Pseudonymisation is a technical measure that can be used to increase the security of personal data. When pseudonymisation methods are applied, the personal data is modified so that the person it relates to can only be identified with the addition of further information. Hence, pseudonymisation can help your company comply with the requirements of the General Data Protection Regulation (GDPR) and thereby contribute to the effective protection of data subjects’ rights. In this article we show how GDPR-compliant pseudonymisation can be achieved in practice and what risks remain after implementation.
What is pseudonymisation?
The term pseudonymisation is defined in Art. 4 No. 5 GDPR as the processing of personal data in such a way that the data can no longer be attributed to a specific person without the addition of further information. This is achieved by replacing all personal identifiers with a pseudonym.
Pseudonymisation has to be differentiated from anonymisation, which aims to completely remove any reference to a person. As a result, anonymised data no longer falls within the scope of the GDPR. By contrast, if data is merely pseudonymised and therefore a re-identification remains possible using additional information, the respective data is still subject to the GDPR.
What is the purpose of and the requirements for pseudonymisation?
Using pseudonymisation, your company can ensure that the processing of data is in compliance with the GDPR, in particular:
- to comply with the principle of data minimisation (Art. 25 GDPR);
- as a technical measure to ensure security of processing and thereby to minimise the risk to the data subjects’ rights and freedoms (Art. 32 GDPR);
- to enable you to process personal data for a purpose other than the one for which it was collected (Art. 6 (4) GDPR).
However, you should keep in mind that pseudonymisation is only one possible measure among several. In particular, the application of pseudonymisation does not necessarily render the processing compliant with the GDPR and further measures may be necessary.
Moreover, when using pseudonymisation, you should fulfil the following requirements:
- the pseudonymisation procedure you use should be state of the art;
- the procedure has to be reviewed regularly to ensure it remains state of the art and you should appoint a specialist with the technical and legal knowledge for this purpose;
- the pseudonymisation procedures have to be documented (Art. 30 GDPR), including the exact procedure and the individuals in charge of the implementation and execution.
How can pseudonymisation be achieved?
For pseudonymisation to be achieved, you must store the additional information that enables identification of the data subject separately and adopt technical and organisational measures to ensure that this information cannot be merged with the pseudonymised data. The main pseudonymisation methods available are pseudonymisation lists and calculation procedures.
When using pseudonymisation lists, a table assigns each data record to a specific pseudonym. When using this method, you must ensure that the list itself makes no direct reference to the data. Moreover, it is important to use random pseudonyms; if simple sequential numbering is used, for example, the temporal or alphabetical order of the records can become evident.
With a calculation procedure, the pseudonyms are computed algorithmically from the identity data. The algorithm must be state of the art in order to avoid cryptographic weaknesses. To ensure that unauthorised third parties cannot compute the pseudonym from the identity data, a cryptographic key can be used. A cryptographic key is a string of characters used to transform data so that it appears random: the key encrypts the data so that it can only be decrypted with the right key. To keep the data secure, the cryptographic key should be changed regularly and stored securely under a documented authorisation concept.
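The two methods described above, a pseudonymisation list with random pseudonyms and a keyed calculation procedure, can be seen side by side in the following Python example. It is an added illustration, not code from the original article or from any particular product; the records, the identifier fields and the field separator are constructed for the example, and the calculation procedure assumes HMAC-SHA256 as the state-of-the-art keyed function.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the names and addresses are invented.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "diagnosis": "A"},
    {"name": "Bob Example", "email": "Bob@Example.com", "diagnosis": "B"},
    {"name": "Alice Example", "email": "alice@example.com", "diagnosis": "C"},
]
IDENTIFIERS = ("name", "email")  # direct identifiers to be replaced by a pseudonym


def identity_of(record):
    """Canonicalise the identifying fields so spelling variants map to one identity."""
    return tuple(record[k].strip().lower() for k in IDENTIFIERS)


def payload_of(record):
    """Everything except the direct identifiers."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


class PseudonymList:
    """Pseudonymisation list: identity -> random pseudonym.

    The table is the 'additional information' of Art. 4 No. 5 GDPR and must be
    stored apart from the pseudonymised records, under separate access control.
    """

    def __init__(self):
        self._forward = {}
        self._reverse = {}

    def pseudonym_for(self, identity):
        if identity not in self._forward:
            # Random token rather than a counter: sequential numbers would
            # reveal the order in which records were added.
            token = secrets.token_hex(8)
            self._forward[identity] = token
            self._reverse[token] = identity
        return self._forward[identity]

    def reidentify(self, pseudonym):
        """Only the holder of the list can go back to the identity."""
        return self._reverse[pseudonym]


def pseudonymise_with_list(records, table):
    return [{"pseudonym": table.pseudonym_for(identity_of(r)), **payload_of(r)}
            for r in records]


def calculated_pseudonym(identity, key):
    """Calculation procedure: HMAC-SHA256 over the canonical identity.

    Without the key nobody can recompute the pseudonym from identity data;
    an unkeyed hash could be reproduced from a list of candidate names.
    """
    material = "\x1f".join(identity).encode("utf-8")  # unit separator, constructed choice
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def pseudonymise_with_key(records, key):
    return [{"pseudonym": calculated_pseudonym(identity_of(r), key), **payload_of(r)}
            for r in records]


def new_key():
    """Fresh 256-bit key. Rotating it changes every pseudonym, so data sets
    pseudonymised under different keys can no longer be joined without both keys."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    table = PseudonymList()
    by_list = pseudonymise_with_list(RECORDS, table)
    by_key = pseudonymise_with_key(RECORDS, new_key())
    for a, b in zip(by_list, by_key):
        print(a["pseudonym"], b["pseudonym"][:16], a["diagnosis"])
    print("re-identified from list:", table.reidentify(by_list[0]["pseudonym"]))
```

With the list, re-identification is only possible for whoever holds the table; with the keyed calculation, the same identity always yields the same pseudonym under one key, which is what allows records from different sources to be linked deliberately, and rotating the key is what breaks that link again.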
Remaining risks and countermeasures
Even if data is pseudonymised to ensure effective protection, certain risks remain. The main risks were listed by the Article 29 Working Party (WP29) in 2014:
- Singling out — the possibility to identify an individual’s record within a data set, e.g. if the combination of attributes is unique;
- Linkability — the possibility to link two records concerning the same individual or a group of individuals;
- Inference — the possibility to estimate or guess values by using other information.
However, depending on the processing purpose, certain measures can be taken to minimise these residual risks, e.g. randomisation or generalisation. Randomisation describes a set of techniques that remove the close link between the data and the respective individual by changing the veracity of the data. Generalisation, on the other hand, describes a set of techniques that generalise or dilute the attributes of the individuals concerned by changing their scale, e.g. a region instead of a specific city.
Moreover, the overall security of the pseudonymisation procedure can be increased by having the different stages of the procedure performed by independent bodies.
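As an added example (not from the original article), the following Python code applies generalisation and randomisation to a small constructed set of pseudonymised records and measures the singling-out risk before and after: it counts how many records have a unique combination of quasi-identifiers, i.e. the smallest equivalence class. The records, the city-to-region table and the age-band width are all invented for the illustration.

```python
import random
from collections import Counter

# Constructed pseudonymised records; all values are invented.
RECORDS = [
    {"pseudonym": "p01", "city": "Munich", "age": 34, "diagnosis": "A"},
    {"pseudonym": "p02", "city": "Munich", "age": 37, "diagnosis": "B"},
    {"pseudonym": "p03", "city": "Nuremberg", "age": 31, "diagnosis": "A"},
    {"pseudonym": "p04", "city": "Hamburg", "age": 52, "diagnosis": "C"},
    {"pseudonym": "p05", "city": "Hamburg", "age": 58, "diagnosis": "A"},
    {"pseudonym": "p06", "city": "Cologne", "age": 45, "diagnosis": "B"},
    {"pseudonym": "p07", "city": "Cologne", "age": 41, "diagnosis": "C"},
]

# Hypothetical city -> region table used for the generalisation step.
REGION_OF = {
    "Munich": "Bavaria",
    "Nuremberg": "Bavaria",
    "Hamburg": "Hamburg",
    "Cologne": "North Rhine-Westphalia",
}


def age_band(age, width=10):
    """Coarsen an exact age to a band such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalise(record):
    """Generalisation: replace precise attributes by coarser ones (city -> region, age -> band)."""
    return {
        "pseudonym": record["pseudonym"],
        "region": REGION_OF[record["city"]],
        "age_band": age_band(record["age"]),
        "diagnosis": record["diagnosis"],
    }


def randomise_age(record, rng, spread=3):
    """Randomisation (noise addition): the stored age is no longer the exact value."""
    return {**record, "age": record["age"] + rng.randint(-spread, spread)}


def randomise_ages(records, seed, spread=3):
    """Apply noise to every record with a seeded generator so a run is reproducible."""
    rng = random.Random(seed)
    return [randomise_age(r, rng, spread) for r in records]


def equivalence_classes(records, quasi_identifiers):
    """Count records per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def singled_out(records, quasi_identifiers):
    """Pseudonyms of records whose quasi-identifier combination is unique in the set."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r["pseudonym"] for r in records
            if classes[tuple(r[q] for q in quasi_identifiers)] == 1]


def min_class_size(records, quasi_identifiers):
    """Smallest equivalence class; 1 means at least one record can be singled out."""
    return min(equivalence_classes(records, quasi_identifiers).values())


if __name__ == "__main__":
    print("raw, singled out:", singled_out(RECORDS, ("city", "age")))
    gen = [generalise(r) for r in RECORDS]
    print("generalised, singled out:", singled_out(gen, ("region", "age_band")),
          "min class size:", min_class_size(gen, ("region", "age_band")))
    print("noisy ages:", [r["age"] for r in randomise_ages(RECORDS, seed=42)])
```

On the raw records every (city, age) pair is unique, so all seven can be singled out; after generalisation to (region, age band) the smallest class holds two records. The noise step keeps the pseudonym and the other attributes, so linkability across data sets is not reduced by randomisation alone; that is why the measures are chosen per processing purpose rather than applied mechanically.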