GDPR and Pseudonymisation

Pseudonymisation is the process where identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. With regard to the security of personal identifiable information, the 'keys' linking the pseudonyms to the actual data should be secured in a separate location.

The GDPR considers pseudonymisation and encryption of personal data as one of the appropriate technical and organisational measures to ensure a level of security,   [GDPR Article 32, Paragraph (1a)].  

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.    [GDPR Citation (26)].

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.   [GDPR Citation (26)].

The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.   [GDPR Citation (28)]. 

In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.   [GDPR Citation (29)].