Schedule a Call

Pseudonymisation: Not Your Average Anonymous Data

Featured Image
Pseudonymisation is literally a mouthful, a portmanteau derived from pseudo and anonymisation.  Apart from being a pronunciation challenge, it is a concept that appears repeatedly within the GDPR and it is important to any organisation that will be processing data beyond the introduction of the General Data Protection Regulation in May 2018.  It offers significant benefits to any organisation engaged in data processing, one key reason for its deployment is the ability to process data beyond the limits stated at the time of its collection. 

What is pseudonymisation?

Pseudonymisation is a process whereby personal data is stripped of its identifying components rendering the remainder anonymous.  It is not truly anonymous because the identifying data continues to exist on the data processors’ systems, and if access was gained to those systems, the individuals could be identified.

To give an example: it is estimated that 87% of individuals in the United States can be identified using only three pieces of information, their Zip code, their gender and their date of birth.  If you were intending to perform statistical analysis you could collect only zip codes and nothing else.  This would be anonymous data as no one could be identified from that data.

If on the other hand, you had collected names, zip codes, gender and date of birth information for the express purposes of providing a mailing list, under the GDPR you would be required to seek further consent (or a different lawful basis) for the sort of statistical analysis above.

An alternative would be to pseudonymise the data by extracting only the zip code data and analysing (processing) that.  This would be legal under the GDPR as the data being processed for this purpose would be incapable of identifying an individual, and no additional consent would be required.

With us so far?

For the data processor, pseudonymisation allows additional processing without the effort of gaining further consent.  For the individual, the data subject, their details remain safe and as far as the GDPR is concerned there is no unreasonable risk of their identity being revealed by this additional processing.

So… pseudonymised data isn’t anonymised data?

No, it isn’t, and it is important to realise this and understand why.  Anonymous data contains nothing that would allow an individual to be identified.  Importantly the data processor holds no additional data that would allow the identification of an individual.

Pseudonymised data does not itself contain anything that would allow an individual to be identified, but the data processor does hold additional data, which if added to the pseudonymised data, would allow individuals to be identified.

The difference then is really whether or not the data processor holds additional, identifying data.  It is very important that organisations understand the difference between the two and collect data and consent appropriately.

Why pseudonymise?

The ability to pseudonymise data has a number of advantages:

  1. You can process data beyond the original stated reason for its collection.
  2. It is an important safeguard when processing data for scientific, historical or statistical purposes.
  3. It is a central feature of “data protection by design” since it constitutes an enhanced security feature
  4. Under Article 32 of the GDPR it constitutes a risk reduction technique which could potentially reduce the danger of identification or harm from a data breach.
  5. It removes the requirement for the pseudonymised data to be portable, erasable or correctable.

Separating personal data into pseudonymous components reduces risk should a data breach occur, dependent on the nature and extent of the breach.

It is conceivable that a company could find that their use of pseudonymised data it is the difference between a notifiable breach and one that doesn’t require notification.  If only pseudonymised data was improperly accessed there would be no demonstrable risk to individual data subjects and the breach may not have to be notified to the Information Commissioner’s Office (ICO).

Similarly, if you are passing data to a third party for processing and only provide them with access to pseudonymised data, the risk involved to individuals is markedly reduced.

The removal of the requirement that pseudonymised data be portable, erasable or subject to correction may significantly reduce operational and system overheads where you are processing large amounts of data, as there would be no requirement to build the necessary facilities to perform these functions into your systems.

Any or all of these reasons could be significant to organisations looking to glean more value from the data they have collected, or simply as a technique to increase data security and improve public confidence in their practices.

Is it a Golden Bullet?

In a word, no.  In fact, it’s far from it.  It is unlikely that any company that anticipated substantial data processing would decide on a whim to start pseudonymising data.

It is far more likely and sensible that organisations would factor pseudonymisation into their data processing plans from the start.  The decision to employ pseudonymisation as part of their data processing procedures may well have a direct impact upon the lawful bases for processing and on the nature of consent sought from their customers.

If a company knows that they will want to perform statistical analysis of customer data they can either seek explicit consent for that processing at the point of collection or they can establish whether pseudonymising the data they collect will allow them to perform sufficient analysis with existing consent.

Such a decision may well have a significant impact upon the very nature of the processing operation, upon the steps required by the organisation to comply with the provisions of the GDPR and directly inform decisions made regarding overall data security and system design within the organisation.

Onestop is ready to assist and guide you to ensure both compliance and maximum efficiency from your IT systems.  Pseudonymisation is a powerful tool and its use has the potential to have a significant impact on an organisations plans and operating methodology.  It is vital that any organisation considering its use is quite clear about the advantages and disadvantages involved.

CONTACT US
#gdpr #it support
Share:

Related articles

How to Save Your Tech Budget: Top Tips To Save Your Budget
How to Save Your Tech Budget: Top Tips To Save Your Budget

It is common for businesses to view IT as an unnecessary cost, which is why the IT department is often given an incredibly low IT budget. However, in today's digital world, technology couldn't be more important for the development and growth of a business.
Everything you Need to Know About Regulatory Requirements
Everything you Need to Know About Regulatory Requirements

A regulatory requirement is a law or rule that businesses must adhere to in order to operate legally. There are many different regulatory requirements, and it is important for businesses to be aware of them all.
IT Solutions Edinburgh
IT Solutions Edinburgh

Our Edinburgh IT Solution services are just one part of the many vital areas your business can work with us to improve productivity, increase security, and reduce overall costs. A forward-thinking, highly motivated company like Onestop IT will take your business to the next level. 
Managed IT Support Edinburgh: How do I Know What’s Right for Me?
Managed IT Support Edinburgh: How do I Know What’s Right for Me?

With businesses relying on technology to empower their services, having reliable Managed IT Support in Edinburgh, Glasgow, Aberdeen and Central Scotland has never been more important.
Office IT Support in Scotland: Try It Now!
Office IT Support in Scotland: Try It Now!

With work from home and e-learning still very popular, having reliable Home Office IT Support in Scotland has never been more important...
Managed IT Support Aberdeen: How do I Know What’s Right for me?
Managed IT Support Aberdeen: How do I Know What’s Right for me?

Outsourcing IT Support Services in Aberdeen is a wise move for SMEs. There are numerous IT Support providers covering Aberdeen, Edinburgh, Glasgow and central Scotland areas and they all package their services in different ways. At Onestop IT we provide a wealth of products and support to meet the needs of our SME IT customers. Broadly speaking our IT Services divide into IT Support and Managed IT Services. We work with each customer to create an individual package of services that meets their needs, often pulling in elements of both IT Support and Managed Services.  
Managed IT Support Scotland: How do I Know What’s Right for Me?
Managed IT Support Scotland: How do I Know What’s Right for Me?

Outsourcing IT Support Services in Scotland is a wise move for SMEs. There are numerous IT Support providers covering Edinburgh, Aberdeen, Glasgow and central Scotland areas and they all package their services in different ways. At Onestop we provide a wealth of products and support to meet the needs of our SME IT customers. Broadly speaking our IT Services divide into IT Support and Managed IT Services. We work with each customer to create an individual package of services that meets their needs, often pulling in elements of both IT Support and Managed Services. 
Why Companies Should Outsource their IT Support
Why Companies Should Outsource their IT Support

Running a business is no easy task. You have to keep up with the latest IT trends and updates, be aware of any security vulnerabilities, and decide which software to use. This can sometimes feel like too much for one person or team, so it's understandable when businesses are sceptical about outsourcing IT support. But if you choose wisely, there are many benefits! This blog post will go over 5 reasons why IT support should be outsourced in favour of company growth and success. 
IT help desk: From Printer Troubleshooting to Accessing Shared Drives
IT help desk: From Printer Troubleshooting to Accessing Shared Drives

From printer troubleshooting to accessing shared drives: How our IT support team improves business continuity Troubleshooting an offline printer “We had one user calling us because their printer was showing up as offline. It’s generally frustrating for people when they can’t use the equipment in their offices, and printers tend to act up quote often. I resolved the issues within a timely manner by assigning a static IT for the device. This solution should also prevent the problem from reoccurring in the future so the client will be able to use their printer just fine from now on! I was happy to help as printer issues can take a while to troubleshoot if you don’t know exactly what to look for. This is a great example of what I call the magic behind the curtain as we are able to work in the background and use our experience to fix issues quickly.” – Michael F.
Why your Business Needs an IT Budget
Why your Business Needs an IT Budget

Why is preparing an IT budget within SMEs (small medium enterprises) essential? And, how can having a strategic budget propel your organisation towards success in the modern, competitive marketplace. Here, we delve into the main steps involved in creating an IT budget.
How to Create Asset Management Databases
How to Create Asset Management Databases

In this post, we examine how small and medium enterprises (SMEs) can develop and implement an IT asset database. We also discuss the reasons for having a computerised asset management system, what it should include and some of the issues that could arise without such business information to hand.
4 Surprising Facts About Office 365 & G Suite Backup
4 Surprising Facts About Office 365 & G Suite Backup

In the past few weeks, this blog has focused on the shortcomings of the built-in recovery measures of the G Suite and Office 365, highlighting the need for a third-party backup solution. There are a number of myths about cybersecurity and data backup surrounding these two cloud-based suites. People often use these misconceptions to convince themselves they don’t need an external backup solution for their data.

Related videos

Play button An Introduction into IT Support
An Introduction into IT Support

This video is an introduction to our IT Support page. Throughout the page you can find information about what an IT Support is, why you need it and how it benefits your business.
Play button How Much Does IT Support Cost?
How Much Does IT Support Cost?

Many people have a question about IT support. "How much does it cost?" IT support isn't just one price, but there are factors that will affect the cost of your service. Here's what you need to know!
Play button Why You Should Outsource Your IT Support
Why You Should Outsource Your IT Support

Are you looking for an IT company to help with your business? If so, you should know that outsourcing can be a great option! 1) You can focus on what you do best: running your company instead of worrying about technology. 2) It will free up time and resources because there are more people working on the same project. 3) Your tech solutions will always stay up-to-date and secure without any hassle or expense to yourself.
Play button In House vs Outsourced IT Support: Which One is Better?
In House vs Outsourced IT Support: Which One is Better?

In-house IT support sounds like a good idea, but it can come with some hidden costs. In this video I'll share the pros and cons of in-house vs outsourced IT support so you can decide which is best for your business.