According to the GDPR, pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Quite a mouthful. Let’s say you have a file with names and other personal data, and one department needs to use this file. Another department also needs to use the file but does not need the personal data in it. So you replace the personal data with, say, reference numbers, which are meaningless on their own. The only way to identify the personal data is by using another file which interprets the reference numbers. Needless to say, this ‘unlocking’ file must be held separately and securely.
It is important to note that anonymised data is not the same as pseudonymised data. If you delete all the personal data from a file, then that data is anonymised and the personal data cannot be re-identified. Remember too – the GDPR does not concern itself with anonymised data.
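The reference-number scheme described above, as an added example that is not part of the original article. The field names, sample records and function names are constructed for illustration; in practice the key table would be written to separate storage with its own access controls.

```python
import secrets

# Constructed sample records; field names are assumptions for this example.
RECORDS = [
    {"name": "Anna Jansen", "email": "anna@example.com", "dept": "Sales", "sick_days": 3},
    {"name": "Piet de Vries", "email": "piet@example.com", "dept": "IT", "sick_days": 0},
    {"name": "Anna Jansen", "email": "anna@example.com", "dept": "Sales", "sick_days": 2},
]
PII_FIELDS = ("name", "email")


def pseudonymise(records, pii_fields):
    """Split records into a working file (no PII) and a separate key table."""
    key_table = {}   # reference -> PII; the 'unlocking' file, stored apart
    seen = {}        # PII tuple -> reference, so one person keeps one reference
    working = []
    for rec in records:
        identity = tuple(rec[f] for f in pii_fields)
        ref = seen.get(identity)
        if ref is None:
            # Random, not derived from the data: a hash of a name can be
            # reversed by guessing names, a random token cannot.
            ref = secrets.token_hex(8)
            while ref in key_table:      # guard against a (very unlikely) collision
                ref = secrets.token_hex(8)
            seen[identity] = ref
            key_table[ref] = dict(zip(pii_fields, identity))
        row = {k: v for k, v in rec.items() if k not in pii_fields}
        row["ref"] = ref
        working.append(row)
    return working, key_table


def reidentify(row, key_table):
    """Restore PII for one row; only possible for whoever holds key_table."""
    restored = {k: v for k, v in row.items() if k != "ref"}
    restored.update(key_table[row["ref"]])
    return restored
```

The department that does not need personal data receives only `working`; rows for the same person still share a reference, so per-person analysis remains possible without the key table.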
Recital 28 tells us that applying pseudonymisation can reduce the risks to the data subjects concerned and help controllers and processors to meet their data protection obligations. The explicit introduction of pseudonymisation in the GDPR is NOT intended to preclude any other measures of data protection.
Furthermore, Recital 29 tells us about the GDPR 'incentivising' the introduction and deployment of pseudonymisation. Let us examine the ways:
Further Processing - according to Article 6 (4) - If the purpose for processing is not based on the data subject's consent, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, the controller shall take into account, inter alia: '(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation'.
Pseudonymisation as a safeguard - The GDPR provides an exception to the purpose limitation principle for data processing for archiving for purposes in the public interest, scientific or historical research purposes or statistical purposes. Article 89(1) requires controllers that process data for these purposes to implement 'appropriate safeguards.' Specifically, controllers must adopt technical and organizational measures to adhere to the data minimization principle. The only example the Regulation provides is for controllers to use pseudonymisation so that the processing 'does not permit or no longer permits the identification of data subjects.'
Data protection by design - Conceptually, data protection by design means that privacy should be a feature of the development of a product, rather than a bolt-on later in its lifespan. Article 25(1) calls for controllers to implement appropriate safeguards 'both at the time of the determination of the means for processing and at the time of the processing itself.' One way to achieve this is by pseudonymising personal data.
Data security - Article 32 - 'the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate: (a) the pseudonymisation and encryption of personal data.'
Article 11 - controllers do not need to provide a data subject with access, rectification, erasure or data portability if they can no longer identify that data subject.
And, Article 40 (2d) - Codes of Conduct - the GDPR encourages controllers to adopt codes of conduct that promote pseudonymisation.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018