Pseudonymisation: Not Your Average Anonymous Data

Pseudonymisation is literally a mouthful, a portmanteau derived from pseudo and anonymisation. Apart from being a pronunciation challenge, it is a concept that appears repeatedly within the GDPR, and it is important to any organisation that will be processing data beyond the introduction of the General Data Protection Regulation in May 2018. It offers significant benefits to any organisation engaged in data processing; one key reason for its deployment is the ability to process data beyond the limits stated at the time of its collection.

What is pseudonymisation?

Pseudonymisation is a process whereby personal data is stripped of its identifying components, so that what remains appears anonymous. It is not truly anonymous, however, because the identifying data continues to exist on the data processor’s systems, and if access were gained to those systems, the individuals could be identified.

To give an example: it is estimated that 87% of individuals in the United States can be identified using only three pieces of information: their zip code, their gender and their date of birth. If you were intending to perform statistical analysis you could collect only zip codes and nothing else. This would be anonymous data, as no one could be identified from it.

If on the other hand, you had collected names, zip codes, gender and date of birth information for the express purposes of providing a mailing list, under the GDPR you would be required to seek further consent (or a different lawful basis) for the sort of statistical analysis above.

An alternative would be to pseudonymise the data by extracting only the zip code data and analysing (processing) that.  This would be legal under the GDPR as the data being processed for this purpose would be incapable of identifying an individual, and no additional consent would be required.

With us so far?

For the data processor, pseudonymisation allows additional processing without the effort of gaining further consent.  For the individual, the data subject, their details remain safe and as far as the GDPR is concerned there is no unreasonable risk of their identity being revealed by this additional processing.

So… pseudonymised data isn’t anonymised data?

No, it isn’t, and it is important to realise this and understand why. Anonymous data contains nothing that would allow an individual to be identified. Importantly, the data processor holds no additional data that would allow the identification of an individual.

Pseudonymised data does not itself contain anything that would allow an individual to be identified, but the data processor does hold additional data, which if added to the pseudonymised data, would allow individuals to be identified.

The difference then is really whether or not the data processor holds additional, identifying data.  It is very important that organisations understand the difference between the two and collect data and consent appropriately.
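The split described above, shown as an added example that is not part of the original article: the identifying fields are replaced by a keyed pseudonym (an HMAC token, my choice, not something the article prescribes), the analysis dataset keeps only the zip code, and the pseudonym-to-identity mapping is the "additional data" the processor holds separately. The records and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample mailing-list records, as in the article's example.
MAILING_LIST = [
    {"name": "Alice Example", "zip": "02139", "gender": "F", "dob": "1984-03-02"},
    {"name": "Bob Example", "zip": "02139", "gender": "M", "dob": "1979-11-20"},
    {"name": "Carol Example", "zip": "94110", "gender": "F", "dob": "1991-07-15"},
]


def pseudonymise(records, key, keep_fields=("zip",)):
    """Split records into a pseudonymised dataset and a separately held key table.

    Each identity is replaced by an HMAC-SHA256 token under a secret key. The
    dataset keeps only keep_fields; the token -> identity mapping is the
    additional data that must be stored and protected apart from the dataset.
    """
    dataset, key_table = [], {}
    for rec in records:
        token = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        dataset.append({"pseudonym": token, **{f: rec[f] for f in keep_fields}})
        key_table[token] = {k: v for k, v in rec.items() if k not in keep_fields}
    return dataset, key_table


def reidentify(dataset, key_table):
    """Re-join the two halves. Only possible with access to the key table."""
    return [{**key_table[row["pseudonym"]], **row} for row in dataset]


def unique_combinations(dataset, fields):
    """Count rows whose combination of fields is unique within the dataset.

    A row unique on (zip, gender, dob) can be singled out without the key
    table, which is why the article keeps only the zip code for analysis.
    """
    counts = Counter(tuple(row[f] for f in fields) for row in dataset)
    return sum(1 for row in dataset if counts[tuple(row[f] for f in fields)] == 1)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept with the key table, never with the dataset
    dataset, key_table = pseudonymise(MAILING_LIST, key)
    print("analysis dataset:", dataset)
    print("re-identified via key table:", reidentify(dataset, key_table))
    print("rows unique on zip alone:", unique_combinations(dataset, ("zip",)))
```

Keeping gender and date of birth alongside the zip code would leave every constructed row uniquely identifiable even without the key table, which is the point of stripping them.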

Why pseudonymise?

The ability to pseudonymise data has a number of advantages:

  1. You can process data beyond the original stated reason for its collection.
  2. It is an important safeguard when processing data for scientific, historical or statistical purposes.
  3. It is a central feature of “data protection by design”, since it constitutes an enhanced security feature.
  4. Under Article 32 of the GDPR it constitutes a risk reduction technique which could potentially reduce the danger of identification or harm from a data breach.
  5. It removes the requirement for the pseudonymised data to be portable, erasable or correctable.

Separating personal data into pseudonymous components reduces risk should a data breach occur, dependent on the nature and extent of the breach.

It is conceivable that a company could find that its use of pseudonymised data is the difference between a notifiable breach and one that doesn’t require notification. If only pseudonymised data was improperly accessed there would be no demonstrable risk to individual data subjects, and the breach may not have to be notified to the Information Commissioner’s Office (ICO).

Similarly, if you are passing data to a third party for processing and only provide them with access to pseudonymised data, the risk involved to individuals is markedly reduced.

The removal of the requirement that pseudonymised data be portable, erasable or subject to correction may significantly reduce operational and system overheads where you are processing large amounts of data, as there would be no requirement to build the necessary facilities to perform these functions into your systems.

Any or all of these reasons could be significant to organisations looking to glean more value from the data they have collected, or simply as a technique to increase data security and improve public confidence in their practices.

Is it a Golden Bullet?

In a word, no.  In fact, it’s far from it.  It is unlikely that any company that anticipated substantial data processing would decide on a whim to start pseudonymising data.

It is far more likely and sensible that organisations would factor pseudonymisation into their data processing plans from the start.  The decision to employ pseudonymisation as part of their data processing procedures may well have a direct impact upon the lawful bases for processing and on the nature of consent sought from their customers.

If a company knows that they will want to perform statistical analysis of customer data they can either seek explicit consent for that processing at the point of collection or they can establish whether pseudonymising the data they collect will allow them to perform sufficient analysis with existing consent.

Such a decision may well have a significant impact upon the very nature of the processing operation, upon the steps required by the organisation to comply with the provisions of the GDPR and directly inform decisions made regarding overall data security and system design within the organisation.

Onestop is ready to assist and guide you to ensure both compliance and maximum efficiency from your IT systems. Pseudonymisation is a powerful tool and its use has the potential to have a significant impact on an organisation’s plans and operating methodology. It is vital that any organisation considering its use is quite clear about the advantages and disadvantages involved.