While the GDPR sets forth stringent security requirements, it also provides guidance for fulfilling those requirements.
Pseudonymisation is one example of such guidance. If you’re unfamiliar with that term, here’s how the GDPR defines it:
“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
The GDPR identifies pseudonymisation as a mechanism that “can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”
However, it’s important to note that pseudonymised data is not anonymous data. Anonymous data can never be traced back to an individual, and as such, is not considered personal data by the GDPR.
Pseudonymised data, however, can theoretically be traced back to an individual. That risk is reduced because the different sets of information needed to re-identify an individual are stored in separate locations, but it is a risk to be aware of nonetheless.
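As an added illustration (not code from this article or from the GDPR itself), the Python sketch below shows one common way to pseudonymise records: a keyed HMAC replaces the direct identifier, and the key plus lookup table are the separately kept "additional information". The field names, sample records and the choice of HMAC-SHA-256 are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def normalise(identifier: str) -> str:
    """Canonical form, so one person always maps to one pseudonym."""
    return identifier.strip().lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: stable under one key, not computable without it."""
    digest = hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def pseudonymise_records(records, key, id_field="email"):
    """Split records into a working set and the 'additional information'.

    working: rows with the direct identifier replaced by a pseudonym.
    lookup:  pseudonym -> identifier; store it (and the key) in a separate
             system with its own access controls, never beside the working set.
    """
    working, lookup = [], {}
    for rec in records:
        pseudonym = pseudonymise(rec[id_field], key)
        lookup[pseudonym] = normalise(rec[id_field])
        row = {k: v for k, v in rec.items() if k != id_field}
        row["subject"] = pseudonym
        working.append(row)
    return working, lookup


def reidentify(row, lookup):
    """Succeeds only for a party that holds the separately stored lookup."""
    return lookup.get(row["subject"])


# Constructed sample records (not real data).
SAMPLE = [
    {"email": "Alice@example.com", "visit": "2024-01-03", "code": "A"},
    {"email": "bob@example.com", "visit": "2024-01-04", "code": "B"},
    {"email": "alice@example.com ", "visit": "2024-02-10", "code": "A"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice, held in a separate key store
    working, lookup = pseudonymise_records(SAMPLE, key)
    for row in working:
        print(row, "->", reidentify(row, lookup), "| without lookup:", reidentify(row, {}))
```

The working set still links both of one person's visits to the same pseudonym, which is why it remains personal data: anyone who obtains the lookup or the key can attribute the rows again.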
How Pseudonymisation Can Help Your Organization
In short, pseudonymisation is a way for your organization to achieve compliance with specific GDPR articles and add an extra layer of security to personal data.
For example, Article 25 suggests that pseudonymisation helps the organization to implement the data protection principle of data minimization. This helps meet the Article 25 requirement to protect the data as it is processed.
Basically, when you determine how you’ll process data, and when you actually process that data, you need to have sufficient security measures in place to protect it. The GDPR refers to this as “data protection by design and by default” and identifies pseudonymisation as a clear-cut way to accomplish it.
Additionally, pseudonymisation can provide a safeguard against the inherent risk of data processing.
Article 32 mandates that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” including “the pseudonymisation and encryption of personal data.”
Again, we see pseudonymisation identified as a clear winner for reducing risk to personal data.
Additionally, if you’re processing data “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,” this data is “subject to appropriate safeguards…in order to ensure respect for the principle of data minimization.”
Pseudonymisation is offered as a potential component of these safeguards, “provided that those purposes can be fulfilled in that manner.” (Article 89)
The GDPR encourages organizations to pay attention to their particular level of risk, but is not afraid to identify pseudonymisation as a potential means to reduce that risk.
What You Should Know About Pseudonymisation
Just because data has undergone pseudonymisation does not mean it is no longer subject to the strict processing requirements of the GDPR.
Article 26 states that “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”
So, while pseudonymisation can add a layer of security to data processing, the GDPR still specifies that it is personal data and should be treated as such.
GDPR compliance requires not just an understanding of its component parts, like pseudonymisation, but a clear understanding of the big picture of data security. LBMC’s GDPR compliance services can help you determine exactly how the GDPR applies to your organization and how you can prepare for it.