The explicit reference to ‘pseudonymisation’ in Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) has raised several questions about the impact and effect of pseudonymisation, about the nature of pseudonymised data, and about the suitability of the techniques currently in use.
Before the GDPR became applicable, the Article 29 Working Party had stated that pseudonymisation does not amount to anonymisation and outlined key pseudonymisation techniques. Following this, the European Union Agency for Cybersecurity (ENISA) shed further light on pseudonymisation under the GDPR. The report ENISA published a few weeks before the end of 2019 discusses pseudonymisation techniques, attacks and countermeasures. In this article, we look at the key messages of this report that data controllers and processors should bear in mind before selecting, implementing and testing pseudonymisation programmes. The report complements an earlier ENISA report of 2018 on the notion and main techniques of pseudonymisation under the GDPR.
The notion and benefits of pseudonymisation
According to Article 4(5) of the GDPR, pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and be subject to technical and organisational measures, so that the pseudonymised data cannot be attributed to an identified or identifiable natural person.
The GDPR does not mention specific pseudonymisation techniques but encourages data controllers and processors to apply pseudonymisation to enhance the protection of personal data. In particular, pseudonymisation is a security measure (Art. 32 of the GDPR) and also supports data protection by design (Art. 25 of the GDPR). Pseudonymisation helps to reduce the possibility of creating a link between a pseudonymised dataset and the holders of the pseudonyms, and thus to prevent re-identification. In particular, pseudonymisation could decrease the risk arising from data breaches where pseudonymised data are shared between controllers and/or processors. In addition, pseudonymisation reduces the risk of inference, singling out and discrimination, although it does not eradicate this risk. Moreover, pseudonymisation supports data minimisation, since organisations retain access to pseudonyms but not to the real identities of data subjects. Finally, pseudonymisation could be applied by data controllers, processors, third parties or the data subjects themselves.
Although pseudonymisation is meant to safeguard personal data, it also reduces data utility and, if it is ill-applied, it could result in the personal data held being inadequate for the declared purposes.
Key messages by ENISA
To prevent the adverse effects of pseudonymisation, as well as inconsistent techniques and approaches, there is a need for agreed standards and guidance. ENISA’s release of useful guidance on pseudonymisation, although rather technical, will certainly help data controllers and processors in implementing this technique. In particular, ENISA suggests that:
- There is no one-size-fits-all solution or silver bullet among pseudonymisation techniques. A risk-based approach is required to assess the required data protection and security level, the desired data utility, scalability needs, and the size, context and number of the data processing operations. For example, the nature of the personal data (e.g., IP addresses) and the number of entities involved in the processing could affect the choice of the appropriate technique.
- An important factor in selecting the appropriate pseudonymisation techniques relates to examining the dataset in its entirety and the implicit ability to link a set of pseudonyms and other data values that are joined into a dataset or combination of datasets.
- Producers of products, services and applications should provide data controllers and processors with relevant contextual information for the above risk assessments.
- In terms of protection, the stronger techniques, namely random number generators (RNG), message authentication codes (MAC) and encryption, may be more suitable.
- Regarding pseudonymisation policies, fully randomised pseudonymisation is the strongest policy.
- The desired or required level of data protection may require a combination of different approaches or variations of a selected approach.
- The organisation applying pseudonymisation should also implement a recovery mechanism. In particular, reversing the pseudonymisation may be necessary in the event of a personal data breach and in order to reply to requests from data subjects.
- The pseudonymisation secret should be protected with technical and organisational measures. For example, the pseudonymisation secret should be isolated from the dataset and securely deleted from any insecure channels and systems. Access to this element should be strictly authorised and tracked.
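To make the contrast between a MAC-based deterministic pseudonym and the fully randomised policy concrete, and to show what the "recovery mechanism" and the separately held "pseudonymisation secret" amount to in practice, here is an added illustration (not code from the ENISA report). The dataset, e-mail addresses and the secret key are constructed sample values; HMAC-SHA256 stands in for the MAC technique.

```python
import hmac
import hashlib
import secrets

# Constructed sample dataset: the e-mail address is the identifier to pseudonymise.
RECORDS = [
    {"email": "alice@example.org", "purchase": 42},
    {"email": "bob@example.org", "purchase": 17},
    {"email": "alice@example.org", "purchase": 8},
]


def deterministic_pseudonym(identifier: str, secret: bytes) -> str:
    """MAC-based (HMAC-SHA256) pseudonym. The same identifier under the same secret
    always yields the same pseudonym, so records of one person remain linkable.
    Without the secret, a pseudonym cannot be recomputed from a guessed identifier,
    which is why the secret must be stored apart from the dataset."""
    return hmac.new(secret, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class FullyRandomisedPseudonymiser:
    """Fully randomised policy: every occurrence of an identifier receives a fresh
    random pseudonym, so even two records of the same person are not linkable.
    The mapping table is the 'additional information' of Art. 4(5) and is the
    recovery mechanism; it must be kept separately from the pseudonymised data."""

    def __init__(self) -> None:
        self.mapping: dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        pseudonym = secrets.token_hex(16)  # 128 bits from a CSPRNG
        self.mapping[pseudonym] = identifier
        return pseudonym

    def recover(self, pseudonym: str) -> str:
        """Reverse lookup, e.g. for a breach notification or a data-subject request."""
        return self.mapping[pseudonym]


def pseudonymise_dataset(records, secret=None, randomiser=None):
    """Return a copy of the records with the identifier replaced by a pseudonym,
    using the deterministic MAC policy when a secret is given, otherwise the
    fully randomised policy of the supplied randomiser."""
    out = []
    for rec in records:
        if randomiser is not None:
            pseud = randomiser.pseudonymise(rec["email"])
        else:
            pseud = deterministic_pseudonym(rec["email"], secret)
        out.append({"pseudonym": pseud, "purchase": rec["purchase"]})
    return out
```

Running both policies over the same records shows the trade-off ENISA describes: the MAC policy keeps Alice's two purchases linkable (two distinct pseudonyms for three records), while the fully randomised policy yields three unrelated pseudonyms and can only be reversed through the separately stored mapping table.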
As highlighted by ENISA, pseudonymisation requires context-specific risk assessments. Trilateral’s advisors could help you assess whether pseudonymisation is required or desired and what techniques are the most appropriate for your organisation. Please visit our Data Governance and Cyber-Risk Service page and do not hesitate to contact one of our advisors.