In a world where our lives are increasingly online, keeping our personal details secure is one of the main concerns of both individuals using online services and legislators alike. This is one of the main reasons why European legislators are working hard to raise the standards for online data protection and the security of personal data. The General Data Protection Regulation (GDPR) which takes effect on 25th May 2018 consequently imposes a number of obligations on data controllers and processors in order to ensure that personal data is processed in an adequately secure manner. Data controllers and processors have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. How can this be achieved? There are a number of ways in which data controllers and processors can increase security surrounding personal data which they store and use, reducing the risk of data breaches. Two of these methods are the use of anonymisation and pseudonymisation.
The GDPR has expanded the scope of “personal data” beyond that defined by its predecessor, the Data Protection Directive. Whilst the actual definition of “personal data” has not changed: “any information relating to an identified or identifiable natural person”, the definitions of “identifiable person” and “identifiability” have been broadened, in turn meaning that more data now falls within the definition of personal data.
The definition of “identifiable person” under the Directive has been expanded under the GDPR.
Furthermore, the explanation of what constitutes “identifiability” has, in Recital 26 of the GDPR, been updated to include some additional factors.
The introduction of these “new” categories of data results in more data falling within the scope of the regulation and means that data controllers and processors must ensure that they understand what type of data they process, what obligations this imposes on them and what solutions they can consider using to address the compliance burden on their organisation.
Two possible such solutions suggested by the GDPR itself are anonymisation and pseudonymisation.
Recital 26 states that “the principles of data protection should therefore not apply to anonymous information, that is […] data rendered anonymous in such a way that the data subject is not or no longer identifiable”, i.e. anonymisation for the purposes of the GDPR must be irreversible. Therefore, if organisations can completely anonymise all personal data they hold, they have a chance to eliminate their need for GDPR compliance. However, it could be argued that, given the difficulty in rendering data 100% anonymous in the face of technological advances and the highly capable data analytics tools now available, strict anonymisation is difficult to achieve and may actually be more onerous for organisations than compliance with the GDPR.
What is pseudonymisation?
The GDPR introduces a new concept of “Pseudonymisation” which is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”.
So – how does one go about making data pseudonymous? In simple terms, pseudonymisation involves removing or hiding direct, and sometimes indirect, identifiers that could otherwise potentially be combined to reveal an individual’s identity. The identifiers must then be held somewhere secure and separate from the de-identified data. The only way for the de-identified data to become identifiable again is by linking these two sets of data together, through the use of a key, or “pseudonym”.
Here lies the risk. A data breach may result in this linking “key” being found and used to link the identifiers to the de-identified data. Alternatively, the two sets may be linked via a malicious act combining the identifiers, or other available information, with the de-identified information, rendering individuals once again identifiable. Therefore, if controllers are to use pseudonymisation, they must ensure they have appropriate technical and organisational measures in place to mitigate this risk as far as possible – such as encryption, and strict internal privacy policies. But how far do they need to go to protect this separated information?
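As an added illustration of the technique described above (example code, not part of the original article), the following Python splits constructed sample records into a de-identified data set and a separately held lookup table, derives each pseudonym with a keyed HMAC so that a guessed name or e-mail address cannot reproduce it without the secret key, and shows that once the lookup table is erased the records can no longer be attributed to anyone. The record fields, names and key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample records (not from the article); "name" and "email" are the
# direct identifiers that pseudonymisation removes from the working data set.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "AB1 2CD", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.com",
     "postcode": "EF3 4GH", "diagnosis": "migraine"},
]
DIRECT_IDENTIFIERS = ("name", "email")

def make_pseudonym(key: bytes, record: dict) -> str:
    """Derive a pseudonym from the direct identifiers with HMAC-SHA256.
    A keyed MAC, not a bare hash: without the secret key nobody can recompute
    the pseudonym for a guessed name/e-mail and so link records to a person.
    Identifiers are normalised so one person always gets the same pseudonym."""
    ident = "|".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records: list, key: bytes) -> tuple:
    """Split records into (de-identified data set, separately held lookup table).
    The lookup table is the GDPR's "additional information": store it apart
    from the de-identified data, under its own access controls."""
    deidentified, lookup = [], {}
    for r in records:
        p = make_pseudonym(key, r)
        deidentified.append(
            {"pseudonym": p, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
        lookup[p] = {k: r[k] for k in DIRECT_IDENTIFIERS}
    return deidentified, lookup

def reidentify(deidentified: list, lookup: dict) -> list:
    """Re-attribute records to individuals using the separately held lookup table.
    Once that table has been erased a record maps to None: it can no longer be
    attributed to a data subject, the position Article 11 contemplates."""
    out = []
    for r in deidentified:
        ids = lookup.get(r["pseudonym"])
        attrs = {k: v for k, v in r.items() if k != "pseudonym"}
        out.append(None if ids is None else {**ids, **attrs})
    return out
```

The HMAC key and the lookup table are both "additional information" in the GDPR's sense, so each must be kept separate from the de-identified data and protected by its own controls.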
As mentioned above, Recital 26 states that when determining whether someone is identifiable “…account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person, either directly or indirectly…” It then goes on to say that in order to ascertain what means are reasonably likely to be used, account should be taken of all objective factors such as the costs of and the amount of time required for identification, and taking into account available technology.
The inclusion of “reasonably likely” is in data controllers’ favour: if a controller can show that he has adequately protected or erased the key and that the remaining identifiers are indirect and sufficiently low risk, he may have scope to argue that there is no reasonable risk of re-identification. It will be interesting to see exactly how “reasonably likely” will be interpreted in different circumstances once the GDPR is in force.
Why use pseudonymisation?
Whilst pseudonymisation does not render data anonymous and therefore does not provide an exemption from the scope of the GDPR, it does reduce the risks associated with data processing while also maintaining the data’s utility. Because of this, organisations which implement pseudonymisation techniques enjoy various benefits under the GDPR. Incentives for organisations to use pseudonymisation include the following:
- Individual Rights. In accordance with Article 11, if data controllers can demonstrate that the individuals about whom pseudonymised data is held are no longer identifiable (e.g. following successful complete deletion of the identifying information) – then the individual rights shall no longer apply (the rights of access, rectification, erasure, restriction of processing and data portability) consequently lightening the administrative burden on the controller. An exception exists where the data subject provides additional information enabling his or her identification.
- The purpose limitation principle. One data protection principle in the GDPR is that of purpose limitation, meaning that data can only be processed for specific purposes and not further processed in a manner incompatible with those purposes. The regulation sets out what constitutes compatibility for this purpose. One factor to be considered when ascertaining whether further processing for another purpose is indeed compatible with the purpose for which data was originally collected, is whether there are appropriate safeguards in place, including encryption or pseudonymisation. If pseudonymisation is used, there is less risk for individuals involved and consequently controllers using pseudonymisation may have more scope for further processing of data.
- Safeguard for processing personal data for scientific, historical and statistical purposes. Another exception to the purpose limitation principle is that data may be further processed for scientific, historical and statistical research as long as that data is processed with appropriate safeguards in accordance with this Regulation for the rights and freedoms of the data subject. To demonstrate such appropriate safeguards, controllers must adopt technical and organisational measures, and the example provided by the GDPR of such measures is that of pseudonymisation.
- “Data protection by design and default”. GDPR makes “data protection by design” a legal requirement. Stemming from this requirement, Article 25 requires controllers to implement appropriate safeguards “both at the time of the determination of the means for processing and at the time of the processing itself” meaning that privacy must be integral to data processing systems. When considering ways to comply with this requirement, controllers should consider pseudonymisation as an option.
- Security policy requirements and breach notification under the GDPR. Article 32 of the GDPR requires controllers and processors to implement technical and organisational measures to ensure security of data. The GDPR calls out pseudonymisation and encryption of data as methods to help achieve this. This is particularly important as Article 33 then goes on to impose a breach notification obligation on data controllers. This obliges controllers to notify certain personal data breaches to the supervisory authority within 72 hours of becoming aware of the breach. This notification obligation applies to data breaches unless the breach in question is unlikely to result in a risk to the rights and freedoms of an individual. Furthermore, if the data breach is likely to result in a high risk to the rights and freedoms of the data subject involved, the data controller must also inform the individual. However, as pseudonymisation mitigates the risk of harm to data subjects, its use may in some cases enable controllers to avoid some notification requirements (where pseudonymisation has sufficiently reduced the potential risk, potentially alongside other security measures).
- Recommendation that pseudonymisation is included in Codes of Conduct. Article 40 of the GDPR recommends that Member States, supervisory authorities, the Board and the Commission should encourage the creation and use of Codes of Conduct in relation to proper application of the GDPR. It lists 11 key areas which such Codes should cover, one of which is the pseudonymisation of personal data, confirming that it is seen as an important and useful tool within the new data protection framework.
Therefore, whilst organisations are undertaking the necessary preparatory work before GDPR comes into effect in May and discussing how they are going to adequately protect the data which they process, they should certainly consider pseudonymisation of data as one step towards their compliance goals.