GDPR: Pseudonymisation vs Anonymisation

Unlike the Data Protection Act, the new EU General Data Protection Regulation (GDPR) makes specific recommendations with regard to securing Personally Identifiable Information (PII). Pseudonymisation is one of these encouraged strategies, and there are a few misconceptions flying around about what pseudonymisation and anonymisation actually are and how they are covered in GDPR.

... and there is nothing like a new bit of legislation to bring some very long words into the vernacular!

Anonymisation

This is the process by which all references to the individual are removed from a data set, so that even if you cross-referenced it against another data source, you could not tie the data back to the individual. Importantly, the anonymisation process cannot be reversed.

Anonymised data is not PII and is therefore not within scope of GDPR. This can be used for any analysis or processing without the need for consent.

An example of anonymisation:

Original record containing PII:

Mr Joe Bloggs; DOB: 06/06/1966; Postcode: E1 1XX; Virgin Media Customer; A/C No: 123456; watched Sky Sports 1 on 09/08/2017 09:00-10:00

Anonymised record:

The simplest form of anonymisation is to completely obfuscate data. The information below may be useful to Sky Sports as it gives them viewing metrics, but that’s about all.

Xxxxxxx; watched Sky Sports 1 on 09/08/2017 09:00-10:00

An alternative is to categorise data into higher-level segments but ensure that there is no way to reverse the segmentation. This requires a degree of care: if, after reviewing all of the data and cross-referencing it against other data sources, a record could only point to one person, then it would be PII.

The following would be absolutely safe; there are probably thousands of Virgin Media customers aged 50-60, living in London, who watched Sky Sports 1 on that day:

Male; Aged: 50-60; living in London; Virgin Media Customer; watched Sky Sports 1 on 09/08/2017

The following would be less safe and you may want to consider further steps, especially if there were only 4 houses in Cow Close:

Male; Aged: 51; Living in Cow Close, London; Virgin Media Customer; watched Sky Sports 1 on 09/08/2017 at 09:00–10:00.
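
The cross-referencing check described above can be automated by counting how many records share each combination of identifying fields (often called a k-anonymity count, a term not used in the original article). This is an added example, not part of the original article; the records, field layout and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real data):
# (sex, exact age, street, city, programme watched)
RECORDS = [
    ("Male", 51, "Cow Close", "London", "Sky Sports 1"),
    ("Male", 58, "High Street", "London", "Sky Sports 1"),
    ("Male", 53, "Mill Lane", "London", "Sky Sports 1"),
    ("Female", 34, "Cow Close", "London", "Sky Sports 1"),
    ("Female", 37, "Mill Lane", "London", "Sky Sports 1"),
]

def age_band(age, width=10):
    """Generalise an exact age into a band such as '50-60'."""
    low = (age // width) * width
    return f"{low}-{low + width}"

def coarse(rec):
    """Segmented view: sex, age band, city (street dropped)."""
    sex, age, _street, city, _programme = rec
    return (sex, age_band(age), city)

def fine(rec):
    """Detailed view: sex, exact age, street, city."""
    sex, age, street, city, _programme = rec
    return (sex, age, street, city)

def smallest_group(records, view):
    """Size of the smallest set of records that look identical under `view`."""
    return min(Counter(view(r) for r in records).values())

def risky_groups(records, view, k):
    """Field combinations shared by fewer than k records."""
    counts = Counter(view(r) for r in records)
    return sorted(combo for combo, n in counts.items() if n < k)

if __name__ == "__main__":
    print("coarse view, smallest group:", smallest_group(RECORDS, coarse))
    print("fine view, smallest group:", smallest_group(RECORDS, fine))
    print("coarse groups below k=3:", risky_groups(RECORDS, coarse, 3))
```

A smallest group of 1 means at least one record points to a single person and needs further generalisation. A large group size on its own does not prove the data is anonymised, since other columns or outside datasets can still narrow it down.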

On a final note: IP addresses are now clearly defined as PII in GDPR and so any data that contains an IP address cannot be considered anonymised.

Pseudonymisation

This is a process by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms, to provide a level of security against data breach. There will, however, remain a link between datasets, which means you ‘could’ trace the data back to the PII. Whilst it provides a level of protection, it is important to recognise that pseudonymised data is still deemed PII under GDPR and is therefore in scope of the legislation and required controls.

An example of pseudonymisation:

Taking the above record, the simplest example of a pseudonymised record could be:

A/C No: 123456; watched Sky Sports 1 on 09/08/2017 09:00-10:00

Whilst on its own the above record does not contain any obvious PII, it is reasonable to assume that in another database there is a clear link between the account number and the account holder.

Ns Kpf Cmphht; Aged: 50-60; Living in London; Virgin Media Customer; watched Sky Sports 1 on 09/08/2017 09:00-10:00

Whilst the name has been tokenised (with a simple algorithm to be fair), this could be cross-referenced against another database with the key to reverse the algorithm, to identify that it was Joe Bloggs who should have been at work, rather than watching Sky Sports. Even replacing data with a randomised Primary Key reference still retains the link to the personal data and is therefore in scope.

Finally, additional controls are required in GDPR with regard to the highest risk data, or ‘Special Categories’, such as Ethnicity, Religious Beliefs, Trade Union Membership etc. Whilst I am sure that pseudonymising these categories of data will be encouraged, it does not remove the risk and the additional controls will still be mandated.
