Personal Data Deindetification: Pseudonymization
GDPR has certainly been a main headline in the news recently, but many are still confused about what it is, why they need to be in compliance, and how to get there. The GDPR, or General Data Protection Regulation, offers many guidelines for companies to become compliant with these new laws (which are going into effect at the end of May 2018).
In the GDPR, it is explicitly recommended that companies practice pseudonymization for the personal data they store. This is only one of several recommended ways for companies to reduce the risk of data leaks. This tactic enhances privacy while also making it easier for organizations to process the personal data they store in a way that goes beyond the original data collection purposes.
Pseudonymization for GDPR
Pseudonymization is used to reduce the chances that a personal data record and its identifiers lead to the identification of the data subject (person) who that data belongs to. Identifiers enable a person with a data set to identify a data subject. Thus, pseudonymization works by replacing most identifying fields of a record with one or more pseudonyms, which are "fictional identifiers". These fictional identifiers could be codes, data strings that appear real but are not, randomly generated tokens, and so on.
With this method, you greatly decrease the chances of anyone being able to identify the original subject based on the pseudonymized record. With pseudonymization, you only use real data where real data is needed. Your database will need to be classified and analyzed to remove any sensitive data that will not be needed by your organization.
As you likely already know, the GDPR is requiring organizations to explicitly justify their reasoning behind each piece of data they collect and store. Organizations will also now be required to limit their usage of data to what they have explicitly stated the data will be used for when the person provided them with that data. However, with pseudonymization and other techniques that work to de-link a data record from a data subject, organizations will have more freedom to use this data.
In this way, pseudonymization enables organizations to use the data they have at their disposal more safely and more extensively with less worry about the privacy of the data subject, since some (or even all) of the sensitive and identifying data has been changed, generalized, or removed.
Of course, it is important for organizations to keep in mind that this method is not the easiest solution in many circumstances. Although it is recommended, it can be difficult to implement, especially with organizations now scrambling to be in compliance with GDPR. This is a method to keep in mind for future purposes, though.
Numerous methods of pseudonymization are available on the market, and they come at a variety of different price points and security guarantees. They can also slow down processes. Organizations need to consider the sensitivity of the data they are process (de-pseudonymization is possible) and the impact this method will have on assessing their data subjects.
The GDPR marks the first time pseudonymization is being introduced to the European Union's data protection and privacy laws. However, this is unlikely to be your organization's ticket to GDPR compliance in itself. This, like all data security methods, should be combined with other techniques to give your organization a more complete and balanced approach to data security and privacy.
Finally, educate yourself on the GDPR myths. One of the biggest ones right now is that, so long as you have encryption and pseudonymization in place, you're good to go. That's simply not the case.
Be certain that your organization has thoroughly reviewed all of the GDPR guidelines and that you will be in compliance when it officially begins. The GDPR guidelines have far-reaching boundaries and extensive compliance regulations, along with extensive fines for those who fail to be in compliance.
Most Recent Articles
- A beginner-friendly intro to the Correlator for effective cybersecurity detection
- Inotify in ASAB Library
- From State Machine to Stateless Microservice
- Entangled ways of product development in the area of cybersecurity #3 - LogMan.io
- Entangled ways of product development in the area of cybersecurity #2 - BitSwan
You Might Be Interested in Reading These Articles
Personal Data Deindetification: Data masking (or suppression)
Data masking (or suppression) represents the de fact standard of pseudonymisation. Pseudonymisation is a critical part of GDPR compliance although there are no explicit GDPR pseudonymisation requirements. The regulation vaguely states that businesses must enforce safeguards and security measures to protect all consumer data that they handle. The GDPR refers to pseudonymization and encryption as “appropriate technical and organizational measures.
Published on June 11, 2018
TeskaLabs has become a leader of Mobile Healthcare applications in the Health (in) Future Platform
Cellphone instead of a filing cabinet. Until quite recently, doctors at the IKEM hospital in Prague needed to perform photo documentation by first taking pictures with a digital camera, and then downloading and/or uploading them via a computer network to patient cards. A solution to this tedious and time-consuming practice was made possible through the use of mobile scanning technology.
Published on December 10, 2019
TeskaLabs helps LINET with cyber security compliance for medical devices
LINET is a major European manufacturer of hospital and nursing beds. The company´s portfolio includes solutions designed for intensive care, products for regular in-bed treatment, and also special beds for retirement homes and long-term care facilities.
Published on October 16, 2020