Pseudonymization, Anonymization and the GDPR

Pseudonymization, Anonymization and the GDPR

Ever since the GDPR recommended these data security measures, these previously obscure concepts have become hot topics of discussion among business owners. In case you're still not sure what the difference is between the two, here are some definitions:

Pseudonymization - a data management procedure by which personally identifiable information fields within a consumer data record are replaced by one or more artificial identifiers, or pseudonyms, which may be recalled at a later date to re-identify the record.

Anonymization - the process of either encrypting or removing personally identifiable information from data sets so that the people whom the data describes remain permanently anonymous.


Key Difference between Pseudonymization and Anonymization

Both methods involve masking personal data by removing or encrypting the data that makes it possible to link the information to an individual, such as name, address, or credit card number.

However, the difference between the two is that pseudonymization can be reversed. Using separately held information, such as an encryption key, one can retrieve the identifiable information when needed to link the data back to an individual.

Once data has been anonymized, however, it can never be linked back to an individual. Anonymization is permanent.

The GDPR and Data Masking

The GDPR makes numerous and specific mentions of data masking.

Here are some examples:

Article 5 - Data Processing

GDPR Info: Article 5: Principles relating to processing of personal data: Full text

In Article 5, the GDPR states that personal data should be retained only as long as it is necessary to provide a service. After that, it may be retained if the data no longer permits the identification of individuals.

Article 25 - Data Protection by Design

GDPR Info: Article 25: Data protection by design and by default: Full text

In Article 25, the GDPR describes the requirement of businesses to take all reasonable measures to protect consumer data, by default and by design. It specifically mentions pseudonymization as a way to accomplish this.

GDPR Recital 26

GDPR Info: Recital 26: Not applicable to anonymous data: Full text

In Recital 26, the GDPR specifies that certain data protection measures will not apply to anonymous information that can no longer identify a natural person.

Article 32 - Security of Processing

GDPR Info: Article 32: Security of Processing: Full text

Security is a key point of the GDPR. Article 32 specifically mentions pseudonymization as an appropriate measure of security to protect the privacy of consumers.

Article 34 - Informing Data Subjects of a Data Breach

GDPR Info: Article 34: Communication of a personal data breach to the data subject: Full text

According to Article 34, a company must inform users of a high-risk data breach that affects them unless organizational protection measures have rendered the information unintelligible or unidentifiable - such as through pseudonymization or anonymization.

Advantages of Data Masking

Data masking is not absolutely required by the GDPR. However, it is highly recommended. In fact, the regulation offers incentives for implementing data masking techniques.

Here's how:

  • Meeting security requirements: By using techniques like pseudonymization and anonymization, you will comply with the requirement that businesses implement all possible measures to protect consumer data. If it happens that your company is ever investigated for any reason, data masking will provide an additional safeguard if your data security protocols come into question.
  • Communicating data breaches: If your data has been anonymized, you will not be required to inform (anonymized) users of a data breach that affects their information. This is because there won't be any way the breached data can be linked back to the individual.
  • Complying with user rights: Once data has been anonymized permanently, you will no longer be expected to comply with user rights and demands, such as the consumer's right to be erased or the right to request a full copy of user data.
  • Moving personal information across international borders: Although it is unclear what level of pseudonymization is required to transfer data over international borders without following a mountain of policies and red tape, data masking could reduce the number of hoops one must jump through to transfer data to another country.

Here's a graph from a Privacy Analytics white paper about the topic:

Graph from Privacy Analytics white paper: Comparing the Benefits of Pseudonymization and Anonymization Under the GDPR

Which Data Masking Technique is Better?

When it comes to the question of pseudonymization versus anonymization, the business must consider its applications and usage of personal data.

Here are some situations in which you may want to use anonymization instead of pseudonymization:

  • If you no longer need to communicate or work with a consumer, but wish to archive their activity, order history, or any other details that could not be used to identify them.
  • To perform data analyses that are unrelated to the services you provide the consumer.
  • If you need to make data available to a group of people outside those that are designated to fulfill your services, such as a wide group of employees or consultants.

On the other hand, data pseudonymization can be used when you will need to re-identify users in the future:

  • To keep data secure during the fulfillment of services, by masking identifying details to employees or other data handlers that do not need those details.
  • To maintain data protection within your database or records, order histories, and inactive customers that you remain in contact with.
  • To transfer data over international borders.
  • To maintain data protection and Privacy by Design principles laid out by the GDPR.

Overall, both of these methods present advantages under the GDPR, but may not be feasible for certain data sets or applications. Do your research about all of the implications before performing any data masking measures.

Jaclyn K.

Jaclyn K.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.