What is pseudonymisation?

What is pseudonymisation - Viacryp

The introduction of the General Data Protection Regulation (GDPR) has led to privacy becoming a hot topic. Organisations have been working on taking appropriate measures and, in that context, the term ‘pseudonymisation’ is popping up more and more. But what exactly is pseudonymisation?

I personally always use the following explanation. Personal data can be split into two parts:

  • Information about who someone is
  • Information about what someone does

The ‘who’ is how you identify someone, such as by their telephone number, date of birth or bank account number. The ‘what’ is that individual’s behaviour, for example where he has been, who he has called, what he has bought or what he likes. To carry out analyses, you generally only need to know what people do, not who they are. When it comes to pseudonymisation, the ‘who’ part gets replaced by a unique code. It is important that the information about who someone is always gets replaced by the same code. This allows you to combine information about the same person from different sources, for example:

  • How many people visited the FAQ on our website and then contacted our customer service department?
  • Of the cars that drove into the city, which ones also parked there?
  • Has anyone taking our medication also watched the instructional videos on our website?

The way in which the ‘who’ part is replaced by a code can be either reversible or irreversible. A reversible process may be necessary in certain cases, but an irreversible process offers the best privacy protection, of course.

The safest way to pseudonymise is to not do part of the process yourself. This prevents unauthorised individuals (from both within and outside your organisation) from being able to reverse the pseudonymisation process and thus retrieve privacy-sensitive information.

Pseudonymisation in conformity with the GDPR

The drafters of the GDPR paid special attention to the concept of pseudonymisation and gave it a clear place in the regulation. The term is literally mentioned no fewer than 15 times in the legislation. The GDPR defines pseudonymisation as follows:

“…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

This GDPR definition obviously takes precedence when assessing whether pseudonymisation is taking place properly. The GDPR does not mention replacing the ‘who’ part with a unique code, but states that personal data, after pseudonymisation, can no longer be linked to the individual to whom the data relate. This can potentially be done using supplemental data, but additional requirements have been established for this:

  • The supplemental data which link the personal data to the data subject must be stored separately.
  • Technical and organisational measures must ensure that the data are not linked.

In our blog ‘Pseudonymisation: do it yourself or outsource it?’, we explain precisely what these additional requirements mean.

Because pseudonymisation is the processing of personal data, it is, of course, subject to all the requirements of the law with regard to processing. This means that data processing must always be kept to a minimum—in other words, limited to what is necessary for the purpose for which the data are processed. Additionally, there must, of course, be legal grounds for the processing of the data. Provided these requirements are met, pseudonymisation has taken place in accordance with the GDPR.

Read also:

Adam Knoop

About us - Adam Knoop | Viacryp

As founder of the data company Hot ITem, Adam has been intensively involved in big data for the past 20 years. More and more organisations now work with data and use facts to gain their insights. For a number of years, Adam was involved in projects aimed at obtaining better management information—projects in which privacy was a hot topic. The importance of the careful handling of privacy has grown greatly alongside the increasing use of data; Adam first encountered pseudonymisation as a consultant to the Ministry of Health, Welfare and Sport, where large quantities of healthcare data are stored for analysis purposes. Adam is convinced of the importance of innovative solutions which make it possible to carry out useful analyses while respecting the privacy of individuals. As the director of Viacryp, he is proud that he is contributing to the solution for this important issue.