In a world where our lives are increasingly online, keeping our personal details secure is one of the main concerns of both individuals using online services and legislators alike. This is one of the main reasons why European legislators are working hard to raise the standards for online data protection and the security of personal data. The General Data Protection Regulation (GDPR) which takes effect on 25th May 2018 consequently imposes a number of obligations on data controllers and processors in order to ensure that personal data is processed in an adequately secure manner. Data controllers and processors have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. How can this be achieved? There are a number of ways in which data controllers and processors can increase security surrounding personal data which they store and use, reducing the risk of data breaches. Two of these methods are the use of anonymisation and pseudonymisation.
The GDPR has expanded the scope of “personal data” beyond that defined by its predecessor, the Data Protection Directive. Whilst the actual definition of “personal data” has not changed;
“any information relating to an identified or identifiable natural person”
the definition of “identifiable person”, and “identifiability”, have been broadened, in turn meaning that more data now falls within the definition of personal data.
The definition of “identifiable person” under the Directive has been expanded under the GDPR;
Furthermore, the explanation of what constitutes “identifiability” has, in Recital 26 of the GDPR, been updated to include some additional factors.
The introduction of these “new” categories of data results in more data falling within the scope of the regulation and means that data controllers and processors must ensure that they understand what type of data they process, what obligations this imposes on them and what solutions they can consider using to address the compliance burden on their organisation.
Two possible such solutions suggested by the GDPR itself are anonymization and pseudonymisation.
Recital 26 states that “the principles of data protection should therefore not apply to anonymous information, that is […] data rendered anonymous in such a way that the data subject is not or no longer identifiable”. i.e. anonymization for the purposes of GDPR must be irreversible. Therefore, if organisations can completely anonymise all personal data they hold, they have a chance to eliminate their need for GDPR compliance. However, it could be argued that, given the difficulty in successfully rendering data 100% anonymous due to technological advances and highly intelligent data analytics tools now available, strict anonymization may is difficult to achieve and may actually be more onerous for organisations to achieve than compliance with the GDPR.
The GDPR introduces a new concept of “Pseudonymisation” which is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”.
So – how does one go about making data pseudonymous? In simple terms, pseudonymisation involves removing or hiding direct, and sometimes indirect, identifiers that could otherwise potentially be combined to reveal an individual’s identity. The identifiers must then be held somewhere secure and separate from the de-identified data. The only way to for the de-identified data to then become identifiable again is by linking these two together sets of data together, through the use of a key, or “pseudonym”.
Here lies the risk. A data breach may result in this linking “key” being found and used to link the identifiers to the de-identified data. Alternatively they may otherwise be linked - via a malicious act combining the identifiers, or other available information, with the de-identified information, rendering individuals once again identifiable. Therefore, if controllers are to use pseudonymisation, they must ensure they have appropriate technical and organisational measures in place to mitigate this risk as far as possible – such as encryption, and strict internal privacy policies. But how far do they need to go to protect this separated information?
As mentioned above, Recital 26 states that when determining whether someone is identifiable “…account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person, either directly or indirectly…” It then goes on to say that in order to ascertain what means are reasonably likely to be used, account should be taken of all objective factors such as the costs of and the amount of time required for identification, and taking into account available technology.
The inclusion of “reasonably likely” is in data controllers’ favour if a controller can show that he adequately protected or erased the key and the remaining identifiers are indirect and sufficiently low risk, he may have scope to argue that therefore there is no reasonable risk of re-identification. It will be interesting to see exactly how “reasonably likely” will be interpreted in different circumstances once the GDPR is in force.
Whilst pseudonymisation does not render data anonymous and therefore does not provide an exemption from the scope of the GDPR, it does reduce the risks associated with data processing while also maintaining the data’s utility. Because of this, organisations which implement pseudonymisation techniques enjoy various benefits under the GDPR. Incentives for organisations to use pseudonymisation include the following:
Therefore, whilst organisations are undertaking the necessary preparatory work before GDPR comes into effect in May and discussing how they are going to adequately protect the data which they process, they should certainly consider pseudonymisation of data as one step towards their compliance goals.
For more information on GDPR, contact firstname.lastname@example.org.