigPrivacy, use cases, an explanation of Anonos' state-of-the-art Pseudonymisation technology, and market applicability of the solution. Read this IDC report to find out how Anonos technology can help you.
Pseudonymisation Blog
A timely collection of articles and perspectives that you will not find elsewhere. This content reflects topical issues gleaned from meetings and interactions with companies, regulators, legislators, and non-governmental organisations related to SCC-based compliance with Schrems II requirements.
READ BLOGPseudonymisation.com Resource Page
Pseudonymisation is at the core of the Data Embassy principles, and is newly-redefined in the GDPR. Find out more about the importance of Pseudonymisation, as recommended by the EDPB as a Schrems II solution for protecting data in use, and how its application can help your organisation.
READ MOREExecutive & Board Risk Assessment Framework
This framework covers the crucial issues we address when working with these organisations to evaluate the ability to establish an immediately defensible position in compliance with Schrems II.
READ MORE
New Technology Controls Required
Relying on “Words Alone” by updating contracts and hoping for treaties produces unsustainable operations because no contract or treaty will remove the need for new technology controls to protect data when in use.
This Briefing covers how Anonos technology solves international cross-border legal challenges, enabling the highest data protection levels, accuracy, and utility on a global scale by complying with recommendations by the EDPB for GDPR-compliant Pseudonymisation.
READ MOREThis Briefing covers how Anonos technology solves international cross-border legal challenges, enabling the highest data protection levels, accuracy, and utility on a global scale by complying with recommendations by the EDPB for GDPR-compliant Pseudonymisation.
Webinar: Presenting Risk Exposure to the C-Suite & Board
Schrems II risk mitigation strategies for Boards of Directors and C-Suite, and organisations are critically needed. View this webinar to find out what the risks are, and what steps you need to take next to brief your executive team and board members.
Watch ReplayWebinar: Technical Supplementary Measures
Webinar Replay: Watch the replay of the webinar in which 3,200+ from 2,300+ companies across 50 countries participated. Schrems II Webinar: Technical Supplementary Measures Surviving and Thriving Under Schrems II.
Watch ReplayWebinar: Learn how Pseudonymisation can solve Schrems II challenges
Learn how GDPR Pseudonymisation can help your organisation achieve compliance while reaching business goals and objectives.
WATCH REPLAY
Memorandum to EDPB
Read Pseudonymisation memo submitted to the EDPB in connection with public consultation 05/2021
READ
© 2024 Anonos. All rights reserved. Privacy Policy
Follow us on: 
