Frequently Asked Questions (FAQs)
Q1: How has Pseudonymisation been redefined within the last 4 years?
A1: The definition of Pseudonymisation as now found in Article 4(5) of the GDPR was created roughly 4 years ago during the drafting of the GDPR. It requires that personal data must not be able to be attributed to a specific data subject without the use of additional information kept separately, and subject to “technical and organisational measures.”
Q2: Haven’t Pseudonyms or “Noms de Plume” been used for hundreds of years to hide the identity of authors?
A2: This is exactly the point. The word as used in the past does not satisfy new requirements under the GDPR. As a newly defined term under the GDPR, Pseudonymisation has the ability to not only improve data security and privacy, but also to maximize the value and utility of data, all in a more secure and privacy-respectful manner.
Q3: How is Pseudonymisation treated differently under the GDPR than Encryption?
A3: The term “Encryption” is used four times in the GDPR. All four of these uses relate to keeping data secure when at rest or in transit. The term “Pseudonymisation” is used twice within the same sentences as Encryption to address keeping data secure when in use. Keeping data secure in this way cannot be done with Encryption alone, only in combination with Pseudonymisation. In addition, Pseudonymisation is used thirteen more times, for a total of fifteen times in the GDPR, due to its ability to maximize the value and utility of data in a secure and privacy-respectful manner.
Q4: How is Pseudonymisation treated differently under the GDPR than other Privacy Enhancing Techniques like Anonymisation, Differential Privacy or Tokenization?
A4: GDPR Article 40(2)(d) recommends Codes of Conduct to encourage key concepts under the GDPR. While it highlights Pseudonymisation as an area for which a Code of Conduct should be developed, it does not mention Anonymisation or any other Privacy Enhancing Technology (PET). Note that Differential Privacy, Tokenization and Synthetic Data are never mentioned in the GDPR. These approaches use static identifiers which do not defend against unauthorised re-identification via the Mosaic Effect (see www.MosiacEffect.com). No Privacy Enhancing Technology (PET) other than Pseudonymisation is explicitly named in the GDPR.
Q5: What are the benefits of newly-defined Pseudonymisation under the GDPR?
A5: You asked for them, so here they are! Click here for the benefits of GDPR-compliant Pseudonymisation.
According to GDPR Article 4(5) definitional requirements, data is Pseudonymised if it cannot be attributed to a specific data subject without the use of separately kept “additional information.” Pseudonymised data embodies the state of the art in Data Protection by Design and by Default because it requires protection of both direct and indirect identifiers (not just direct). The shortcomings of prior approaches to data protection (e.g., failed attempts at anonymisation) are highlighted by two well-known historical examples of unauthorized re-identification of individuals using AOL and Netflix data. These examples of unauthorized re-identification did not require access to separately kept “additional information” that was under the control of the data controller as is now required for GDPR-compliant Pseudonymisation.