Share

4 min read

Writen by Zlatko Delev

Posted on: February 8, 2022

Pseudonymization and Anonymization of personal data

One thing that is heavily emphasised in GDPR is the importance of Privacy by Design. Mechanisms to protect personal integrity should be built into IT systems and services.

One of the core principles is data minimization. This means that all products and services should be designed so that as little personal data as possible is processed.  You can do this in the following ways:

1.Limit data processing to information that only identifies an individual indirectly

2.Limit data gathering to data that is less sensitive

3.Replace names, e.g., with pseudonyms

4.Do not routinely have personal identity numbers as fields in databases

Two terms that have been used a lot when discussing Privacy by Design and data minimization are anonymization and pseudonymization. Both anonymization and pseudonymization refer to hiding identities and personal data – but in different ways.

Pseudonymization:

In GDPR, pseudonymisation is defined as ”the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” Personal data is thus exchanged with non-identifying data, and additional information is needed to recreate the original data. Further, the additional information should be kept separately.

Pseudonymization makes the information such as personal identification numbers and personal data less accessible to unauthorized users, and is a way to comply with GDPR requirements.

Anonymization:

Anonymized data refers to data that is made anonymous in such a way that the registered can no longer be identified. You simply remove the possibilities of identifying a person, and no additional information can restore the original information. Anonymization is difficult. You completely lose the connection between data and the individual. Nevertheless, it can be a beneficial technique when the data is used for statistical or research purposes.

As you may gather, there is a clear distinction between the two concepts. Pseudonymization means that an individual can still be identified through indirect or additional information. This means that pseudonymized personal data is still in scope. Anonymization means that you cannot restore the original information, and such data is out of scope of the GDPR.

How does pseudonymization and anonymization work in practice?

Directory Replacement

Directory replacement means that you modify data about the registered, while there is still a link between the values. For example, you can use a customer number to identify an individual, and store information that directly identifies an individual, such as personal identification number, separately. In this way you pseudonymize the sensitive data. To anonymise, you should delete the separate sensitive information that directly identifies the registered.

Scrambling

In simple words, scrambling is when you mix letters, and some examples of scrambling techniques are encryption and hashing.

Masking

Masking means that some of the information is hidden using random characters or other data. Masking techniques are widely used in the payment industry and card data processing, where parts of the card number are masked, not the least to comply with PCI DSS.

Hope you find this helpful. For more information feel free to approach us anytime.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

Appointment of a DPO in Singapore: What You Need to Know Before 30th September

If your business handles personal data in Singapore, it’s important to be aware of a key deadline

Enterprise Data Protection: Securing Large-Scale Information Assets

Cyber threats and regulatory pressures have made it necessary for businesses around the world to sa

Continuous Data Protection: Ensuring Real-Time Information Security

Continuous data protection (CDP) has emerged as a crucial strategy in safeguarding data assets agai

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us
anytime.

Contact Us
06 GDPR INFO

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy