Pseudonymisation is the GDPR’s “escape hatch”

If you’ve been reading about the EU General Data Protection Regulation (GDPR), you probably know that massive changes to the way organisations collect personal data will soon be made. The days of stashing away as much data as possible and using it as and when the need arises are gone, as the Regulation mandates that information can only be collected if it meets certain lawful bases.

But this leaves out one important proviso of the GDPR. Its requirements don’t fully apply to information that has been “rendered anonymous in such a manner that the data subject is […] no longer identifiable”. This refers to two practices. The first, anonymisation, removes all personal data from data sets. However, this has very limited use, which is why the second practice, pseudonymisation, is much more popular.

Pseudonymisation only replaces part of the data set. For instance, an individual might be given a new name, address or date of birth. Unlike anonymised data, pseudonymised data is still considered personal data and is therefore subject to the GDPR, but the damage and repercussions of a breach of pseudonymised data are much less severe. As a result, the Economist refers to pseudonymisation as the GDPR’s “escape hatch”.

Why pseudonymise data?

Pseudonymised data is particularly useful for testing new systems, evaluating patterns in surveys or any other instance where the data doesn’t need to be tied to a specific person.
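
As an added illustration (not part of the original article), the Python sketch below pseudonymises constructed survey rows by replacing the name and date of birth with a keyed HMAC token, so answers can still be grouped per respondent without showing who they are. The field names, sample rows and key are assumptions; the key is the additional information that has to be stored apart from the data set.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample survey rows; every name, date and answer is made up.
RECORDS = [
    {"name": "Alice Example", "dob": "1984-03-12", "region": "North", "answer": "yes"},
    {"name": "Bob Sample", "dob": "1990-11-02", "region": "South", "answer": "no"},
    {"name": "alice example ", "dob": "1984-03-12", "region": "North", "answer": "no"},
]

# Assumption for this example: these fields identify a person directly.
DIRECT_IDENTIFIERS = ("name", "dob")


def subject_token(key: bytes, row: dict) -> str:
    """Derive a deterministic pseudonym from the identifying fields.

    HMAC-SHA256 with a secret key is used instead of a bare hash so that
    someone holding only the data set cannot rebuild the mapping by hashing
    guessed names and birth dates.
    """
    # Normalise so trivial spelling differences map to the same subject.
    parts = [str(row[f]).strip().lower() for f in DIRECT_IDENTIFIERS]
    msg = "\x00".join(parts).encode("utf-8")
    # Truncated to 64 bits for readability in this demo.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return copies of the rows with direct identifiers replaced by a token."""
    out = []
    for row in records:
        kept = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": subject_token(key, row), **kept})
    return out


def answers_per_subject(rows):
    """Example analysis that works on pseudonymised rows alone."""
    return Counter(r["subject"] for r in rows)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-store-separately"  # placeholder, not a real secret
    for r in pseudonymise(RECORDS, demo_key):
        print(r)
```

Rotating or destroying the key breaks the link between tokens and people, while the remaining columns (region, answer) can still narrow down an individual and need their own review.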

High-profile organisations such as Apple, Google and Uber have begun pseudonymising data so that data analysts can use the information without worrying about data privacy. This practice will soon become more common as organisations take advantage of its benefits.

One benefit is that pseudonymised data isn’t subject to the Regulation’s requirements surrounding individuals’ rights. After all, organisations can’t comply with a right of access if they don’t know who the data belongs to. Even if they could, the data subject would receive information that is, naturally, inaccurate.

Additionally, organisations that pseudonymise data are permitted to use it for purposes other than those for which it was originally collected. The Regulation states that “the existence of appropriate safeguards, which may include encryption or pseudonymisation” gives organisations more flexibility with data use. However, other uses must be “compatible” with the initial purposes – the meaning of that term is outlined in Article 6(4) of the Regulation.

More information

You can learn more about pseudonymisation and the Regulation’s other requirements by reading our GDPR compliance guide.

This free green paper provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation and the areas that organisations need to focus on.

This green paper is also available in French, Italian and Spanish.
