The General Data Protection Regulation (GDPR) defines the term "pseudonymization" for the first time in EU law and mentions it as a specific protective measure. Despite the legal definition, there have been uncertainties in the past regarding its implementation in practice. For this reason, the European Data Protection Board (EDPB) published new guidelines on pseudonymization on 16 January, which are intended to provide greater clarity.
Pseudonymization in accordance with Art. 4 para. 5 GDPR
According to Art. 4 (5) GDPR, pseudonymization means "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information."
It is a measure that can reduce risks for data subjects and help controllers and processors to comply with their data protection obligations.
The EDPB guidelines are now intended to help data controllers meet their data protection obligations through technology design, data protection-friendly default settings and security.
Goals and advantages of pseudonymization
Pseudonymization reduces data protection risks such as unauthorized access or misuse and at the same time supports analyses without enabling the direct identifiability of the persons concerned.
It serves to minimize confidentiality risks, comply with the purpose limitation principle and increase transparency and security.
However, pseudonymized data remains personal if additional information enables an assignment. The EDPB writes in its guidelines: "Pseudonymized data that can be attributed to a natural person through the use of additional information is to be considered as information about an identifiable natural person and is therefore personal." This also applies if pseudonymized data and additional information are not held by the same person.
At the same time, the EDPB emphasizes that the GDPR does not provide for a general obligation to pseudonymize. Rather, it is up to the controller to decide on the means of fulfilling its obligations, taking into account the principle of accountability.
Reading tip: Anonymization of personal data - a practical guide
Measures for effective pseudonymization
According to the EDSA, three measures must be taken to carry out effective pseudonymization:
- Data modification, e.g. by removing identifiers: To do this, the data must be changed or converted.
- Access control: Additional information that allows personal data to be assigned to a specific data subject must be stored separately. This can be done using a pseudonymization key. This must be done separately from the persons who are to be prevented from such an assignment.
- Technical and organizational measures must be taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person. In particular, unauthorized use of the data must be prevented. To this end, it is advisable to set up a pseudonymization area that defines the framework conditions for data processing.
Pseudonymization is a flexible tool to promote data protection and enables data processors to comply with legal requirements, minimize risks and at the same time maintain the analytical capability of the data. However, its effectiveness depends to a large extent on careful implementation and analysis of the processing context.
In the new guidelines, the EDPB provides detailed recommendations for implementation based on specific practical examples. The guidelines will be made available for public consultation until February 28 in order to give interest groups the opportunity to comment and to take into account current developments in case law.
Source: Guidelines of the European Data Protection Board on pseudonymization
Find out how Ailance can help you to automatically anonymize and pseudonymize personal data. We are happy to advise you! Simply get in touch with us:
Phone: +1 (954) 852-1633
Mail: info@2b-advice.com