Personal Data Deidentification: Pseudonymization
GDPR has been a recurring headline recently, but many organizations are still unsure what it is, why they must comply, and how to get there. The GDPR, or General Data Protection Regulation, is the EU regulation that replaces the 1995 Data Protection Directive and applies from 25 May 2018; it sets out the obligations organizations must meet when they process personal data.
The GDPR explicitly names pseudonymization as an appropriate safeguard for the personal data organizations store, and it defines the term (Article 4(5)) as processing that prevents the data from being attributed to a specific person without additional information that is kept separately. It is only one of several recommended ways to reduce the impact of a data breach. It enhances privacy while also making it easier for organizations to process the personal data they hold for purposes beyond the ones the data was originally collected for.
Pseudonymization for GDPR
Pseudonymization is used to reduce the chance that a personal data record and its identifiers lead to the identification of the data subject (the person the data belongs to). Identifiers are the fields that let someone holding a data set single out a data subject. Pseudonymization therefore replaces the directly identifying fields of a record with one or more pseudonyms, "fictional identifiers" that stand in for the real values. These can be codes, strings that look real but are not, randomly generated tokens, or keyed cryptographic hashes of the original value. The mapping from pseudonym back to the real value (or the key used to derive it) is the "additional information" the GDPR refers to, and it has to be stored separately from the pseudonymized data and protected by its own technical and organizational measures.
With this method, you greatly decrease the chance that anyone holding only the pseudonymized record can identify the original subject. You use real data only where real data is needed. This requires classifying and analyzing your database first: fields that directly identify a person are pseudonymized, fields that narrow a person down (birth date, postal code) are generalized or removed, and sensitive data the organization does not actually need is dropped altogether.
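The mechanism described above, as an added example that is not part of the original article: a small Python routine that replaces the directly identifying fields of a record with keyed tokens, generalizes a quasi-identifier, and keeps the token-to-value mapping in a separate lookup table so the record can be re-identified only by whoever holds that table. It also shows why an unkeyed hash is a poor pseudonym: the low-entropy values it is usually applied to (e-mail addresses) can be recovered by simply hashing guesses. The records, field names, and the demo key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records for this example; not real people.
RECORDS = [
    {"name": "Alice Novak", "email": "alice@example.com", "dob": "1984-03-12", "diagnosis": "J45"},
    {"name": "Bob Dvorak", "email": "bob@example.com", "dob": "1979-11-02", "diagnosis": "E11"},
    {"name": "Alice Novak", "email": "alice@example.com", "dob": "1984-03-12", "diagnosis": "I10"},
]

DIRECT_IDENTIFIERS = ("name", "email")          # replaced by pseudonyms
QUASI_IDENTIFIERS = {"dob": lambda v: v[:4]}   # generalized: full date -> year only

# Demo key for the example only. In practice generate it with secrets.token_bytes(32)
# and keep it (and the lookup table) apart from the pseudonymized data set.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token: the same input always yields the same token, so
    records of one person stay linkable, but producing or checking a token needs the
    key. The field name is mixed in so equal strings in different columns differ."""
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Return (pseudonymized records, lookup table). The lookup table is the
    'additional information' that must be held separately from the output."""
    lookup = {}
    out = []
    for rec in records:
        p = dict(rec)
        for f in DIRECT_IDENTIFIERS:
            tok = pseudonym(key, f, rec[f])
            lookup[(f, tok)] = rec[f]
            p[f] = tok
        for f, generalize in QUASI_IDENTIFIERS.items():
            p[f] = generalize(rec[f])   # lossy on purpose; not restored below
        out.append(p)
    return out, lookup


def reidentify(pseudo_rec, lookup):
    """De-pseudonymization: restore the direct identifiers from the separate table."""
    rec = dict(pseudo_rec)
    for f in DIRECT_IDENTIFIERS:
        rec[f] = lookup[(f, pseudo_rec[f])]
    return rec


def unkeyed_hash(value: str) -> str:
    """What many 'just hash it' schemes do: anyone can recompute this."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def dictionary_attack(tokens, candidates, token_fn):
    """Recover values by tokenizing guesses and matching them against the tokens.
    Succeeds against unkeyed hashes of guessable values; fails against keyed tokens
    because the attacker cannot compute token_fn with the right key."""
    table = {token_fn(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    pseudo, lookup = pseudonymize(RECORDS, DEMO_KEY)
    for p in pseudo:
        print(p)
    print(reidentify(pseudo[0], lookup))
    guesses = ["alice@example.com", "carol@example.com"]
    print(dictionary_attack([unkeyed_hash(r["email"]) for r in RECORDS], guesses, unkeyed_hash))
    print(dictionary_attack([p["email"] for p in pseudo], guesses, unkeyed_hash))
```

Two records for the same person receive the same tokens, so analysis that needs to link a person's records still works on the pseudonymized set; the diagnosis column is left untouched because it is the data the organization actually needs to process. Generalizing the birth date to a year is deliberately lossy and is not reversed by reidentify, which is the point of generalization as opposed to pseudonymization.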
As you likely already know, the GDPR requires organizations to state a lawful basis and a purpose for each piece of personal data they collect and store. Organizations must also limit their use of that data to the purposes they stated when the person provided it. Pseudonymization and other techniques that de-link a data record from a data subject are factors the regulation allows organizations to weigh when assessing whether a further use is compatible with the original purpose, so they give organizations more room to use the data they already hold.
In this way, pseudonymization lets organizations use the data at their disposal more safely and more extensively, with less risk to the privacy of the data subject, since some (or even all) of the sensitive and identifying data has been replaced, generalized, or removed.
Of course, organizations should keep in mind that this method is not the easiest solution in many circumstances. Although it is recommended, it can be difficult to implement, especially for organizations now scrambling to be in compliance with GDPR. It is nevertheless a method to plan for.
Numerous pseudonymization products and methods are available, at a variety of price points and with different security guarantees, and they can slow down processing. Organizations need to consider the sensitivity of the data they process and the fact that pseudonymization is reversible: anyone who obtains the mapping table or the key can de-pseudonymize the records. For that reason the GDPR still treats pseudonymized data as personal data, and the mapping has to be protected as carefully as the original data set. Organizations also need to assess how pseudonymization affects their ability to recognize and serve individual data subjects, for example when answering an access or erasure request.
The GDPR is the first EU data protection law to define pseudonymization. However, it is unlikely to be your organization's ticket to GDPR compliance in itself. Like every data security method, it should be combined with other controls to give your organization a more complete and balanced approach to data security and privacy.
Finally, educate yourself on the GDPR myths. One of the biggest ones right now is that, so long as you have encryption and pseudonymization in place, you're good to go. That's simply not the case.
Be certain that your organization has thoroughly reviewed all of the GDPR requirements and that you will be in compliance when it begins to apply. The GDPR has a broad territorial reach and extensive compliance obligations, along with substantial fines for those who fail to comply (up to 20 million euros or 4% of annual worldwide turnover, whichever is higher).