Last updated on 12 September 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Anonymization and pseudonymization are two important ways of protecting personal information within your organization.
These concepts have been central to EU data protection law for many years, but with strict privacy laws emerging in the U.S. and elsewhere, organizations all over the world should now be considering how best to integrate these practices into their operations.
In this article, we'll explain the differences between these two methods of data masking, how an Anonymization and Pseudonymization Policy can help protect personal information within your organization, and what such a policy should contain so you can create your own.
Anonymization and pseudonymization are two ways of processing personal information.
Anonymization and pseudonymization are not the same, as explained by the Article 29 Working Party, a now-retired working group that provided guidance on EU data protection law (at page 3 of the linked PDF):
Under EU law, anonymized data is not personal information, but pseudonymized data remains personal information.
Accordingly, anonymization means removing any references to an identifiable person from a data set, thus turning personal information into non-personal information.
Given the changing nature of technology, it is possible that some anonymized data sets might, one day, be subject to re-identification. However, this should not be reasonably possible in the current technological climate.
Anonymization is commonly used to depersonalize personal information before processing it for statistical purposes.
Pseudonymization is defined at Article 4 (5) of the GDPR:
A virtually identical definition appears at Section 1798.140 (r) of the California Consumer Privacy Act (CCPA):
There are several conditions inherent to this definition:
If any one of these conditions is not present, then pseudonymization has not taken place.
Maintaining an Anonymization and Pseudonymization Policy will help ensure you can demonstrate your compliance with the relevant laws and regulations, and it could reduce your liability under such laws.
Having a robust set of policies in place ensures everyone in your organization is on the same page when it comes to privacy and data protection, and this type of policy fits in well alongside them.
Your Anonymization and Pseudonymization Policy will ensure that your employees understand the high standards that apply when anonymizing personal information.
The concept of "anonymization" is often misunderstood and misapplied.
A relatively common misapplication of "anonymization" involves the use of individuals' initials in place of their full name. This method is unlikely to even meet the threshold for "pseudonymized" personal information, let alone "anonymized."
In the context of EU law, anonymization is an effectively irreversible process that prevents the identification of individuals (using current technology). This is a high threshold.
Your Anonymization and Pseudonymization Policy will ensure that your employees understand that the re-identification of individuals from pseudonymized personal information must be very unlikely without reference to additional information.
The Policy will also make clear that any additional information used to re-identify individuals must be stored separately from the personal information, and appropriate security measures and access controls must be applied to it.
As with anonymization, the threshold for pseudonymization is also relatively high.
To return to the example above, the use of an individual's initials in place of their full name would probably not meet the threshold for pseudonymization.
Your employees must also understand that pseudonymized data remains "personal information," and, therefore, it must be presented to individuals in an intelligible form if they request access to it.
Another key benefit of creating an Anonymization and Pseudonymization Policy is that it will help ensure employees are anonymizing personal information wherever possible and appropriate.
The benefits of anonymization are clear. The GDPR states that data protection law does not apply to anonymous data at Recital 26:
This is confirmed by the Article 29 Working Party (at page 5, here):
The CCPA does not explicitly refer to anonymization, but given that the law uses a very similar definition of "personal information," it is reasonable to assume that anonymized data also falls outside of the scope of the CCPA.
Because privacy law no longer applies to anonymized data, this means:
Note, however, that other laws and regulations may still apply to anonymized data.
An Anonymization and Pseudonymization Policy will ensure that your employees pseudonymize personal information whenever required.
The GDPR presents pseudonymization as a valid means of mitigating risks to privacy and fulfilling certain obligations to protect personal information. For example, at Recital 28:
At Article 25, pseudonymization is presented as a means by which to implement the principle of "data protection by design and by default":
Encrypting personal information also allows your company to escape liability for data breaches under some privacy laws (encryption being, under certain conditions, a form of pseudonymization).
For example, the New York Shield Act applies to businesses holding the "private information" of New York residents. Private information is defined as certain types of personal information that have not been encrypted. Therefore, it is possible that encrypting personal information could allow a business to escape the jurisdiction of this law altogether.
In addition to mitigating the risks once personal information has been compromised, pseudonymization also reduces the likelihood of a cyberattack. Ultimately, pseudonymous data is worthless to an attacker who does not have access to the additional information required to identify individuals.
Your reasons for using anonymization and pseudonymization will be specific to your organization. Therefore, every Anonymization and Pseudonymization Policy will be unique. However, here are some of the sections that are common to most Anonymization and Pseudonymization Policies, together with some examples from real organizations.
The "Scope" section of your Anonymization and Pseudonymization Policy explains whom the policy applies to and what activities it covers.
For example, your policy may apply to all members of staff and contractors, and it may apply to particular types of personal information or all personal information.
Here's an example of how to craft a "Scope" section from the Dundalk Institute of Technology:
Note that the policy applies whenever employees and third parties engage in the anonymization of personal information. When doing so, these parties must abide by the process and principles set out in the policy.
The "Purpose" section of your Anonymization and Pseudonymization Policy sets out the reasons for which the policy exists.
Broadly speaking, this is to protect personal information. But your policy may serve a more specific purpose within the context of your organization.
Here's an example of such a clause:
In addition to setting out the purpose of your policy, you may also wish to describe the purposes of anonymization and pseudonymization.
Here's an example that explains the benefits of anonymization to the reader:
Explaining the benefits of anonymization and pseudonymization will help ensure your employees adhere to your policy.
Your Anonymization and Pseudonymization Policy should provide definitions of anonymization and pseudonymization that are valid under the laws relevant to your organization. It should also define other terms commonly used throughout the policy.
Here's an example from Leicester City Council:
Your Anonymization and Pseudonymization Policy should explain who within your organization has responsibility for enforcing the policy and who is responsible for carrying out the processes of anonymization and pseudonymization.
Here's an example of how you can clearly set out different roles and responsibilities:
Your Anonymization and Pseudonymization Policy should set out a standardized process by which anonymization and pseudonymization must take place.
This is important to help ensure that your employees anonymize and pseudonymize personal information in a legally-compliant way.
The process will be largely specific to the context in which your organization operates, but there are certain standards that must nonetheless be met.
An effective anonymization process will make the re-identification of an individual from the anonymized personal information very unlikely.
The Article 29 Working Party provides a three-part test for assessing the effectiveness of an anonymization method.
Once the anonymization process has been carried out, the following three conditions should apply:
Here's an example of how to carry out effective anonymization, from Northumberland County Council:
The policy provides several methods of anonymization (referred to as "de-identification"), including using date ranges instead of age (e.g. 25-35 instead of 30).
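The range-instead-of-value approach described above, worked through in code as an added example (this is not the article's code nor Northumberland County Council's): it de-identifies a constructed record set by removing the direct identifiers outright, generalizing the remaining quasi-identifiers (exact age to a decade band, full postcode to its outward code), and then checking the result for the "singling out" risk that the Article 29 Working Party's test covers, by suppressing any record whose combination of generalized values is shared by fewer than K others. The record layout, the field names, the sample data and the K threshold of 2 are all assumptions made for the example; the bands are fixed decades (30-39) rather than the policy's 25-35 illustration.

```python
"""De-identification by generalization with a singling-out check.

Added example, not code from the article or from Northumberland County
Council's policy. Field names, the sample records and the K threshold are
constructed for illustration.
"""
from collections import Counter

# Constructed sample records: names, e-mail addresses and postcodes are made up.
RECORDS = [
    {"name": "Alice Smith", "email": "alice@example.com", "age": 30, "postcode": "NE61 1AA", "condition": "asthma"},
    {"name": "Bob Jones", "email": "bob@example.com", "age": 34, "postcode": "NE61 2BB", "condition": "diabetes"},
    {"name": "Carol White", "email": "carol@example.com", "age": 47, "postcode": "NE61 3CC", "condition": "asthma"},
    {"name": "Dan Brown", "email": "dan@example.com", "age": 41, "postcode": "NE61 4DD", "condition": "migraine"},
    {"name": "Eve Black", "email": "eve@example.com", "age": 58, "postcode": "NE65 9ZZ", "condition": "asthma"},
]

DIRECT_IDENTIFIERS = ("name", "email")      # removed outright
QUASI_IDENTIFIERS = ("age_band", "area")    # generalized, then checked as a group


def age_band(age: int, width: int = 10) -> str:
    """Replace an exact age with a fixed-width range, e.g. 30 -> "30-39"."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def outward_code(postcode: str) -> str:
    """Keep only the outward part of a UK postcode, e.g. "NE61 1AA" -> "NE61"."""
    return postcode.split()[0]


def de_identify(record: dict) -> dict:
    """Drop direct identifiers and generalize the quasi-identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(out.pop("age"))
    out["area"] = outward_code(out.pop("postcode"))
    return out


def singled_out(records: list, k: int = 2) -> list:
    """Return quasi-identifier combinations shared by fewer than k records.

    A combination held by only one record still singles that person out, so
    generalization on its own is not enough; the whole data set must be checked.
    """
    counts = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return [combo for combo, n in counts.items() if n < k]


def anonymize(records: list, k: int = 2) -> tuple:
    """De-identify, then suppress any record that can still be singled out.

    Returns (kept_records, number_suppressed).
    """
    deid = [de_identify(r) for r in records]
    rare = set(singled_out(deid, k))
    kept = [r for r in deid if tuple(r[q] for q in QUASI_IDENTIFIERS) not in rare]
    return kept, len(deid) - len(kept)


if __name__ == "__main__":
    kept, dropped = anonymize(RECORDS)
    for r in kept:
        print(r)
    print(f"suppressed {dropped} record(s) that could still be singled out")
```

On the sample data, the one person in the 50-59 band in area NE65 is unique after generalization and is suppressed; the other four records share their band-and-area combination with at least one other record and are kept. In practice the check is re-run whenever new attributes are added or the data set is joined to another one, since linkability to other data is the second part of the Working Party's test and a combination that is safe in isolation may not stay safe after a join.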
The process of pseudonymization must ensure that individuals can be re-identified, but only where necessary.
Some methods of pseudonymization include encryption, hashing, and tokenization. However, these measures must meet the conditions set out above before they can be considered pseudonymization methods.
For example, encrypted data is only pseudonymized if the encryption key is kept separately, securely, and with limitations on access.
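The key-separation condition above in code, as an added example that is neither the article's nor any cited policy's: records are pseudonymized by replacing the direct identifier with a token computed with HMAC-SHA256 under a secret key, and everything that can link a token back to a person (the key and the token-to-identifier table) lives in a separate, access-controlled component. `KeyCustodian` is a hypothetical stand-in for that separately stored "additional information"; the field names, the sample records and the "dpo" role name are assumptions made for the example.

```python
"""Pseudonymization with the re-identification key held separately.

Added example, not code from the article or from any policy it cites. The
KeyCustodian class, the field names and the sample records are constructed
for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records; e-mail addresses are made up. The first and
# third records are about the same person.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age": 30, "condition": "asthma"},
    {"email": "bob@example.com", "age": 34, "condition": "diabetes"},
    {"email": "alice@example.com", "age": 30, "condition": "migraine"},
]


class KeyCustodian:
    """Stands in for the separately stored, access-controlled "additional information".

    Holds the secret key and the token -> identifier lookup table. Everything
    that can link a token back to a person lives here and nowhere else.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}        # token -> original identifier
        self._authorized = set()  # principals allowed to re-identify

    def authorize(self, principal: str) -> None:
        """Grant a named role the right to re-identify (e.g. the data protection officer)."""
        self._authorized.add(principal)

    def tokenize(self, identifier: str) -> str:
        """Derive a stable token from an identifier with HMAC-SHA256 under the secret key.

        Same identifier + same key -> same token, so records about one person
        stay linkable; without the key the token can be neither recomputed nor
        reversed. Truncated to 128 bits, which is still ample for a subject id.
        """
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._lookup[token] = identifier
        return token

    def re_identify(self, token: str, principal: str) -> str:
        """The only path back to the person, gated by the access list."""
        if principal not in self._authorized:
            raise PermissionError(f"{principal} may not re-identify data subjects")
        return self._lookup[token]


def pseudonymize(records: list, custodian: KeyCustodian, identifier_field: str = "email") -> list:
    """Replace the direct identifier with a token; the rest of the record is unchanged."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = custodian.tokenize(copy.pop(identifier_field))
        out.append(copy)
    return out


if __name__ == "__main__":
    custodian = KeyCustodian()
    custodian.authorize("dpo")
    pseudonymized = pseudonymize(SAMPLE_RECORDS, custodian)
    for r in pseudonymized:
        print(r)
    print("re-identified:", custodian.re_identify(pseudonymized[0]["subject_id"], "dpo"))
```

Two points the code makes concrete. First, the key is what makes the tokens unrecomputable: a plain, unkeyed hash of an e-mail address would not meet the condition, because anyone holding the same hash function can reproduce it, so the key (not the algorithm) is the part that has to be stored separately and access-controlled. Second, the same key yields the same token for the same person, which is what keeps the pseudonymized records linkable and lets an authorized role re-identify them "only where necessary"; a party holding a different key, or no key, gets different tokens and no path back.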
Here's how Northumberland County Council describes some of the standards that must be met when pseudonymizing personal information:
Your Anonymization and Pseudonymization Policy should list the laws and regulations that apply when anonymizing and pseudonymizing personal information.
Depending on where your customers are based, such laws may include:
Here's an example from Cambridgeshire County Council:
The GDPR makes numerous references to data masking techniques such as anonymization and pseudonymization.
Here are some examples:
Article 5 - Data Processing
In Article 5, the GDPR states that personal data should be retained only as long as it is necessary to provide a service. After that, it may be retained if the data no longer permits the identification of individuals:
Article 25 - Data Protection by Design
In Article 25, the GDPR describes the requirement of businesses to take all reasonable measures to protect consumer data, by default and by design. It specifically mentions pseudonymization as a way to accomplish this:
GDPR Recital 26
In Recital 26, the GDPR specifies that certain data protection measures will not apply to anonymous information that can no longer identify a natural person:
Article 32 - Security of Processing
Security is a key point of the GDPR. Article 32 specifically mentions pseudonymization as an appropriate measure of security to protect the privacy of consumers:
Article 34 - Informing Data Subjects of a Data Breach
According to Article 34, a company must inform users of a high-risk data breach that affects them unless organizational protection measures have rendered the information unintelligible or unidentifiable - such as through pseudonymization or anonymization:
Data masking is not absolutely required by the GDPR. However, it is highly recommended. In fact, the regulation offers incentives for implementing data masking techniques.
Here's a graph from a Privacy Analytics white paper about the topic:
When it comes to the question of pseudonymization versus anonymization, the business must consider its applications and usage of personal data.
Here are some situations in which you may want to use anonymization instead of pseudonymization:
On the other hand, data pseudonymization can be used when you will need to re-identify users in the future:
Overall, both of these methods present advantages under the GDPR, but may not be feasible for certain data sets or applications. Do your research about all of the implications before performing any data masking measures.
An Anonymization and Pseudonymization Policy can help ensure your employees are properly applying these important information security techniques to protect personal information within your organization.
Some key parts of your policy should include:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.