Pseudonymisation under GDPR: EDPB’s Latest Guidelines
The European Data Protection Board (“EDPB”) has issued detailed guidelines, available here (the “Guidelines”), to clarify the use and benefits of pseudonymisation as a data protection measure under the GDPR. The Guidelines are open to public comment until 28 February 2025.
While the GDPR does not impose an obligation to use pseudonymisation, the Guidelines note that it may be required or recommended in certain circumstances under national law and it is otherwise a popular method for controllers seeking to safeguard personal data and to fulfil the controller’s data protection obligations. This briefing summarises some of the key information contained in the Guidelines.
What is Pseudonymisation?
Pseudonymisation is defined in Article 4(5) GDPR as “the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
The desired effect of pseudonymisation is to control the attribution of personal data to specific data subjects by denying this ability to some persons or parties. To achieve the desired effect, controllers need to modify or transform the data. Pseudonymisation will often be reversible so that the original data can be obtained as and when needed.
Importantly, pseudonymised data which may be attributed to a natural person by the use of additional information remains personal data under the GDPR. Its processing must therefore still comply with data processing obligations under the GDPR, including Article 5 containing the principles of data processing and the requirement in Article 6 to have a legal basis for the processing.
Objectives and Advantages of Pseudonymisation
Risk Reduction: Pseudonymisation reduces confidentiality risks by preventing the disclosure of direct identifiers and mitigating the severity of unauthorised access. It also reduces the risk that personal data is further processed in a manner that is incompatible with the purposes for which it was collected, as well as risks to the accuracy of the data. The Guidelines helpfully note that the risk reduction effect of pseudonymisation may allow a controller to rely on legitimate interest under Article 6(1)(f) GDPR where they might otherwise be unable to do so, and that it helps to guarantee an essentially equivalent level of protection for personal data that is intended to be exported.
Data Analysis: The Guidelines indicate that pseudonymisation can be useful as it allows for the analysis of data while protecting the identity of data subjects, enabling the linkage of various records without revealing personal information.
The ‘Pseudonymisation Domain’
The Guidelines introduce the concept of a pseudonymisation domain, which is the context within which pseudonymisation precludes the attribution of data to specific data subjects. This domain can be defined by the controller and may include specific organisational units or external recipients.
Compliance with Data Protection Requirements
Although well known to practitioners, the Guidelines helpfully acknowledge that pseudonymisation helps in adhering to data protection principles such as data minimisation, confidentiality, and purpose limitation. It also assists in complying with data protection by design and by default requirements, in ensuring a level of security appropriate to the risks associated with the data processing, and serves as a supplementary measure for third country data transfers.
Other Related Implications
Implications for Data Subject Rights: Since pseudonymised data is still considered personal data, the rights of data subjects under GDPR apply. However, if the controller cannot identify the data subject without additional information, the Guidelines indicate that certain rights may not apply unless the data subject provides additional information enabling their identification.
Unauthorised Reversal of Pseudonymisation: The Guidelines also note that any breach of security leading to the unauthorised reversal of pseudonymisation constitutes a personal data breach.
Technical Measures and Safeguards for Pseudonymisation
To ensure the effectiveness of pseudonymisation, technical and organisational measures should be implemented. The Guidelines are unusually technical and detailed in this regard, but in summary indicate that:
- Pseudonymising Transformation - This involves modifying original data to prevent attribution to specific data subjects without additional information. Common methods include cryptographic algorithms and lookup tables.
- Preventing Unauthorised Attribution - To prevent the unauthorised attribution of pseudonymised data, measures should be taken in three directions. First, the pseudonymising transformation should be protected against reversal by choosing a suitable design and ensuring an appropriate level of security for the pseudonymisation secrets. Second, quasi-identifiers should be appropriately handled. Third, data controllers should ensure that their assumptions about the scope of the pseudonymisation domain, about the use of pseudonymised data and about the accessibility of relevant information sources within it are met.
- Controlling the Scope for the Linkage of Pseudonymised Data - The pseudonymisation domain should be properly secured and separated from additional information.
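The three measures above can be seen together in a short sketch. This is an added example, not code from the Guidelines or from this briefing. It assumes HMAC-SHA256 as the cryptographic algorithm, one secret key per pseudonymisation domain, and hypothetical domain names, field names and sample records constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Pseudonymisation secrets: one key per pseudonymisation domain (assumed design).
# Generated here for the demo; in practice held apart from the pseudonymised data.
DOMAIN_KEYS = {
    "internal-analytics": secrets.token_bytes(32),
    "external-research": secrets.token_bytes(32),
}

def normalise(identifier: str) -> str:
    return identifier.strip().lower()

def pseudonym(domain: str, identifier: str) -> str:
    """Keyed transformation: cannot be recomputed without the domain's key."""
    msg = normalise(identifier).encode("utf-8")
    return hmac.new(DOMAIN_KEYS[domain], msg, hashlib.sha256).hexdigest()[:32]

def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers: birth date to year, postcode to area prefix."""
    return {"birth_year": record["birth_date"][:4],
            "postcode_area": record["postcode"][:3]}

def pseudonymise(domain: str, record: dict, lookup: dict) -> dict:
    """Build the record released into `domain`. The reverse mapping goes into
    `lookup`, the additional information that stays with the controller."""
    pid = pseudonym(domain, record["email"])
    lookup[(domain, pid)] = normalise(record["email"])
    return {"pid": pid, **generalise(record), "diagnosis": record["diagnosis"]}

def reidentify(domain: str, pid: str, lookup: dict):
    """Authorised reversal: needs the separately held lookup table."""
    return lookup.get((domain, pid))

# Constructed sample records: the first two belong to the same data subject.
RECORDS = [
    {"email": "alice@example.org", "birth_date": "1984-03-17",
     "postcode": "D02 X285", "diagnosis": "asthma"},
    {"email": "Alice@Example.org ", "birth_date": "1984-03-17",
     "postcode": "D02 X285", "diagnosis": "hay fever"},
    {"email": "bob@example.org", "birth_date": "1990-11-02",
     "postcode": "T12 AB34", "diagnosis": "migraine"},
]

if __name__ == "__main__":
    table = {}
    for rec in RECORDS:
        print(pseudonymise("internal-analytics", rec, table))
```

Records for the same person link within one domain because they share a pseudonym, while the same person receives an unrelated pseudonym in a second domain, so recipients in different domains cannot join their data sets on it.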
Examples of Pseudonymisation
The Guidelines provide several real-world examples illustrating the use and benefits of pseudonymisation, including:
- Internal Analysis: Ensuring compliance with data minimisation and confidentiality principles while performing quality control on medical advice dispensed by an app.
- Separation of Functions: Minimising access to employee data while verifying the identity and qualifications of employees for subsidy applications.
- External Analysis: Retaining the link between data and data subjects while ensuring data minimisation and purpose limitation in the course of external analysis.
- Research: Collecting and linking data from independent sources for research purposes while preventing attribution to data subjects by employees of the data centre and research groups.
How can we help?
Pseudonymisation is a valuable tool for reducing risks to data subjects and meeting data protection obligations under the GDPR.
For further guidance on pseudonymisation in your organisation, please contact one of the key contacts below, or your usual contact at McCann FitzGerald.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.