Personal Data De-identification: Pseudonymization
GDPR has certainly been a main headline in the news recently, but many are still confused about what it is, why they need to be in compliance, and how to get there. The GDPR, or General Data Protection Regulation, offers many guidelines for companies to become compliant with these new laws (which are going into effect at the end of May 2018).
In the GDPR, it is explicitly recommended that companies practice pseudonymization for the personal data they store. This is only one of several recommended ways for companies to reduce the risk of data leaks. This tactic enhances privacy while also making it easier for organizations to process the personal data they store in a way that goes beyond the original data collection purposes.
Pseudonymization for GDPR
Pseudonymization is used to reduce the chances that a personal data record and its identifiers lead to the identification of the data subject (person) who that data belongs to. Identifiers enable a person with a data set to identify a data subject. Thus, pseudonymization works by replacing most identifying fields of a record with one or more pseudonyms, which are "fictional identifiers". These fictional identifiers could be codes, data strings that appear real but are not, randomly generated tokens, and so on.
With this method, you greatly decrease the chances of anyone being able to identify the original subject based on the pseudonymized record. With pseudonymization, you only use real data where real data is needed. Your database will need to be classified and analyzed to remove any sensitive data that will not be needed by your organization.
As you likely already know, the GDPR is requiring organizations to explicitly justify their reasoning behind each piece of data they collect and store. Organizations will also now be required to limit their usage of data to what they have explicitly stated the data will be used for when the person provided them with that data. However, with pseudonymization and other techniques that work to de-link a data record from a data subject, organizations will have more freedom to use this data.
In this way, pseudonymization enables organizations to use the data they have at their disposal more safely and more extensively with less worry about the privacy of the data subject, since some (or even all) of the sensitive and identifying data has been changed, generalized, or removed.
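The process described above, carried out in Python as an added illustration (this is not code from the original article): direct identifiers are swapped for a random token, a sensitive field the organization does not need is dropped, the birth date is generalized to its year, and the token-to-identity table is the only route back to the person, so it must be stored and access-controlled separately from the pseudonymized records. The field names and the sample records are constructed assumptions.

```python
import secrets

# Constructed sample records for illustration only; the people do not exist.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "national_id": "ID-0001",
     "phone": "+00 000 0001", "birth_date": "1985-03-14", "diagnosis": "asthma"},
    {"name": "Ada Example", "email": "ada@example.org", "national_id": "ID-0001",
     "phone": "+00 000 0001", "birth_date": "1985-03-14", "diagnosis": "migraine"},
]

# Field classification; the article notes this comes from analyzing the database.
DIRECT_IDENTIFIERS = ("email", "name", "national_id")  # replaced by the pseudonym
NOT_NEEDED = {"phone"}                                 # sensitive and unused: removed
GENERALIZE = {"birth_date": lambda d: d[:4]}           # keep only the year


class Pseudonymizer:
    """Replaces direct identifiers with a random token. The token-to-identity
    table lives in this object, apart from the pseudonymized records it emits."""

    def __init__(self):
        self._to_identity = {}   # pseudonym -> identifier values
        self._to_pseudonym = {}  # identifier values -> pseudonym (stable per person)

    def pseudonymize(self, record):
        identity = tuple(record[f] for f in DIRECT_IDENTIFIERS)
        pseudonym = self._to_pseudonym.get(identity)
        if pseudonym is None:
            # Fictional identifier: random, not derived from the data, so it
            # cannot be reversed without the table held here.
            pseudonym = secrets.token_hex(8)
            self._to_pseudonym[identity] = pseudonym
            self._to_identity[pseudonym] = identity
        out = {"pseudonym": pseudonym}
        for field, value in record.items():
            if field in DIRECT_IDENTIFIERS or field in NOT_NEEDED:
                continue
            out[field] = GENERALIZE[field](value) if field in GENERALIZE else value
        return out

    def reidentify(self, pseudonym):
        """De-pseudonymization: only possible for whoever holds this table."""
        return dict(zip(DIRECT_IDENTIFIERS, self._to_identity[pseudonym]))


def demo():
    """Pseudonymize the constructed records; returns the table holder and output."""
    p = Pseudonymizer()
    return p, [p.pseudonymize(r) for r in SAMPLE_RECORDS]
```

The same person receives the same token across records, so analytics over the pseudonymized set still work, while a reader of that set alone sees no name, e-mail or full birth date.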
Of course, it is important for organizations to keep in mind that this method is not the easiest solution in many circumstances. Although it is recommended, it can be difficult to implement, especially with organizations now scrambling to be in compliance with GDPR. This is a method to keep in mind for future purposes, though.
Numerous methods of pseudonymization are available on the market, and they come at a variety of price points and security guarantees. They can also slow down processes. Organizations need to consider the sensitivity of the data they process (de-pseudonymization remains possible) and the impact this method will have on assessing their data subjects.
The GDPR marks the first time pseudonymization is being introduced to the European Union's data protection and privacy laws. However, this is unlikely to be your organization's ticket to GDPR compliance in itself. This, like all data security methods, should be combined with other techniques to give your organization a more complete and balanced approach to data security and privacy.
Finally, educate yourself on the GDPR myths. One of the biggest ones right now is that, so long as you have encryption and pseudonymization in place, you're good to go. That's simply not the case.
Be certain that your organization has thoroughly reviewed all of the GDPR guidelines and that you will be in compliance when it officially takes effect. The GDPR guidelines have far-reaching scope and extensive compliance regulations, along with substantial fines for those who fail to be in compliance.