Pseudonymous data: processing personal data while mitigating risks

Thomas Zerdick, Head of Technology and Privacy

The first rule in data protection is: if you do not need personal data, do not collect personal data.

I believe that the second rule in data protection is: if you really need personal data, then start by pseudonymising this personal data.

Pseudonymisation is a foundational technique to mitigate data protection risks. The EU’s personal data protection legislation defines pseudonymisation as the processing of personal data in such a way that this data can no longer be attributed to a specific individual, without the use of additional information.

What distinguishes pseudonymisation from anonymisation is that the latter consists of removing personal identifiers, aggregating data, or processing this data in such a way that it can no longer be related to an identified or identifiable individual. Unlike anonymised data, pseudonymised data qualifies as personal data under the General Data Protection Regulation (GDPR). Therefore, the distinction between these two concepts should be preserved.

The EU’s GDPR makes it compulsory to delete or anonymise personal data when there is no (more) lawful purpose to keep it in a way that enables identification of an individual. However, pseudonymisation techniques offer technical and organisational measures to mitigate data protection risks when it is (still) necessary to process individuals’ personal data.

The GDPR refers to pseudonymisation as an example of an appropriate data protection safeguard in many circumstances, such as:

  • when assessing the lawfulness of processing based on compatible purposes;
  • when embedding data protection by design in an IT tool’s infrastructure and development;
  • as a measure to secure personal data;
  • as a safeguard in a code of conduct;
  • as a safeguard for processing activities that occur for archiving purposes in the public interest, or for scientific, statistical or historical research purposes.

To explore the topic in more detail, we held an IPEN webinar on 9 December 2021, titled "Pseudonymous data: processing personal data while mitigating risks". We focused on the practical use of pseudonymisation techniques to mitigate these data protection risks when processing personal data. Our aim was to provide an opportunity to increase awareness of existing guidance, explore options and challenges, and offer organisations an understanding of the tools and advice available to implement pseudonymisation effectively.

One field where pseudonymisation is used to safeguard the privacy of individuals is the health sector. Health data is a special category of personal data according to the GDPR, and, as such, must be strictly protected. When keeping a medical record of a patient, it is necessary to keep track of which data relates to whom. When making use of pseudonymisation, personal data is not replaced with other data, but it is protected through techniques of transformation and/or separation.

Initiatives such as the European Health Data Space, launched to promote better exchange and access to different types of health data, will provide the ground for a more extensive use of pseudonymous data. During our webinar, we learned how pseudonymisation techniques are used in the health sector and in the context of medical research.

More broadly, we explored common mistakes when using pseudonymisation techniques. We also learned that cryptography not only serves as a cornerstone of privacy-enhancing technologies, but can also be used in the context of pseudonymisation.
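As an added illustration (not taken from this post or from the webinar material), the sketch below combines transformation and separation for medical records and uses cryptography for the transformation step: a keyed hash replaces the direct identifier, while the key and the re-identification table are the "additional information" to be held apart from the dataset. The choice of HMAC-SHA256, the field names and the sample records are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets


def make_pseudonym(key: bytes, patient_id: str) -> str:
    """Transformation: keyed hash of the direct identifier.
    Without the key, the pseudonym cannot be recomputed from a known ID."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Separation: return (dataset, lookup).
    dataset - records carrying only a pseudonym plus the medical fields
    lookup  - the 'additional information' needed to attribute a record to
              a person; it is stored and access-controlled separately."""
    dataset, lookup = [], {}
    for rec in records:
        pseudonym = make_pseudonym(key, rec["patient_id"])
        lookup[pseudonym] = {"patient_id": rec["patient_id"], "name": rec["name"]}
        dataset.append({"pseudonym": pseudonym,
                        "year": rec["year"],
                        "diagnosis": rec["diagnosis"]})
    return dataset, lookup


def reidentify(pseudonym, lookup):
    """Only the holder of the lookup table can attribute a record."""
    return lookup.get(pseudonym)


# Constructed sample records (hypothetical patients, IDs and diagnoses).
RECORDS = [
    {"patient_id": "P-1001", "name": "Constructed Patient A", "year": 2020, "diagnosis": "J45"},
    {"patient_id": "P-1002", "name": "Constructed Patient B", "year": 2021, "diagnosis": "E11"},
    {"patient_id": "P-1001", "name": "Constructed Patient A", "year": 2021, "diagnosis": "J45"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated and kept by the data controller
    dataset, lookup = pseudonymise(RECORDS, key)
    for row in dataset:             # what a researcher would receive
        print(row)
    # Both visits of patient P-1001 share one pseudonym, so the medical
    # history stays linkable without exposing who the patient is.
    print(reidentify(dataset[0]["pseudonym"], lookup))
```

The dataset returned here is still personal data: the records remain attributable to a person through the separately held key and table.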

We will continue to organise our IPEN webinars to explore the developments in the domain of privacy engineering. We will also continue to work with our colleagues from other data protection authorities (DPAs), as well as researchers and developers, to observe the progress in the state of the art of data protection by default and by design.

As for the topic of pseudonymisation, the EDPS is contributing, together with the other DPAs of the EU/EEA, to the upcoming review of the European Data Protection Board’s guidelines on anonymisation and pseudonymisation techniques. External stakeholders will be able to have their say, via the process of public consultation, once the draft is published.

The video recordings and speakers' presentations of each session are available on the IPEN webinar webpage.

IPEN workshops bring together privacy experts and engineers from public authorities, industry, academia and civil society to discuss relevant challenges and developments for the technological implementation of data protection and privacy.