Anonymization and pseudonymization of data

The Personal Data Protection Regulation requires that any each entity processing personal data should adapt its security systems to the level of the risk of data protection breaches. In this respect, the Regulation introduces two important provisions – anonymisation and pseudonymisation. Therefore, how should the security of personal data be increased?

Pseudonymization is a process that is required when data is stored to transform personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. However, it is imperative that this data is not stored in the same place.

An example is the use of an identification number (instead of a full name and surname) and a limited data file.

When using pseudonymization, the administrator must ensure an appropriate division of tasks among those involved in this process. First of all, the administrator must designate a person responsible for assigning an identification number and a person who will have data enabling backward identification.

In addition to assigning roles, the administrator must also determine on what terms and in what cases backward identification of pseudonymized data is possible.

In Article 32 clause letter a of GDPR pseudonymization is mentioned as one of the technical and organizational measures that an administrator can use to improve data security.

Data anonymization is neither defined in the Personal Data Protection Act nor in the GDPR. It is mentioned only in item 26 of the GDPR recitals.

According to this provision, the principles of personal data protection should not apply to anonymised data, because anonymization is irreversible. Therefore, it is not possible to re-identify the persons to whom the data belongs because the data ceased to be personal. An example of data anonymization may be the removal of the so-called identifiers, e.g. name, surname or address of residence.

The basic feature that differentiates pseudonymization from anonymization is reversibility. Anonymization is an irreversible process, while by contrast pseudonymization is reversible. What is more important, pseudonymized data is still subject to regulations on the protection of personal data, and anonymised data no longer falls to this category. However, the direct introduction of pseudonymization to the GDPR does not serve to exclude other data protection measures.

*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at  GWW