Comparing Pseudonymization and Anonymization
Comparing Under the GDPR
In May 2018, the General Data Protection Regulation (GDPR) will come into effect, establishing a new set of rules for data protection in the European Union. The GDPR will replace the 1995 Data Protection Directive, building upon the key elements and principles of the Directive while adding new rights for individuals and new obligations on data controllers and data processors.
Compared to the 1995 Directive, the GDPR addresses de-identification in a more nuanced way. While the GDPR maintains the same high standard for achieving anonymization, it recognizes the existence of different levels of de-identification and it explicitly adds references to an intermediate form of de-identification: pseudonymization.
“Pseudonymization” commonly refers to a de-identification method that removes or replaces direct identifiers (names, phone numbers, government-issued ID numbers, etc.) from a data set, but may leave in place data that could indirectly identify a person (often referred to as quasi-identifiers or indirect identifiers). Applying such a method, and nothing else, might be called “simple pseudonymization.” Frequently, security and privacy controls designed to prevent the unauthorized re-identification of data are applied on top of simple pseudonymization to create strong pseudonymization.
By contrast, “anonymization” as used in this paper refers to an even stronger form of deidentification. Assuming strong anonymization methods are being used, these methods would be considered acceptable by European data protection authorities. Fully anonymized data that meets the legal bar set by European data protection law is no longer “personal data,” therefore is not subject to the obligations of the GDPR at all. Thus, the benefits of pseudonymization pale in comparison to the benefits of full anonymization.
This white paper compares the benefits of pseudonymization against anonymization. While pseudonymization can form part of an overall GDPR compliance strategy in certain cases, it does not result in complete relief from GDPR obligations in the way anonymization does. Organizations should not confuse the limited advantages of pseudonymization with the far more sweeping advantages of anonymization.