Comparing the benefits of pseudonymisation and anonymisation under the GDPR
Journal of Data Protection & Privacy: new White Paper by Mike Hintze and Dr. Khaled El Emam
Journal of Data Protection & Privacy,
Volume 2, Number 2, 1 December 2018, pp. 145-158(14)
Many organisations are trying to obtain more value from their data to improve their products and services, offer new ones and optimise their own internal operations. For example, more chief data officers, or similar roles, are being created to drive such data-enabled transitions. With the General Data Protection Regulation (GDPR) in place, these organisations need to determine the lawful basis for such activities. De-identification techniques, such as pseudonymisation and anonymisation, can play an important role in facilitating such secondary uses and disclosures of data. In regard to de-identification, the GDPR introduces nuances that have not previously been seen, recognising the existence of different levels of de-identification and explicitly adding references to pseudonymisation as an intermediate form of de-identification. This paper explores the nuances introduced by the GDPR, compares the benefits of the different levels of de-identification found in the regulation, and provides practical guidance for using de-identification as a tool for addressing different GDPR compliance obligations.
Go here to access the article and White Paper:
About the authors:
Mike Hintze is a Partner at Hintze Law PLLC, Seattle, Washington. As a recognized leader in the field with more than 20 years of experience in privacy and data protection, he advises companies, industry associations, and other organizations on global privacy and data protection compliance and strategy. “I understand the need for pragmatic and actionable advice that enables my clients to meet their objectives while complying with the law and managing risk.”
Mr. Hintze was previously Chief Privacy Counsel at Microsoft, where, for over 18 years, he counselled on data protection compliance globally, and helped lead the company’s strategic initiatives on privacy differentiation and public policy. He also teaches privacy law at the University of Washington School of Law, serves as an advisor to the American Law Institute’s project on Information Privacy Principles, and has served on multiple advisory boards for the International Association of Privacy Professionals and other organizations. Mr. Hintze is a Senior Fellow at FPF (Future of Privacy Forum).
Dr. Khaled El Emam is the founder of Privacy Analytics Inc. As an entrepreneur, Khaled helped found five companies involved with data management and data analytics. He has worked in technical and management positions in academic and business settings in England, Scotland and Japan.
Khaled is also a senior scientist at the Children’s Hospital of Eastern Ontario (CHEO) Research Institute and Director of the multi-disciplinary Electronic Health Information Laboratory (EHIL) team, conducting academic research on de-identification and re-identification risk. He is a world-renowned expert in statistical de-identification and re-identification risk measurement. He is one of only a handful of individual experts in North America qualified to anonymize Protected Health Information under the HIPAA Privacy Rule. Previously, Khaled was a Senior Research Officer at the National Research Council of Canada. He also served as the head of the Quantitative Methods Group at the Fraunhofer Institute in Kaiserslautern, Germany.
Khaled was one of the first Privacy by Design Ambassadors recognized by the Ontario Information and Privacy Commissioner. He previously held the Canada Research Chair in Electronic Health Information at the University of Ottawa and is an Associate Professor in the Faculty of Medicine at the University. He has a PhD from the Department of Electrical and Electronics Engineering, King’s College, at the University of London, England.
Dr. El Emam is solicited for speaking engagements, conferences, and media events worldwide.
His books include Anonymizing Health Data: Case Studies and Methods to Get You Started with Luk Arbuckle (O’Reilly 2014).
About Journal of Data Protection & Privacy:
Journal of Data Protection & Privacy is the major professional journal publishing in-depth, peer-reviewed articles, case studies and applied research on all aspects of data protection and privacy practice across the European Union and other jurisdictions, in the wake of the new EU General Data Protection Regulation (GDPR) and the biggest change in data protection and privacy for two decades.
Guided by its expert Editor and a distinguished Editorial Board, each quarterly 100-page issue – published in print and online – provides an international forum for detailed, practical and thought-provoking articles from leading professionals and researchers on a wide range of regulatory, compliance, risk management and board governance issues. In addition, Journal of Data Protection & Privacy explores innovative strategies, tools and techniques and emerging trends that impact the business continuity of all private, public sector/Government and charitable/NGOs and professional bodies and associations.
JDPP publishes in-depth analysis of new thinking and practice from diverse authors at a wide range of institutions enabling readers to benchmark their organisation. Every published article is peer-reviewed by experts drawn from the journal’s Editorial Board.
About the Publisher:
Henry Stewart Publications is a leading publisher of vocational journals that support employability and career development. It specialises in journals which combine contributions from senior practitioners and respected consultancies with applied research from leading academics in the field.
Each journal’s core objective is to publish in-depth articles, real case studies and applied research that are of the highest intellectual standards and of direct relevance to practitioners.
- Turn Data Assets into Business Opportunity Under CCPADecember 19, 2019
- How does risk-based anonymization work?December 18, 2019
- Why should I use Expert Determination over Safe Harbor?December 18, 2019
- What do I need to know about GDPR, HIPAA and CCPA to meet our regulatory and privacy obligations?December 18, 2019
- Should we invest in building our own de-identification capability?December 17, 2019
- GDPR and The Future of Clinical Trials Data SharingMarch 18, 2019
- Advancing Principled Data Practices in Support of Emerging TechnologiesMarch 15, 2019
- “Zero Risk Does Not Exist”February 7, 2019
- Is Anonymization Possible with Current Technologies?January 9, 2019
- Comparing the benefits of pseudonymisation and anonymisation under the GDPRDecember 20, 2018