Personal Data Deindetification: Pseudonymization
GDPR has certainly been a main headline in the news recently, but many are still confused about what it is, why they need to be in compliance, and how to get there. The GDPR, or General Data Protection Regulation, offers many guidelines for companies to become compliant with these new laws (which are going into effect at the end of May 2018).
In the GDPR, it is explicitly recommended that companies practice pseudonymization for the personal data they store. This is only one of several recommended ways for companies to reduce the risk of data leaks. This tactic enhances privacy while also making it easier for organizations to process the personal data they store in a way that goes beyond the original data collection purposes.
Pseudonymization for GDPR
Pseudonymization is used to reduce the chances that a personal data record and its identifiers lead to the identification of the data subject (person) who that data belongs to. Identifiers enable a person with a data set to identify a data subject. Thus, pseudonymization works by replacing most identifying fields of a record with one or more pseudonyms, which are "fictional identifiers". These fictional identifiers could be codes, data strings that appear real but are not, randomly generated tokens, and so on.
With this method, you greatly decrease the chances of anyone being able to identify the original subject based on the pseudonymized record. With pseudonymization, you only use real data where real data is needed. Your database will need to be classified and analyzed to remove any sensitive data that will not be needed by your organization.
As you likely already know, the GDPR is requiring organizations to explicitly justify their reasoning behind each piece of data they collect and store. Organizations will also now be required to limit their usage of data to what they have explicitly stated the data will be used for when the person provided them with that data. However, with pseudonymization and other techniques that work to de-link a data record from a data subject, organizations will have more freedom to use this data.
In this way, pseudonymization enables organizations to use the data they have at their disposal more safely and more extensively with less worry about the privacy of the data subject, since some (or even all) of the sensitive and identifying data has been changed, generalized, or removed.
Of course, it is important for organizations to keep in mind that this method is not the easiest solution in many circumstances. Although it is recommended, it can be difficult to implement, especially with organizations now scrambling to be in compliance with GDPR. This is a method to keep in mind for future purposes, though.
Numerous methods of pseudonymization are available on the market, and they come at a variety of different price points and security guarantees. They can also slow down processes. Organizations need to consider the sensitivity of the data they are process (de-pseudonymization is possible) and the impact this method will have on assessing their data subjects.
The GDPR marks the first time pseudonymization is being introduced to the European Union's data protection and privacy laws. However, this is unlikely to be your organization's ticket to GDPR compliance in itself. This, like all data security methods, should be combined with other techniques to give your organization a more complete and balanced approach to data security and privacy.
Finally, educate yourself on the GDPR myths. One of the biggest ones right now is that, so long as you have encryption and pseudonymization in place, you're good to go. That's simply not the case.
Be certain that your organization has thoroughly reviewed all of the GDPR guidelines and that you will be in compliance when it officially begins. The GDPR guidelines have far-reaching boundaries and extensive compliance regulations, along with extensive fines for those who fail to be in compliance.
Most Recent Articles
- TeskaLabs helps LINET with cyber security compliance for medical devices
- TeskaLabs and University hospital in Pilsen launches a pilot of zScanner - open source mobile app for medical photo documentation
- EV Charging Station security demonstrator
- Five Ways AI And Machine Learning Can Enhance Cybersecurity Strategy
- C-ITS ITS-S Security microservice
You Might Be Interested in Reading These Articles
Data encryption is a critical part of GDPR compliance although there are no explicit GDPR encryption requirements. The regulation vaguely states that businesses must enforce safeguards and security measures to protect all consumer data that they handle. The GDPR refers to pseudonymization and encryption as “appropriate technical and organizational measures.
Published on September 13, 2018
Data masking (or suppression) represents the de fact standard of pseudonymisation. Pseudonymisation is a critical part of GDPR compliance although there are no explicit GDPR pseudonymisation requirements. The regulation vaguely states that businesses must enforce safeguards and security measures to protect all consumer data that they handle. The GDPR refers to pseudonymization and encryption as “appropriate technical and organizational measures.
Published on June 11, 2018
zScanner is a mobile application for clinical and medical photo documentation. zScanner enables doctors to take photos of patient medical records, and of injuries of the patients, and upload them to a hospital information system. zScanner is an application developed and used by IKEM, a major Czech hospital, and the largest center of clinical and experimental medicine in the Czech Republic.
Published on May 12, 2019