Menu
Call us
+31 (0) 85 0711080
Mail us
info@dpoconsultancy.nl
MenuClose

The European Data Protection Board (EDPB) has recently published its Guidelines on Pseudonymisation under the General Data Protection Regulation (GDPR). These guidelines provide critical insights into how pseudonymisation can be used effectively as a safeguard for data protection. Below, we unpack the key takeaways and their implications for organizations handling personal data.

What Is Pseudonymisation Under the GDPR?

Pseudonymisation is defined in Article 4(5) of the GDPR as the processing of personal data in a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures.

While pseudonymisation reduces the risks associated with data processing, it is important to note that it does not render the data anonymous. Pseudonymised data remains personal data and is therefore still subject to GDPR obligations.

Key Points from the EDPB Guidelines

  1. Enhanced Definition and Scope:
    • The guidelines clarify the distinction between pseudonymisation and anonymisation, emphasizing that pseudonymisation is a reversible process and, as such, cannot provide the same level of data protection as anonymisation.
    • Examples of pseudonymisation techniques include replacing direct identifiers (e.g., names or social security numbers) with codes or tokens and using cryptographic measures.
  2. Legal Basis for Processing Pseudonymised Data:
    • The EDPB reiterates that pseudonymisation does not exempt organizations from GDPR requirements. A valid legal basis for processing is still required.
    • Pseudonymisation can, however, enable organizations to rely on specific legal bases more securely, such as legitimate interests or scientific research.
  3. Technical and Organizational Measures:
    • The guidelines highlight the need for robust technical and organizational measures to ensure that pseudonymised data cannot be re-identified without authorized access.
    • Examples of such measures include:
      • Strong encryption techniques.
      • Access controls to segregate pseudonymised data from the additional information required to re-identify individuals.
      • Regular audits and testing of security measures.
  4. Benefits of Pseudonymisation:
    • Risk Reduction: Pseudonymisation can significantly reduce the risks to data subjects in case of a breach.
    • Compliance Flexibility: It can facilitate compliance with principles such as data minimization and purpose limitation by enabling secondary use of data for compatible purposes without excessive risk.
    • Cross-Border Data Transfers: Pseudonymisation can serve as an additional safeguard when transferring data to third countries, complementing other measures like Standard Contractual Clauses (SCCs).
  5. Use Cases and Practical Applications:
    • The guidelines provide practical examples of pseudonymisation in various sectors. For instance, in the healthcare sector, patient data can be pseudonymised by replacing names and dates of birth with unique codes. The mapping between the codes and the original identifiers is stored separately with strict access controls. This allows researchers to process medical data for studies while minimizing the risk of exposing patient identities.

Implications for Organizations

Organizations handling personal data should take the following steps to align with the EDPB’s guidance:

  • Assess Current Practices: Review existing data processing activities to identify opportunities for pseudonymisation.
  • Implement Strong Safeguards: Adopt robust technical and organizational measures to prevent unauthorized re-identification.
  • Document Compliance: Maintain thorough records of pseudonymisation processes, including the rationale for their use and the safeguards in place.
  • Train Employees: Ensure that staff members understand the distinction between pseudonymisation and anonymisation and are aware of the specific measures required for compliance.

Looking Ahead

The EDPB’s guidelines offer valuable clarity on pseudonymisation and its role within the GDPR framework. By implementing these practices, organizations can enhance data protection, reduce risks, and unlock opportunities for data innovation while remaining compliant with the GDPR.

As these guidelines come into effect, organizations are encouraged to stay updated and consult their Data Protection Officer (DPO) or privacy team to ensure compliance. By doing so, they can turn pseudonymisation from a compliance requirement into a strategic advantage.

For more insights on GDPR and data protection practices, feel free to reach out to our team or explore our resources.