
IT Glossary

Pseudonymization

Pseudonymization is a technical security measure that reduces the correlation of a set of personal data with the original identity of a data subject, contributing in particular to data protection by design and data protection by default, and may be included among the appropriate safeguards.

It consists in replacing an attribute, generally unique, by another one in a record, and consequently reduces the risk of correlation of a set of data.

However, pseudonymized data still allows for the individualization of a data subject and the correlation between different data sets.

Pseudonymization should therefore not be confused with anonymization, which consists of removing sufficient elements so that the data subject can no longer be identified by using all the means that can reasonably be implemented, either by the data controller or by a third party.

While pseudonymization is reversible, anonymization is irreversible.

Pseudonymized data does not prevent a data subject from being identifiable and therefore remains within the scope of the GDPR, which is not the case with anonymized data, which falls outside the scope of the GDPR.

The main pseudonymization techniques are the following:

  • Secret key encryption system;
  • Hash function, with or without salting;
  • Keyed hash function – with stored key or with key deletion;
  • Tokenization.

Regardless of the technique used, pseudonymization must necessarily allow the individualization of the data subject, who is identified by a unique attribute. In addition, the correlation between the data should still be possible by means of other attributes.
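The two properties described above, individualization and correlation, can be shown with a keyed hash and with tokenization. The following is an added example, not part of the original glossary entry; the record fields, sample data and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def keyed_hash(identifier: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256): same key + same identifier -> same pseudonym.
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

class TokenVault:
    # Tokenization: random tokens; the lookup table is the "additional
    # information" that must be stored separately from the pseudonymized data.
    def __init__(self) -> None:
        self._token_by_id: dict[str, str] = {}
        self._id_by_token: dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        if identifier not in self._token_by_id:
            token = secrets.token_hex(16)
            self._token_by_id[identifier] = token
            self._id_by_token[token] = identifier
        return self._token_by_id[identifier]

    def reidentify(self, token: str) -> str:
        return self._id_by_token[token]  # authorized reversal only

def pseudonymize(records, field, fn):
    # Replace the unique attribute in each record with its pseudonym.
    return [{**r, field: fn(r[field])} for r in records]

def correlate(left, right, field):
    # Join two pseudonymized data sets on the pseudonym alone.
    index = {r[field]: r for r in left}
    return [{**index[r[field]], **r} for r in right if r[field] in index]

# Constructed sample data (not from the page).
VISITS = [{"email": "ana@example.org", "clinic": "A"},
          {"email": "bo@example.org", "clinic": "B"}]
INVOICES = [{"email": "ana@example.org", "amount": 120}]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept apart from the data; without it, pseudonyms cannot be recomputed
    visits = pseudonymize(VISITS, "email", lambda v: keyed_hash(v, key))
    invoices = pseudonymize(INVOICES, "email", lambda v: keyed_hash(v, key))
    print(correlate(visits, invoices, "email"))
    vault = TokenVault()
    token = vault.tokenize("ana@example.org")
    print(token, "->", vault.reidentify(token))
```

The joined output contains no e-mail address, yet each data subject is still singled out by a stable pseudonym, which is why such data remains personal data.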

An unauthorized reversal of the pseudonymization procedure may result in a breach of personal data, causing a loss of control by data subjects over their data.

GDPR

“Pseudonymization of personal data can reduce risks to data subjects and help data controllers and processors meet their data protection obligations. The explicit introduction of pseudonymization in this Regulation is not intended to exclude any other data protection measure.

In order to encourage pseudonymisation in the processing of personal data, pseudonymisation measures should be possible within the same controller, while allowing for general analysis, where the controller has taken the necessary technical and organisational measures to ensure, for the processing concerned, that this Regulation is implemented, and that additional information allowing the personal data to be attributed to a specific data subject is kept separately. The controller who processes personal data should indicate the persons authorized to do so within the same controller.”

Recitals 28 and 29 of the GDPR

Point of jurisprudence

The Slovenian supervisory authority recalls that “Encrypted personal data are pseudonymized personal data and therefore remain personal data (see Article 4(5) of the General Regulation), and are therefore not anonymous data, so the processing of pseudonymized personal data also requires an appropriate legal basis.

[…]

If unauthorized persons get their hands on pseudonymized personal information, it is the same as if they were given raw personal data, they will just take a little longer to identify the individuals. Truly anonymous data is only achieved through the use of specific anonymization methods and techniques (such as noise addition, permutation, differentiated privacy, aggregation, k-anonymity, l-diversity, and t-similarity) and not through simple encoding, encryption, or other mapping”.

Informacijski pooblaščenec, 30 March 2020, No. 07120-1/2020/25

The Bouchara firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.