
This article is written by Dilip Vishwakarma, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Priyanka Mangaraj (Associate, LawSikho) and Dipshi Swara (Senior Associate, LawSikho).

Introduction

When the GDPR (General Data Protection Regulation) was introduced in May 2018, it replaced the Data Protection Directive 95/46/EC by setting new rules in the European Union with regards to data privacy.


The GDPR applies directly in all member states of the European Union, which leads to a greater level of protection for people in the EU. Many companies have initiated privacy processes and procedures to comply with the GDPR, which contains a number of new protections for EU data subjects and provides for significant fines and penalties for non-compliant data controllers and processors.

An insight into GDPR

The GDPR introduces new obligations on matters such as data subject consent (Article 7), the appointment of data protection officers (Article 37), trans-border data transfers (Article 45), breach notifications (Article 33), data pseudonymization (Article 4), data anonymization, data subject rights (Article 21), and the responsibilities of the data controller (Article 24) and data processor (Article 28).

The GDPR recognizes two main technical measures, anonymization and pseudonymization, for their privacy- or security-enhancing effect, and provides exceptions to many other provisions of the regulation when such steps are taken to protect personal data.

Recital 26 of the GDPR defines anonymization or anonymous information as “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable” and the GDPR does not apply to anonymized information. 

What is anonymization?

Anonymization is the process of removing personal identifiers, whether direct or indirect, that may lead to an individual being identified.

An individual may be directly identified from their name, address, postcode, mobile number, picture or appearance, or some other unique personal characteristic.

An individual may be indirectly identifiable when certain data is linked together with other sources of information, including, their place of work, job designation, salary, their postcode, or even the fact that they have a specific diagnosis or disorder.

Once data is truly anonymized and individuals are no longer identifiable, the data will not fall within the scope of the GDPR and it becomes easier to use.

While there may be incentives for some organizations to process data in an anonymized form, this technique may devalue the data, so that it is no longer of use for some purposes. Therefore, before anonymization consideration should be given to the purposes for which the data is to be used.

What is pseudonymization?

“Pseudonymization” of data means replacing any identifying characteristics of the data with a pseudonym, in other words a value that does not allow the data subject to be directly identified. Personal identifiers are replaced with non-identifying references or keys, so that anyone working with the data is unable to identify the data subject without the key. This type of data may enjoy fewer processing restrictions under the GDPR.

Unlike anonymization, pseudonymized data falls within the GDPR’s regulatory reach. This technique can also be an effective security measure to help organizations comply with GDPR data minimization standards. For example, Article 25 lists pseudonymization as an “appropriate technical and organizational measure” to meet the requirements of the GDPR.

Recital 78 lists pseudonymizing data as a method that can be used to meet the GDPR’s principles of “data protection by design and data protection by default.”

Pseudonymized data also enjoys more freedom under the GDPR than non-pseudonymized, fully identified personal data. For instance, Article 6(4) of GDPR lists pseudonymization (and encryption) as a possible exception to the general rule that a controller cannot process data for a purpose other than for which it had been collected.

Under Article 9 of the GDPR, data controllers and data processors have been permitted to collect and use personal data of the data subjects in just about any way that they choose in a lawful manner.

This article will help you understand in brief the benefits of pseudonymization and how this technique may play an important role in GDPR compliance.

GDPR encourages pseudonymization of personal data

Pseudonymization is the process of separating data from specific identifiers so that a connection to the identity is not possible without additional information that is stored separately.

Personal identifying information lies at the core of the GDPR. Any “personal data”, defined as “information related to an identified or identifiable natural person” (the “data subject”), falls under the GDPR.

As per Article 4(1) of the GDPR personal data consist of any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For Example:

A university that wants to process personal data may consider a variety of lawful bases depending on what it wants to do with the data.

Universities are classified as public authorities, so the public task basis is likely to apply to much of their processing, depending on the detail of their constitutions and legal powers. If the processing is separate from their tasks as a public authority, then the university may instead wish to consider whether consent or legitimate interests are appropriate in the particular circumstances. For instance, a university might rely on public task for processing personal data for teaching and research purposes, but on a mixture of legitimate interests and consent for alumni relations and fundraising purposes.

The university however needs to consider its basis carefully – it is the controller’s responsibility to be able to demonstrate which lawful basis applies to the particular processing purpose.

The GDPR does not apply to data that does not relate to an identified or identifiable person, or to data that has been rendered anonymous in such a way that the data subject is not, or is no longer, identifiable.

The concept of pseudonymization was introduced into European data protection law by the GDPR. It reduces risks from the perspective of the data subject, serves as a way for data controllers to enhance privacy and, among other things, makes it easier for controllers to process personal data beyond the original collection purposes or to process personal data for scientific and other purposes.

Pseudonymization can significantly decrease the risks that are associated with data processing while maintaining the usefulness of the data. For this reason, the GDPR encourages controllers to pseudonymize the data they collect. Although pseudonymous data is not completely exempt from the regulation, the GDPR relaxes several requirements on controllers who use the technology.

What do you mean by pseudonymous data under GDPR?

As per Article 4(5) of the GDPR, pseudonymization is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information”, provided that such “additional information” is “kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

In a nutshell, it is a privacy-enhancing technology in which the directly identifying data is separated from the rest of the data and stored securely, so that the remaining data can no longer be attributed to the data subject.

Recital 28 of the GDPR makes this clearer:

  • Pseudonymization can reduce risks to the data subjects.
  • Pseudonymization is not intended to preclude any other measures of data protection.
  • Pseudonymization alone is not a sufficient technique to free data from the purview of the regulation.

Whereas indeed, Recital 26 of the GDPR states:

  • “Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.” Such additional information is, for example, names, phone numbers, government-issued ID numbers, etc.

To understand data protection compliance we need to understand the differences between the following technical terms:

Anonymization V. De-identification V. Redaction V. Pseudonymization V. Tokenization

What is anonymization of data?

Data anonymization is the processing of data to prevent an individual’s identity from being retrieved. To meet the requirements of anonymization it must be very difficult, or nearly impossible, to connect the data to an individual. There is no standard technique or procedure for anonymization under the GDPR.

True data anonymization is irreversible and makes it difficult to identify a natural person whether it is directly or indirectly. 

Legal basis of anonymization

As per Article 6 of the GDPR, processing personal data for the purpose of anonymizing it must itself have a legal basis: anonymization is a form of “further processing”, and that processing must comply with the principle of purpose limitation.

In practice, the legal basis of the data controller or data processor (contract or legitimate interest) will be accepted if the principles of collection, purpose limitation and retention have been complied with.

Data anonymization used for GDPR compliance

If the process of anonymization has been done correctly, the data will no longer be linked to an identified or identifiable natural person and can no longer be considered personal data. The GDPR does not apply to anonymous data, which is why such data can be used freely.

The process of anonymization can be used to improve any organization’s data protection compliance in two main ways.

  1. Privacy by design – strategic work to improve the protection of processed data
  2. Data Minimisation strategy – a place where data can be anonymized and used with no risk of harming the data subjects. 

Example of anonymization;

Anonymization is used for structured as well as unstructured data, though it can be trickier to do for the latter.

Below is a sample email that has been properly anonymized:

“Hello [NAME],

I hope you are doing well and safe!

I have booked at [TIME] the day after tomorrow, but [TIME] would work. I will share the updated invite for that time with the day and date. Kindly revert if that does not work for you.

Thank You,

[NAME]”

What is de-identification of data?

De-identification of data means the procedure used to prevent personal identifiers, both direct and indirect, from being connected with information. It requires the removal of direct identifiers and semi-identifiers, but it remains possible to link the de-identified result back to the original data through some process.

In practice, de-identification is often used to describe the process of removing direct identifiers (address, full name, etc.) and, less frequently, semi-identifiers (gender, age, etc.), without the guarantee that anonymization gives that the data cannot be linked back to an individual; although the term is sometimes used to cover anonymization as well as pseudonymization.

Example of de-identification of data;

Let us take the above-anonymized mail and change it to;

“Hello [NAME_1],

I hope you are doing well and safe!

I have booked at [TIME_1] day after tomorrow, but [TIME_2] would work. I will share the updated invite for that time with the day and date. Kindly revert if that does not work for you.

Thank You,

[NAME_2]”

Now assume the organization encrypts the direct and potential identifiers that NAME_1, NAME_2, TIME_1 and TIME_2 stand for, and stores them separately in case it ever needs to re-identify the email. The email then no longer counts as anonymized, because the identifiers can be linked back to it.

That does not mean that confidentiality has been compromised. For example, if analytics and machine learning teams work on the de-identified email, they are still providing a great service to their users and their company. It is possible to gain insights while mitigating the privacy risk to users and the security risk of sending personal data to another part of the organization where it does not need to be.

What is redaction?

To add to the confusion between anonymization and de-identification, the term redaction is often used incorrectly. Redaction plays an interesting role in relation to de-identification. Redaction does not mean the complete removal of personal data; it is the selective removal of sensitive information. An example is the removal of credit card numbers from customer service conversations: emails, call transcripts or chat logs containing questions about how to use a vacuum cleaner are harmless if leaked once the card numbers are gone.

Examples of pseudonymization data

In simple language, pseudonymization refers to a data management and de-identification procedure in which some data (such as a name, address, etc.) is replaced with fake data, and is often depicted as being linked to the original data. This has left a hole to fill for a word that means replacing information with fake data that is not linked to the original data.

Pseudonymization without any additional linkage to identity has many advantages. For one, the data is more suitable for machine learning training and inference.

In the example below the PII has been replaced with fake data:

“Hello, Arjun,

I hope you are doing well and safe!

I have booked an appointment for 11 am the day after tomorrow, but 5 pm would work. I will share the updated invite for that time with the day and date. Kindly revert if that does not work for you.

Thank You,

Dilip”

In addition, any personal or semi-identifying information that is accidentally left behind becomes like a needle in a haystack, hard to tell apart from the fake data. For example, suppose “Dilip” is accidentally missed and left unreplaced in the above email:

“Hello [NAME_1],

I hope you are doing well and safe!

I have booked at [TIME_1] day after tomorrow, but [TIME_2] would work. I will share the updated invite for that time with the day and date. Kindly revert if that does not work for you.

Thank You,

Dilip”

At Private AI, we spent a lot of time learning how to do automated pseudonymization correctly. Here’s a clue: Encyclopaedia improvements don’t work. We needed to build our own transformer model structure (a type of machine learning model designed for natural language processing) to generate realistic words and numbers in a contextual, decisive manner. It is important to carefully select training data to create realistic alternatives, including other ideas in the trade. Tokenization is also referred to as a type of pseudonymization.

Blockchain data considered as personal data

Blockchain is a database in which data is stored and distributed to a large number of computers and in which all entries, called “transactions”, are visible to all users. It is a technology that protects data against manipulation, and in this sense it increases the security of data. Simply put, this security is achieved by making the records saved in the blockchain transparent and immutable, which in turn is achieved through the redundant and distributed storage of each record at multiple nodes throughout a large network. Measured against the requirements of the EU General Data Protection Regulation (GDPR), the very core of the blockchain’s security is therefore in conflict with the privacy required for the protection of personal data. As a result, the development of a blockchain project needs to include careful examination of what kind of data is being stored, and whether that data could be considered personal data.

If a blockchain processes personal data, the GDPR applies. To find out whether it does, the data has to be reviewed under the terms of the GDPR. For data to be personal, a natural person has to be directly or indirectly identifiable. If the data does not, or no longer, identifies a natural person, the GDPR does not apply since such data is anonymous. Since a blockchain cryptographically transforms all entered data, we first need to examine where the line is drawn between anonymous data and indirectly personal data. Secondly, two categories of blockchain data in which personal data may occur have to be examined: the identifiers of the blockchain, i.e. the private and public keys or the public address, and the additional data, i.e. the transaction data.

According to the GDPR, personal data includes all information that refers to an identified or identifiable natural person. An identified person is relatively simple: a name, or an email address that includes an individual’s name, a fingerprint, perhaps a photo of the face, and so on are immediate identifiers. Beyond direct identifiability, data held by third parties also becomes relevant. To understand what kind of third-party data falls within this scope, the question is whether the identity can be determined with a reasonable amount of effort using the means available to the processing party or any other person. Factors for this include the cost of identification, the time required with available technologies, and technological development, which is always changing.

This could, for example, be the IP address. Are IP addresses personal data? The European Court of Justice has now answered this question, maintaining that attribution is possible for an ISP, given that, at least for a short period of time, there is the possibility of attributing an IP address to a customer via that customer account. 

Many individuals, for instance, publish their public key on their Facebook profile and ask for contributions in Bitcoin. In this case there is of course a direct connection to the Facebook profile. Given that we cannot check every single public key, and cannot eliminate the possibility that one of the account holders has made theirs public at some stage in the past, we need to assume that all public keys represent personal data.

What is the tokenization of data?

The last term, tokenization, refers to replacing some data with a token.

Tokenization replaces personal data with an arbitrary token while a link between the actual data and the token is maintained (e.g. for payment processing on websites). The tokens may be generated by a one-way operation or may be entirely random numbers. Tokenization schemes also vary in whether they rely on encryption: for example, an encryption-based scheme stores only the decryption key instead of a link between each piece of personal data and its replacement.

Tokenization of the direct and quasi-identifiable information in our previous email example:

“Hello 342456D 852BC11A3C6532JF0T9S888C9LAA,

I hope you are doing well and safe!

I have booked at 1122E05147D0342FC087KKBDECCA544F9 day after tomorrow, but J8J9988D2321D4B8007DF24547BB1A96C would work. I will share the updated invite for that time with the day and date. Kindly revert if that does not work for you.

Thank You,

DSD45FAJKLJLJ76897938BJHJSDKHKUYWOO76876DD”

Although tokenization is very useful for payment processing, it is unlikely to be a winner for structured data security, as the tokens carry no relevant information, compared to pseudonymization without linkage.

In a nutshell, although direct and quasi-identifiers are removed one way or another by anonymization, de-identification, redaction, pseudonymization, and tokenization, these techniques differ in how much of the relevant information of the original data they retain.

European Union Agency For Cybersecurity (ENISA) recommendations for pseudonymization

The European Union Agency for Cybersecurity (ENISA) has published a report on pseudonymization techniques and best practices, which explores the basic concepts of pseudonymization as well as technical considerations that can support implementation in practice.

The report discusses, in particular, the parameters that may affect the choice of pseudonymization techniques in practice, such as data protection, utility, scalability, and recovery. 

The ENISA report states about pseudonymization techniques:

  1. Counter: the simplest pseudonymization function, in which each identifier is substituted by a number taken from a monotonic counter. In terms of data protection, the counter produces pseudonyms with no connection to the initial identifiers.
  2. Random Number Generator (RNG): a mechanism that produces values from a set in which each value has an equal probability of being selected and which are therefore unpredictable. This approach is similar to the counter, with the difference that a random number, rather than the next counter value, is assigned to each identifier.
  3. Cryptographic hash function: takes input strings of arbitrary length and maps them to fixed-length outputs. It satisfies the following properties:
     • One-way: it is computationally infeasible to find any input that maps to a pre-specified output.
     • Collision free: it is computationally infeasible to find any two distinct inputs that map to the same output.
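As an added illustration (not code from the article or from ENISA), the following script applies the three pseudonymization functions listed above to the article's own email example: a monotonic counter, random values, and a keyed hash (HMAC-SHA256, a keyed variant of the hash function described, so that pseudonyms cannot be recomputed by anyone who lacks the key). The mapping table that each method keeps is the "additional information" that Article 4(5) requires to be stored separately, and the random-value method with its table is the same shape as the tokenization with a token vault described earlier. The identifier list is assumed to come from an upstream PII detector; the email text and key are constructed.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Dict, List, Optional

# Constructed sample, based on the article's email example.
EMAIL = ("Hello Arjun,\n\nI have booked an appointment for 11 am the day after tomorrow, "
         "but 5 pm would work.\n\nThank You,\n\nDilip")
# Assumption: an upstream PII detector has already located these identifiers.
IDENTIFIERS = ["Arjun", "11 am", "5 pm", "Dilip"]


class Pseudonymizer:
    """Replace identifiers with pseudonyms using one of the three ENISA functions.

    self.table maps pseudonym -> original identifier. It is the 'additional
    information' of Article 4(5) and must be stored separately from the
    pseudonymized data, under its own access controls.
    """

    def __init__(self, method: str, key: Optional[bytes] = None):
        if method not in ("counter", "rng", "hash"):
            raise ValueError("method must be counter, rng or hash")
        if method == "hash" and not key:
            raise ValueError("keyed hash needs a secret key")
        self.method = method
        self.key = key                      # secret for the keyed-hash method only
        self._counter = itertools.count(1)  # monotonic counter
        self.table: Dict[str, str] = {}

    def _pseudonym(self, identifier: str) -> str:
        if self.method == "counter":
            # Counter: no mathematical relation to the identifier at all.
            return "ID%04d" % next(self._counter)
        if self.method == "rng":
            # RNG: unpredictable, unlinkable across records; same shape as a token vault.
            return secrets.token_hex(8)
        # Keyed hash: deterministic per key, so the same person gets the same pseudonym
        # in every record, but the pseudonym cannot be recomputed from a guessed name
        # without the key.
        digest = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:16]

    def pseudonymize(self, text: str, identifiers: List[str]) -> str:
        out = text
        for ident in identifiers:
            pseudonym = self._pseudonym(ident)
            self.table[pseudonym] = ident
            out = out.replace(ident, pseudonym)
        return out

    def reidentify(self, text: str) -> str:
        """Reverse the mapping; only possible for whoever holds self.table."""
        out = text
        for pseudonym, ident in self.table.items():
            out = out.replace(pseudonym, ident)
        return out


def residual_identifiers(text: str, identifiers: List[str]) -> List[str]:
    """Sanity check for the 'needle in a haystack' case: identifiers left unreplaced."""
    return [ident for ident in identifiers if ident in text]


def demo() -> Dict[str, Dict[str, object]]:
    """Run all three methods over the sample email and report the results."""
    results = {}
    for method in ("counter", "rng", "hash"):
        p = Pseudonymizer(method, key=secrets.token_bytes(32))
        pseudo = p.pseudonymize(EMAIL, IDENTIFIERS)
        results[method] = {
            "pseudonymized": pseudo,
            "leftover": residual_identifiers(pseudo, IDENTIFIERS),
            "round_trip_ok": p.reidentify(pseudo) == EMAIL,
        }
    return results


if __name__ == "__main__":
    for method, r in demo().items():
        print("==", method, "leftover:", r["leftover"], "round trip:", r["round_trip_ok"])
        print(r["pseudonymized"], "\n")
```

Only the keyed-hash method keeps the same pseudonym for a person across separate records; the counter and RNG methods must share one table to achieve that.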

It also works through specific use cases for the pseudonymization of certain types of identifiers (for example, IP addresses, email addresses, and complex data sets).

The report determines that the field of data pseudonymization is a challenging one in complex information infrastructure. This largely depends on matters of context, the entities involved, data types, background data, and implementation details.

Furthermore, there is no single, easy solution to pseudonymization that works for all methods in all possible scenarios. The report states that it is necessary to implement a robust pseudonymization process to reduce the risk of discrimination or re-identification attacks while upholding the degree of utility required to process pseudonymized data.

The report makes a series of recommendations, set out below:

  1. Data controllers and processors should carefully consider the implementation of pseudonymization following a risk-based approach, taking into account the purpose and overall context of the personal data processing, as well as the utility and scalability levels they wish to achieve.
  2. Producers of products, services, and applications should provide adequate data to controllers and processors about their use of pseudonymization methods and the security and data protection levels that these provide.
  3. Regulators (e.g. data protection authorities and the European Data Protection Board) should provide practical guidance to data controllers and processors about the assessment of risk while promoting best practices in the field of pseudonymization.
  4. The European Commission and the relevant EU institutions should provide support for defining and disseminating the state-of-the-art pseudonymization, in cooperation with the research community and industry in the field.
  5. The research community should work on extending the current pseudonymization techniques to more advanced solutions which efficiently address special challenges arising in the big data era. The European Commission and the relevant EU institutions should support and propagate these efforts.

Benefits of pseudonymization

Case-1 : removes sensitive data

Pseudonymization enhances privacy by removing the identity from sensitive information. It removes or masks direct identifiers such as full names, contact information, credit card numbers, or social security numbers (SSN). As a result, pseudonymization can help to reduce the risk of data loss, data theft, and data breaches.

Whether hackers have gained access to specific user credentials or malicious insiders have legitimate access, under pseudonymization they cannot obtain the ‘real’ data. Data controllers, on the other hand, can still re-identify specific records using the additional information they keep separately and securely.

Case-2 : empowers data-driven business

Pseudonymization helps to protect the rights of individuals and also allows data to be used in a legal way. For small and big companies alike, using data is already an important part of doing business. Although the GDPR requires data controllers to collect data only for “specific, explicit and legitimate purposes”, it gives data controllers greater flexibility to process personal data for a purpose different from the one for which it was first collected.

Take data masking, for example, which is considered a form of pseudonymization that replaces sensitive data with hypothetical but realistic values. Suppose a record shows that a man named Dilip Vishwakarma is 25 years old and that his Social Security number (SSN) is 245-19-9876. After the data has been masked, Dilip Vishwakarma could be a 46-year-old Premchand Parmar with SSN 111-24-7687. Masked data maintains referential integrity and operational accuracy, so personal data can be securely processed for historical, statistical, and scientific purposes. This is the main reason why pseudonymization makes it possible to process personal data for purposes beyond the original collection purposes.

Case-3 : method of data minimization

Last but not least, pseudonymization permits data controllers to practise “data minimization”, another concept introduced by the GDPR, which limits the use of data to what is required for a specific purpose.

For example, an insurance institution gathers personal information for the issuance of a policy. Later, the institution wants to evaluate this data to improve policy prices. Under the data minimization principle the institution cannot simply do so, because personal data collected for one purpose (e.g. policy issuance) cannot be used for a new purpose (e.g. building a database for price analysis). If the data is pseudonymized, for example by masking, the resulting database can be used for the price analysis, because the GDPR treats pseudonymization as a safeguard that protects the personal data.

Implementation of pseudonymization on SME’s

Small and Medium Enterprises (SMEs) are defined as any enterprise which employs fewer than 250 persons and which has an annual turnover not exceeding €50 million. 9 out of every 10 enterprises in the EU are SMEs, and they are understood to generate two out of every three jobs. Given this, it is a policy objective of the European Commission to promote entrepreneurship and improve the business environment for SMEs.

SMEs are explicitly mentioned in the text of the GDPR: Recital 13 indicates that one motivation for the Regulation was to provide “legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises”.

Recital 132 of the GDPR states that “Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises”. The regulation also provides some specific exemptions to SMEs – for example, reduced requirements around records of processing activities for non-regular processing (Article 30).

Privacy officers and IT professionals are well versed in the benefits of data pseudonymization and data anonymization. Business owners, non-profit organizations, SMEs and big enterprises are all subject to the GDPR; all are therefore responsible for the protection of personal data and exposed to potential fines and reputational damage.

The GDPR imposes two main kinds of fines under its regulation:

As per Article 83(4), penalties of up to €10 million or, in the case of an undertaking, up to 2% of its global turnover of the preceding financial year, whichever is higher. These fines are generally issued for violations connected with record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements.

As per Article 83(5), fines of up to €20 million or, in the case of an undertaking, up to 4% of its total global turnover of the preceding financial year, whichever is higher. These fines are issued for violations relating to the data protection principles, the legal basis for processing, information to data subjects, the prohibition on processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.

According to Article 83, GDPR, each individual fine should be effective, proportionate, and dissuasive, taking into account:

  • The nature, gravity, and duration of the violation;
  • The intentional or negligent character of the infringement;
  • Actions taken by the data controller or data processor to mitigate the damage suffered by data subjects;
  • The degree of responsibility of the controller or processor (related to technical and organizational measures);
  • Previous violations by the data controller or data processor;
  • Cooperation with the supervisory authority;
  • The categories of personal data affected;
  • How the supervisory authority learned about the violation;
  • Whether measures were previously ordered against the controller or processor regarding the same subject matter;
  • Compliance with approved codes of conduct or approved certification mechanisms;
  • Any other factor applicable to the circumstances of the case.

Hence it is very important to understand that the benefit of implementing such techniques will outweigh the implementation cost, and will contribute to the education of everyone handling and processing personal data.

GDPR creates an incentive for controllers to pseudonymize data

The GDPR recognizes the power of pseudonymization, which helps to protect the rights of individuals and also permits the use of data on the basis of legitimate interest.

Recital 29 highlights the GDPR’s aim to encourage pseudonymization within one controller, so that the same controller can process personal data for other purposes and for longer periods, provided appropriate safeguards ensure that unauthorized people cannot easily identify the data subject to whom the original personal data refers.

These incentives appear in five different sections of the regulation. 

Pseudonymization is a fundamental component of “data protection by design”

The GDPR was the first to formally introduce the concept of “data protection by design” into EU legislation. Put simply, data protection by design means that privacy should be an element of product development, not something to be dealt with later. Under Article 25(1) of the GDPR, controllers must therefore apply appropriate protections “both at the time of the determination of the means for processing and at the time of the processing itself.” One way controllers can do this is by pseudonymizing personal data.

Controllers can use pseudonymization to avail of the GDPR’s data security obligations

According to Article 32, controllers must implement risk-based measures to protect data security, such as “pseudonymization and encryption of personal data” (Article 32(1)(a) of the GDPR). The use of pseudonymization under this provision has serious implications. Data controllers must notify the Data Protection Authority of a personal data breach unless it is unlikely to result in a “risk to the rights and freedoms of natural persons” (Article 33(1) of the GDPR). In addition, they must inform the data subjects concerned without undue delay when the risk is “high” (Article 34(1) of the GDPR). Because pseudonymization reduces the risk of harm to data subjects, controllers who use it can avoid having to report security incidents.

Controllers can restrict data subjects’ rights of access, rectification, erasure, and data portability if they can no longer identify the data subject

A controller can use pseudonymization methods that prevent the data subject from being re-identified. For instance, if the controller deletes the direct identifiers without keeping them separately, the data subject cannot be identified again without collecting additional information. Article 11 recognizes this situation and provides exemptions from the rights of access, rectification, erasure, and data portability set forth in Articles 15 to 20. 

The exception applies if “the controller is able to demonstrate that it is not in a position to identify the data subject” and, where possible, the controller informs the data subject accordingly. The GDPR does not require the controller to keep additional information “for the sole purpose of complying with this Regulation”. If, however, the data subject provides additional information that enables their identification in the data set, the controller must allow them to exercise their rights under Articles 15 to 20.
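As an added example (not part of the original article), the following Python sketch shows the mechanism the Article 11, Article 25 and Article 32 sections rely on: direct identifiers are replaced by keyed pseudonyms, and the key together with the pseudonym-to-identity mapping is the “additional information” that Article 4 (5) requires to be kept separately. The records, names and key are constructed for illustration; the function names are the author’s own, not GDPR terminology or any library’s API.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "item": "book", "amount": 12.50},
    {"email": "bob@example.com", "name": "Bob Example", "item": "pen", "amount": 1.20},
]

# Fields that directly identify a person and must leave the working dataset.
DIRECT_IDENTIFIERS = ("email", "name")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed one-way token (HMAC-SHA256). Without the key, the token cannot be
    recomputed from a list of candidate identifiers, unlike a plain hash."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: List[dict], key: bytes):
    """Return (pseudonymized dataset, additional information).

    The dataset keeps only the non-identifying attributes plus a pseudonym.
    The additional information maps pseudonym -> direct identifiers and, like the
    key, must be stored separately under technical and organizational safeguards.
    """
    dataset = []
    additional_info: Dict[str, dict] = {}
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = token
        dataset.append(row)
        additional_info[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return dataset, additional_info


def reidentify(row: dict, additional_info: Dict[str, dict]) -> Optional[dict]:
    """Attribute a row to a person. Only works while the controller still holds
    the separately kept mapping; an empty mapping models the Article 11 case
    where the identifiers were deleted rather than kept separately."""
    return additional_info.get(row["subject_id"])


def locate_subject(dataset: List[dict], key: bytes, email: str) -> List[dict]:
    """Article 11 (2) scenario: a data subject supplies their identifier to
    exercise a right, and the controller still holds the key, so the matching
    rows can be found without a lookup table."""
    token = make_pseudonym(key, email)
    return [row for row in dataset if row["subject_id"] == token]


def unkeyed_dictionary_match(plain_hash: str, candidates: List[str]) -> Optional[str]:
    """Why a plain hash is a weak pseudonym: anyone holding a list of likely
    identifiers can recompute SHA-256 over it and link the token back."""
    for cand in candidates:
        if hashlib.sha256(cand.encode("utf-8")).hexdigest() == plain_hash:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept in a separate secret store in practice
    dataset, extra = pseudonymize(RECORDS, key)
    print(dataset[0])                          # no email or name present
    print(reidentify(dataset[0], extra))       # works with the separate mapping
    print(reidentify(dataset[0], {}))          # None once the mapping is deleted
    print(len(locate_subject(dataset, key, "alice@example.com")))  # 1
```

The contrast between `make_pseudonym` and `unkeyed_dictionary_match` is the practical point: a pseudonym derived without a secret is linkable by anyone who can guess the input, so it offers little of the risk reduction that Articles 32 to 34 reward.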

Pseudonymization is an extensive shield for processing personal data for statistical, historical, and scientific purposes

The GDPR also provides an exception to the purpose limitation principle for processing for statistical, historical, and scientific research purposes. However, Article 89 (1) of the GDPR stipulates that controllers who process data for these purposes must implement “appropriate safeguards” for the rights and freedoms of the data subject. In particular, controllers must adopt “technical and organizational measures” to adhere to the principle of data minimization. The only example the Article gives is pseudonymization, so that the processing “does not permit or no longer permits the identification of data subjects.”

Pseudonymization simplifies processing personal data apart from original collection purposes

The GDPR requires controllers to collect data only for “specified, explicit and legitimate purposes.” Article 5 of the GDPR provides an exception to the purpose limitation principle, however, where data is further processed in a way that is compatible with the initial purposes of collection.

Whether further processing is compatible depends on a number of factors listed in Article 6 (4) of the GDPR, including the link between the processing activities, the context of collection, the nature of the data, and the consequences for the data subject. An additional factor to consider is “the existence of appropriate safeguards, which may include encryption or pseudonymisation” [Article 6 (4) (e)]. Hence, the GDPR allows controllers who have pseudonymized personal data, to an extent, to process the data for a purpose other than the one for which it was collected.

Conclusion

Pseudonymization is an established and accepted de-identification process that has gained additional attention following the adoption of the GDPR, where it is referenced both as a security measure and as a data protection by design mechanism. As a result, in the GDPR context, properly applied pseudonymization can justify relaxing data controllers’ legal obligations to a certain degree. Pseudonymized data is different from anonymous data, and its use is endorsed by the GDPR. 

Data controllers, as well as producers of products, services, and applications, should adopt data protection as a key design approach in their processes; in doing so, they should reassess their possibilities for data minimization by applying proper pseudonymization techniques. Regulators (e.g. Data Protection Authorities and the European Data Protection Board) should encourage the use of pseudonymization as a core data protection by design strategy by further elaborating on its role under the GDPR and providing relevant guidance to controllers as well as SMEs.

