/>iOn Jan. 16, 2025 the European Data Protection Board (EDPB) published guidelines on the pseudonymization of personal data for public consultation. The Berlin Data Protection Commissioner (BlnBDI) played a leading role in drafting these guidelines (see the German-language BlnBDI press release). The consultation is ongoing, and comments can be submitted until Feb. 28, 2025, via the EDPB form.
Pseudonymization v. Anonymization
The proposed guidelines provide an overview of pseudonymization techniques and their benefits in business. Under the General Data Protection Regulation (GDPR), pseudonymization means processing personal data so that it can’t be attributed to a specific person without the use of additional information. Unlike anonymization, where data can’t be traced back to an individual even with additional information, pseudonymized data is still considered personal and subject to GDPR.
Advantages of Pseudonymization
The guidelines emphasize that the GDPR does not mandate pseudonymization. Nevertheless, using pseudonymization techniques can enhance GDPR compliance and lower data breach risks. It also supports using legitimate interests as a legal basis for data processing and ensures compatibility with original data collection purposes. Accordingly, companies can use pseudonymization to develop privacy-enhancing applications for data use and analysis that appropriately considers the rights of data subjects. This is particularly relevant in data-heavy sectors like finance, human resources, and health care.
Pseudonymization Procedures
According to the guidelines, effective pseudonymization involves three steps:
| 1. | Transform personal data by removing or replacing identifiers using methods like cryptographic algorithms (e.g., message authentication codes or encryption algorithms) or lookup tables, where pseudonyms are matched with identifiers. |
| 2. | Store separately and protect additional information, such as cryptographic keys or lookup tables, for subsequent re-identification (“pseudonymization secrets”). Information beyond the controller’s immediate control, which can reasonably be expected to be available to the controller, should be considered when assessing the effectiveness of pseudonymization. |
| 3. | Implement technical and organizational measures (TOMs) to safeguard against unauthorized re-identification. TOMs include access restrictions, decentralized storage of pseudonymization secrets, and random generation of pseudonyms. |
These measures enhance data security and reduce data breach risks. The guidelines provide practical scenarios to illustrate these procedures.
Outlook
Although not legally binding, the EDPB guidelines often influence courts and regulators. They help interpret the GDPR and guide companies in developing compliant processes for data protection. Companies should view these guidelines as important advice for designing their privacy practices, which can minimize legal risks and support arguments during official audits or legal disputes.
The guidelines assist businesses in balancing data protection with operational needs. Pseudonymization can offer competitive advantages by safeguarding customer data and boosting customer trust through privacy-focused practices.
