Step-by-Step Guide to Implementing Pseudonymisation (Following the EDPB Guidelines)
Eli Atanasov, CIPP/E, PhD
I help businesses and their DPOs put privacy compliance on autopilot, saving them time and money in the process.
Before we dive into the framework, a few notes.
First off, pseudonymisation is a multifunctional tool that helps us comply with many GDPR provisions and principles. Here is a table from the guidelines that sums it up pretty nicely:
Second, pseudonymisation should always be considered in the context of ROPAs. It’s not something that is simply stated in some document. “We are protecting data by using pseudonymisation” is definitely not enough.
Lastly, the framework below is the result of me summarising the examples from the Annex of the Guidelines. It’s not something I came up with on my own.
That said, let’s go!
Context and Purpose of Processing
Start by understanding the purpose of processing and documenting it in your Record of Processing Activities (ROPA).
Example Context: A hospital conducts a clinical study involving patient health records to analyze treatment efficacy.
Purpose of Processing: The hospital needs to process sensitive health data while ensuring compliance with GDPR and minimizing privacy risks to participants.
What Problem is to Be Solved?
Define your goal for pseudonymisation. Are you aiming to rely on legitimate interests for processing, meet the privacy by design/default principle, or both?
Objective: Protect patient privacy by pseudonymising health records to reduce re-identification risks while enabling researchers to use the data for analysis.
Compliance Goal: Fulfill the privacy by default principle while maintaining the utility of the data.
Original Data
Describe the personal data you are starting with before applying pseudonymisation.
Example Original Data:
Pseudonymised Domain
Define who will process the pseudonymised data and in what capacity.
Example: Researchers analyzing the dataset. They will work with pseudonymised data and will not have access to the additional information required for re-identification.
Pseudonymised Data
Describe the data after pseudonymisation.
Example Pseudonymised Data:
Additional Information
Explain how you will implement pseudonymisation, detailing the method used.
Method: Use a lookup table to replace names with pseudonyms.
Example: Store the mapping of “Patient_001” = “John Doe” in a secure, access-controlled database.
Optionally, encrypt sensitive fields (e.g., addresses) using AES encryption.
Storage: Keep the lookup table and encryption keys in a physically and logically separate system, accessible only to authorized personnel.
Processing of Pseudonymised Data
Describe how the pseudonymised data will be used.
Example Use Case: Researchers access pseudonymised health data for statistical analysis. The pseudonyms (e.g., “Patient_001”) are sufficient for their work and do not allow them to identify specific individuals.
Pseudonymisation Process
Detail the steps taken to pseudonymise the data.
Step 1: Extract relevant data fields from the original dataset.
Step 2: Replace direct identifiers (e.g., names) with pseudonyms using a secure, randomized algorithm.
Step 3: Encrypt sensitive indirect identifiers (e.g., addresses) using cryptographic methods.
Step 4: Store the mapping of original identifiers to pseudonyms (lookup table) and encryption keys in separate secure locations.
Step 5: Provide the pseudonymised dataset to researchers for processing.
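As an added worked example (not taken from the guidelines, their Annex or the original article), here are Steps 1 to 5, together with the lookup table and AES method described under Additional Information, as a small Go program. The PatientRecord field names, the “Patient_” plus random hex pseudonym format, the choice of AES-256-GCM for the address field, the demo key and the John Doe record are all assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// PatientRecord is the original data; field names are assumptions for this example.
type PatientRecord struct {
	Name      string // direct identifier: replaced by a pseudonym
	Address   string // indirect identifier: encrypted
	Diagnosis string // research payload: passed through unchanged
}

// PseudonymisedRecord is what the pseudonymised domain (researchers) receives.
type PseudonymisedRecord struct {
	Pseudonym, EncryptedAddress, Diagnosis string
}

// LookupTable is the "additional information": pseudonym -> original name.
type LookupTable map[string]string

func newAEAD(key []byte) (cipher.AEAD, error) { // AES-256-GCM for the address field
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field under a fresh random nonce, prepended to the output (Step 3).
func EncryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptField reverses EncryptField; it fails on a wrong key, tampering or truncation.
func DecryptField(key []byte, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Pseudonymise runs Steps 1 to 4: names become random pseudonyms, addresses are encrypted,
// and the lookup table is returned separately so it is stored apart from dataset and key.
// The returned slice is the dataset handed to researchers (Step 5).
func Pseudonymise(records []PatientRecord, key []byte) ([]PseudonymisedRecord, LookupTable, error) {
	table, out := LookupTable{}, make([]PseudonymisedRecord, 0, len(records))
	for _, r := range records {
		b := make([]byte, 8) // 64 random bits: collisions are negligible (Step 2)
		if _, err := rand.Read(b); err != nil {
			return nil, nil, err
		}
		p := fmt.Sprintf("Patient_%x", b)
		enc, err := EncryptField(key, r.Address)
		if err != nil {
			return nil, nil, err
		}
		table[p] = r.Name
		out = append(out, PseudonymisedRecord{p, enc, r.Diagnosis})
	}
	return out, table, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice held in a KMS or HSM
	rand.Read(key)
	pseudo, table, err := Pseudonymise([]PatientRecord{{"John Doe", "1 Example Street", "Hypertension"}}, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("researcher view: %+v\n", pseudo[0]) // no name, address unreadable
	// Controller side: re-identification needs BOTH the lookup table and the key.
	addr, _ := DecryptField(key, pseudo[0].EncryptedAddress)
	fmt.Println("controller view:", table[pseudo[0].Pseudonym], addr)
}
```

The point to notice is the three outputs of Pseudonymise: the dataset, the lookup table and (implicitly) the key. Researchers only ever get the first; the other two are what the guidelines call additional information and must live in a separate, access-controlled system, because holding either one alone is not enough to re-identify a record.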
Additional Safeguards
Identify safeguards specific to this scenario to further protect the pseudonymised data.
Access Controls: Strictly limit access to the lookup table and encryption keys.
Separation of Duties: Ensure that only administrative staff can access the lookup table, while researchers handle only pseudonymised data.
Auditing: Regularly monitor and log access to both the lookup table and the pseudonymised dataset.
Minimization: Only share the minimum data necessary for the research objective.
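Three of these four safeguards can be enforced in code rather than only in policy. The following Go snippet is an added example, not part of the guidelines or the original article: it wraps the lookup table so that only an admin role can resolve a pseudonym (access control and separation of duties), records every attempt whether allowed or denied (auditing), and trims a dataset down to the columns a study actually needs (minimization). The role names, the audit entry fields and the sample rows are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role models the two domains in the guideline example.
type Role string

const (
	RoleResearcher Role = "researcher" // pseudonymised domain: never sees the table
	RoleAdmin      Role = "admin"      // controller staff: may re-identify
)

// AuditEntry is one line in the access log for the lookup table.
type AuditEntry struct {
	When      time.Time
	Actor     string
	Role      Role
	Pseudonym string
	Allowed   bool
}

// LookupVault wraps the lookup table so that every access is role-checked and logged.
type LookupVault struct {
	table map[string]string // pseudonym -> name
	audit []AuditEntry
}

func NewLookupVault(table map[string]string) *LookupVault {
	return &LookupVault{table: table}
}

// Resolve returns the original name for a pseudonym, but only for the admin role;
// every attempt, allowed or denied, is appended to the audit log first.
func (v *LookupVault) Resolve(actor string, role Role, pseudonym string) (string, error) {
	allowed := role == RoleAdmin
	v.audit = append(v.audit, AuditEntry{time.Now(), actor, role, pseudonym, allowed})
	if !allowed {
		return "", fmt.Errorf("%s (%s) may not access the lookup table", actor, role)
	}
	name, ok := v.table[pseudonym]
	if !ok {
		return "", errors.New("unknown pseudonym")
	}
	return name, nil
}

// DeniedAttempts is what a periodic audit review would pull: all refused accesses.
func (v *LookupVault) DeniedAttempts() []AuditEntry {
	var out []AuditEntry
	for _, e := range v.audit {
		if !e.Allowed {
			out = append(out, e)
		}
	}
	return out
}

// MinimiseForResearch keeps only the columns the research objective needs.
func MinimiseForResearch(rows []map[string]string, keep ...string) []map[string]string {
	out := make([]map[string]string, 0, len(rows))
	for _, row := range rows {
		slim := map[string]string{}
		for _, k := range keep {
			if val, ok := row[k]; ok {
				slim[k] = val
			}
		}
		out = append(out, slim)
	}
	return out
}

func main() {
	vault := NewLookupVault(map[string]string{"Patient_001": "John Doe"}) // constructed sample
	_, err := vault.Resolve("alice", RoleResearcher, "Patient_001")
	fmt.Println("researcher attempt:", err)
	name, _ := vault.Resolve("bob", RoleAdmin, "Patient_001")
	fmt.Println("admin attempt:", name)
	fmt.Println("denied attempts logged:", len(vault.DeniedAttempts()))
	rows := []map[string]string{{"Pseudonym": "Patient_001", "EncryptedAddress": "...", "Diagnosis": "Asthma"}}
	fmt.Println("research extract:", MinimiseForResearch(rows, "Pseudonym", "Diagnosis"))
}
```

In a real deployment the audit slice would be an append-only store outside the vault process and the role would come from your identity provider, but the shape is the same: the decision, the log write and the data release are one code path, so there is no way to read the table without leaving a trace.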
By following this structured framework, you can effectively implement pseudonymisation in line with the EDPB’s guidance. This approach ensures that privacy risks are minimized while maintaining the utility of the data for legitimate processing purposes.