11 February 2020
Ever since the GDPR recommended pseudonymization and anonymization as data security measures, these previously obscure concepts have become hot topics of discussion among business owners. In case you're still not sure what the difference is between the two, here are some definitions:
Pseudonymization - a data management procedure by which personally identifiable fields within a consumer data record are replaced by one or more artificial identifiers, or pseudonyms. The information needed to map a pseudonym back to the real identity (a key or a lookup table) is kept separately, so the record can be re-identified at a later date.
Anonymization - the process of removing or generalizing personally identifiable information in a data set so that the people whom the data describes can no longer be identified, and no key or mapping is kept that could undo it. Encrypting the identifiers is not anonymization: as long as a decryption key exists somewhere, the data is merely pseudonymized.
Both methods start by dealing with the fields that make a record attributable to an individual, such as name, address, or credit card number: pseudonymization replaces or encrypts them, while anonymization removes or generalizes them.
The difference between the two is that pseudonymization can be reversed. Using separately held information, such as an encryption key or a table mapping pseudonyms to identities, the controller can restore the identifiable fields when it needs to link the data back to an individual. For that reason, pseudonymized data is still personal data under the GDPR (Recital 26) and remains fully subject to it.
Once data has been properly anonymized, it can no longer be linked back to an individual by any means reasonably likely to be used, and no key or mapping is retained. Anonymization is permanent. Note that removing the direct identifiers alone does not achieve this: combinations of the remaining fields, such as postal code, date of birth and sex, can still single out a person when matched against another data set, so those quasi-identifiers have to be generalized or suppressed as well.
The GDPR refers to these data masking measures in several places, naming pseudonymization specifically.
Here are some examples:
In Article 5, the GDPR states that personal data may be kept in a form that permits identification of individuals for no longer than is necessary for the purposes of the processing (storage limitation). Data that has been anonymized no longer identifies anyone, so it can be retained beyond that point.
In Article 25, the GDPR requires businesses to implement appropriate technical and organisational measures to protect personal data, by design and by default. It specifically names pseudonymization as an example of such a measure.
In Recital 26, the GDPR states that its data protection principles do not apply to anonymous information, that is, information which does not relate to an identified or identifiable natural person. The same recital makes clear that pseudonymized data, which could be attributed to a person with the help of additional information, is still personal data.
Security is a key point of the GDPR. Article 32 lists pseudonymization and encryption of personal data among the measures appropriate to secure processing.
According to Article 34, a company must inform affected users of a breach that is likely to result in a high risk to them, unless it had applied protection measures that render the data unintelligible to anyone not authorised to access it, such as encryption. Pseudonymization with a key held separately from the breached data can qualify on the same basis, and properly anonymized data is not personal data at all, so its loss is not a personal data breach.
Data masking is not strictly required by the GDPR, but it is strongly encouraged. In fact, the regulation offers concrete incentives, such as the breach-notification relief in Article 34, for implementing these techniques.
Here's a graph from a Privacy Analytics white paper about the topic:
When choosing between pseudonymization and anonymization, the business must consider how it uses personal data and what it will need from it later.
Anonymization is the better choice when you will never need to identify the individuals again, since properly anonymized data falls outside the scope of the GDPR entirely.
Pseudonymization, on the other hand, is the right choice when you will need to re-identify users in the future. Bear in mind that the data then remains personal data and must still be protected, as must the key or mapping that reverses it.
Overall, both methods offer advantages under the GDPR, but one or the other may not be feasible for certain data sets or applications. Do your research on all of the implications before applying any data masking measures.