The GDPR is a set of rules that promotes the proper collection and processing of personal information from individuals within the territorial boundaries of the European Union (EU). A data breach or unauthorized access to personal information can be detrimental to companies. One way enterprises can comply with GDPR and safeguard data is through de-identification.
What Is De-identification?
Data de-identification is the practice of removing the association between an individual and any direct identifiers (name, address, telephone number) or indirect identifiers (job title, postcode, or salary) in a business’s data, and implementing security measures to prevent that information from being re-identified.
Types of De-identification
To fully understand de-identification, we must first distinguish between its two main types: anonymization and pseudonymization.
Anonymization
Anonymization involves removing all of a person’s direct and indirect identifiers. Additionally, technical precautions must be put in place to ensure the data can never again be linked to the individual.
When data is completely anonymized, and the individual cannot be identified, it no longer falls under the purview of the GDPR. Because of this, it is easier for businesses to utilize that data any way they see fit and keep it on file for as long as necessary.
Pseudonymization
The GDPR defines pseudonymization as
the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual.
It should be noted that this process is reversible, and with the right key, the person can be identified. Thus, a pseudonym is still regarded as personal data under GDPR.
Pseudonymization can be used when an enterprise wants to keep personal information because it still serves its original purpose. This is especially useful in day-to-day corporate operations where sensitive data is often handled, such as in HR, marketing, or IT departments, and in the healthcare sector where privacy is of the utmost importance.
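The sketch below is an added example, not code from the original article. It shows one way to pseudonymize records so that re-identification requires separately held information. The use of HMAC-SHA256, the function names, the field names and the sample records are all assumptions made for illustration; the article does not name an algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Direct identifiers named in the article; everything else is kept as-is.
DIRECT = ("name", "address", "phone")

def pseudonymize(records, key):
    """Return (working_set, lookup).

    working_set has direct identifiers replaced by a keyed token; lookup is
    the "additional information" that must be stored separately.
    """
    working_set, lookup = [], {}
    for rec in records:
        identity = {f: rec[f] for f in DIRECT}
        # Keyed HMAC rather than a bare hash: without the key, tokens cannot
        # be recomputed by hashing guessed names or phone numbers.
        msg = json.dumps(identity, sort_keys=True).encode()
        token = hmac.new(key, msg, hashlib.sha256).hexdigest()
        lookup[token] = identity
        row = {k: v for k, v in rec.items() if k not in DIRECT}
        row["subject_id"] = token
        working_set.append(row)
    return working_set, lookup

def reidentify(row, lookup):
    """Authorized reversal; only possible with the separately held lookup."""
    rest = {k: v for k, v in row.items() if k != "subject_id"}
    return {**lookup[row["subject_id"]], **rest}

# Constructed sample records (not real data); rows 0 and 2 are the same person.
SAMPLE = [
    {"name": "Ana Ruiz", "address": "1 Example St", "phone": "555-0100",
     "job_title": "Nurse", "postcode": "1011", "salary": 42000},
    {"name": "Ben Okoro", "address": "2 Example Rd", "phone": "555-0101",
     "job_title": "Analyst", "postcode": "2022", "salary": 51000},
    {"name": "Ana Ruiz", "address": "1 Example St", "phone": "555-0100",
     "job_title": "Senior Nurse", "postcode": "1011", "salary": 48000},
]
DEMO_KEY = secrets.token_bytes(32)  # in practice: held apart from the data

if __name__ == "__main__":
    working, table = pseudonymize(SAMPLE, DEMO_KEY)
    for row in working:
        print(row)
    print(reidentify(working[1], table))
```

The working set still carries the indirect identifiers (job title, postcode, salary) and a stable token per person, which is why it remains useful for analysis and also why it is still treated as personal data.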
Key Difference
Anonymization and pseudonymization are two ways of ensuring the security of data. However, anonymization entails irreversibly removing personal identifiers, while pseudonymization allows authorized access to that information.
Conclusion
Companies can benefit from combining the two procedures. However, pseudonymization may be a more practical approach since the data is not regarded as directly identifiable by the GDPR, and because it is not anonymized, it is still of value to the company.