Pseudonymisation Under GDPR
- Anjali Ruparelia
- Dec 1, 2017
Hello again. This week I am looking at how GDPR “relaxes” certain rules when we apply additional security measures to the PII data we hold, but only if we adopt certain techniques such as pseudonymisation.
To be clear, GDPR does not exempt any data that has been through the process of pseudonymisation, but it does recognise the reduced risk in data processing that comes from adopting this technique.
What is Pseudonymisation?
It is a method of processing data that prevents identification of the data subject without additional data. This additional data must be kept completely separate (note: this is not the same as data anonymisation, which is a different technique entirely).
A simple way to describe it is the process of replacing personal identifiers with code.
Can I see an example?
Let’s take the example of trying to identify the data subject “Anjali Ruparelia” using the following codes:
Using just the data above, you cannot identify which of those records belongs to “Anjali Ruparelia” (i.e. a natural living person). However, using the additional data it is possible to do so; in this case that additional data is a lookup table mapping the real identities to the pseudonyms.
You can now clearly identify “Anjali Ruparelia” under the pseudonym “I76c9q”.
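The mechanics of the example above, written out as an added Python illustration (this is not code from the original post): real identifiers are replaced with random codes, the pseudonym-to-identity lookup table is returned as a separate object that must be stored apart from the records, and re-identification is only possible with that table. The sample records and the `department`/`salary_band` fields are constructed for the demonstration. A second helper shows the keyed-hash (HMAC) variant, where the secret key plays the role of the separately held additional data.

```python
import hashlib
import hmac
import secrets
import string

# Alphabet for the random codes that replace real identifiers.
ALPHABET = string.ascii_letters + string.digits


def make_pseudonym(length=6):
    """Return a random code in the same shape as the post's 'I76c9q'.

    secrets.choice is used because the code must not be derivable from
    the record itself; a sequential counter would leak ordering.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def pseudonymise(records, id_field="name"):
    """Replace the identifying field in each record with a pseudonym.

    Returns (pseudonymised_records, lookup_table). The lookup table maps
    pseudonym -> real identifier and is the 'additional data' in the GDPR
    definition: it must be stored separately from the records, under its
    own access controls.
    """
    lookup = {}    # pseudonym -> real identifier
    assigned = {}  # real identifier -> pseudonym (one code per person)
    output = []
    for record in records:
        real = record[id_field]
        if real not in assigned:
            code = make_pseudonym()
            while code in lookup:  # guard against a (rare) collision
                code = make_pseudonym()
            assigned[real] = code
            lookup[code] = real
        new_record = dict(record)
        new_record[id_field] = assigned[real]
        output.append(new_record)
    return output, lookup


def reidentify(pseudonymised, lookup, id_field="name"):
    """Reverse the process; only possible with the separate lookup table."""
    restored = []
    for record in pseudonymised:
        new_record = dict(record)
        new_record[id_field] = lookup[record[id_field]]
        restored.append(new_record)
    return restored


def keyed_pseudonym(identifier, key, length=12):
    """Deterministic alternative: HMAC-SHA256 of the identifier under a
    secret key. Here the key is the separately held additional data. An
    unkeyed hash would not do, because names and e-mail addresses can be
    guessed and hashed by anyone to rebuild the mapping.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length]


# Constructed sample data for demonstration only.
SAMPLE_RECORDS = [
    {"name": "Anjali Ruparelia", "department": "Security", "salary_band": "C"},
    {"name": "Sample Person A", "department": "Finance", "salary_band": "B"},
    {"name": "Anjali Ruparelia", "department": "Security", "salary_band": "C"},
]


def demo():
    """Run the full round trip and return the pieces for inspection."""
    pseudo, lookup = pseudonymise(SAMPLE_RECORDS)
    restored = reidentify(pseudo, lookup)
    return pseudo, lookup, restored


if __name__ == "__main__":
    pseudo, lookup, restored = demo()
    print("Pseudonymised records (safe to process):", pseudo)
    print("Lookup table (store separately):", lookup)
    print("Round trip restores originals:", restored == SAMPLE_RECORDS)
```

The point the code makes concrete is that the pseudonymised records on their own carry no name, yet the same person always receives the same code, so analysis across records still works; whoever holds only the records cannot get back to “Anjali Ruparelia” without the lookup table (or, in the HMAC variant, the key).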
Why should I use a pseudonymisation technique if I am still subject to the full force of GDPR? What’s the point?
With the introduction of GDPR, data subjects have a number of rights, many of which I have discussed in more detail in previous blog posts; to name a few: the right of access, the right to rectification, the right to be forgotten and the right to data portability.
If the data controller (i.e. yourself) is using the pseudonymisation technique, GDPR allows the use of that data beyond the original purpose of collection, which you would not be allowed to do without adopting pseudonymisation.
Or you could argue that subject access requests (SARs) do not need to be complied with if the data subject is not identifiable. Similarly, the rights to deletion, rectification and portability can be argued against if you cannot identify the person.
In addition, the governing body is more likely to look favourably on this, as it demonstrates adherence to the “Privacy by Design” principle.
Bringing it all together…
There are a number of techniques available for protecting the data we hold, such as encryption, anonymisation, pseudonymisation, data masking, data aggregation and derived data, amongst others.
Data pseudonymisation is specifically mentioned under GDPR and allows the organisation to make the best use of the data, not just for the original purpose of collection but potentially beyond it. The ICO clearly sees this as a technique supporting the “Privacy by Design” principle and therefore relaxes certain rules.