At Sirius Legal we receive questions on a regular basis concerning the anonymisation of personal data. Often, the difference between anonymisation and pseudonymisation is not entirely clear. Therefore, in this article we explain exactly how it works and when it is best to choose which option.
What are anonymisation and pseudonymisation?
Although many people tend to confuse the two, there definitely is a difference between anonymising and pseudonymising personal data. When personal data are transformed in such a way that it is no longer possible in any way to link them to a specific individual, these data are anonymised.
If it is still possible to link the data to an individual with the help of additional information, then this is considered to be pseudonymised data. In this case, personal data are given a pseudonym, or a certain code, so that the individuals are not directly identifiable. However, they indirectly remain identifiable when additional information is added. This information or “key” is stored elsewhere and is protected by technical and organisational measures.
Why is this distinction relevant?
The rules of the GDPR apply to all data that allow the (direct or indirect) identification of an individual. Therefore, if as a company you process data that is linked to an individual, you must comply with the obligations of the GDPR. Pseudonymised data fall under this, because they allow individuals to be identified indirectly. As a company, you must therefore take all the protective measures imposed by the GDPR to secure pseudonymised data.
Anonymised data, by contrast, can in principle never be linked to a specific individual. This is therefore no longer personal data within the meaning of the GDPR. As a consequence, you do not need to apply the rules of the GDPR to anonymised personal data. However, note that the current state of technology is always taken into account. For example, it is possible that certain data are sufficiently anonymised today, but not in the future when new technological developments arise that make it possible to identify the individuals.
When is it best to anonymise or pseudonymise personal data?
Sometimes you want to use the collected personal data for a purpose other than that stated beforehand, for example, to compile statistics on your customers. In that case, you have to inform those involved beforehand. When you have anonymised data, this is not necessary. Then you can use the data immediately. But note that the anonymisation of personal data is a processing activity in itself. You need to have a purpose and a legal basis for this.
Although pseudonymised data is still subject to the obligations of the GDPR, it is a useful security measure for companies to protect personal data. Among other things, it ensures that:
- You adopt a ‘privacy by design’ strategy if you pseudonymise data immediately as they enter the company,
- You minimise risks when you share personal data with other companies,
- You prevent data breaches when personal data is accessed within your company, and
- You minimise the risks of data breaches, which is part of a data minimisation strategy.
Checklist: what do you need to take into account?
When pseudonymising or anonymising personal data, keep the following points in mind.
- The processing of pseudonymised data needs to comply with the GDPR. For example, you may not keep them longer than necessary.
- Store the additional information needed to link the data back to the individuals in a secure (online) environment.
- Pseudonymisation is a security measure that you can combine with other technical and organisational measures.
- The anonymisation of personal data is a processing activity in itself, so you also need a purpose and legal basis for this. Also record this in your company’s record of processing activities.
- Delete the original data after you have anonymised them. If you keep them, it is not anonymisation but pseudonymisation.
- Always check whether it is actually possible to link the anonymised data to a specific individual, so do not only remove direct identifiers such as the name. If, for example, you are processing the heights of a group of people and only one person is 1m90 tall, then this person will still be identifiable after the name is removed. As a consequence, these data will not be considered anonymised.
- Take into account the nature of the data and the associated risks. Use stricter security measures and more advanced anonymisation techniques when it comes to, for example, financial or health data. If you want to make anonymised data publicly available, you must also take stricter measures than, for example, for internal statistics.
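
The uniqueness check from the checklist, together with the keyed pseudonym described earlier, as an added Python example that is not part of the original article. The records, the field names, the choice of HMAC-SHA256 for the pseudonym and the threshold `k` are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; all names and values are invented.
RECORDS = [
    {"name": "Alice Peeters", "height_cm": 172, "postcode": "2000"},
    {"name": "Bram Janssens", "height_cm": 172, "postcode": "2000"},
    {"name": "Chloe Maes", "height_cm": 190, "postcode": "2000"},
    {"name": "Daan Willems", "height_cm": 168, "postcode": "9000"},
    {"name": "Emma Claes", "height_cm": 168, "postcode": "9000"},
]

def pseudonymise(records, key, id_field="name"):
    """Replace the direct identifier with a keyed code (HMAC-SHA256).

    Whoever holds `key` can recompute the code for a known name, so the
    output is still personal data and the key must be stored separately.
    """
    out = []
    for rec in records:
        code = hmac.new(key, rec[id_field].encode(), hashlib.sha256).hexdigest()
        row = {f: v for f, v in rec.items() if f != id_field}
        row["pseudonym"] = code
        out.append(row)
    return out

def strip_identifiers(records, drop=("name",)):
    """Remove direct identifiers only; this alone is not anonymisation."""
    return [{f: v for f, v in r.items() if f not in drop} for r in records]

def singled_out(records, quasi_identifiers, k=2):
    """Return rows whose quasi-identifier combination occurs fewer than k times.

    A non-empty result means at least one person can still be picked out
    of the data set even though the name is gone.
    """
    def combo(rec):
        return tuple(rec[q] for q in quasi_identifiers)
    counts = Counter(combo(r) for r in records)
    return [r for r in records if counts[combo(r)] < k]

if __name__ == "__main__":
    stripped = strip_identifiers(RECORDS)
    for row in singled_out(stripped, ["height_cm", "postcode"]):
        print("still identifiable:", row)
```

Run against the sample, the check flags the single 190 cm record even though no name is present, which is the situation the checklist describes.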