Protecting Data or Personal Data From Unauthorized Access by Third Parties
Introduction to Anonymization and Pseudonymization
What do the Hollywood blockbuster “The Imitation Game – A Top Secret Life” and data protection have in common? Both are about protecting data or personal data from unauthorised access by third parties. They prove that data protection can also offer Hollywood-quality suspense. In the next few lines, we would like to show you how you can possibly save yourself a lot of “fuss” with the supervisory authorities.
First, we would like to briefly show you the differences between anonymised and pseudonymised data. Then we will explain why you should deal with this topic.
What is anonymised data?
In contrast to the pseudonymisation of data, anonymised data does not enjoy the privilege of a so-called “legal definition” in the GDPR. This means that there is no definition of anonymised data in the GDPR.
In principle, anonymised data is data that has no personal reference (surname, first name, email address, tax ID, etc.). However, the question of when such a reference to a person can be ruled out has been disputed for some time and depends on the uncertainties of technological progress.
When formulating the GDPR, the legislator deliberately decided to forgo a legal definition and leave this responsibility to the users, supervisory authorities and the courts. In summary, the discussion revolves around which standard should apply to the “reference to a person”. Is it only a question of whether the data controller itself is unable to establish a link to a person (subjective theory), or is the theoretical possibility that someone could establish such a link in some way, using all possible means, sufficient to affirm a personal reference (objective theories)?
According to recital 26 of the GDPR, the means and knowledge of the data controller to establish the link to a person must first be considered, but then it must also be examined whether the data controller would reasonably obtain additional knowledge that is objectively and legally available. The European legislator is trying to find a compromise here.
A data set can therefore be anonymous for one body and have a personal reference for another.
In case of doubt, you should therefore not consider the data set to be anonymous and take appropriate security measures in accordance with the requirements of the GDPR and national data protection regulations.
After taking a closer look at anonymous data, we would like to turn to its little brother, pseudonymised data.
What is pseudonymisation and pseudonymised data?
These are thankfully explained indirectly in Art. 4 No. 5 GDPR. “Pseudonymisation” is described as the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data cannot be attributed to an identified or identifiable natural person.
Pseudonymised data is personal data whose direct personal reference has been replaced by a pseudonym (e.g. “C3PO” instead of “John Doe” or the personnel number instead of the name), but where the reference to a person still exists indirectly. This pseudonym can be converted back into a direct personal reference using a tool.
When assessing whether a data set has been sufficiently obscured or pseudonymised, the current state of the art plays an important role, as it already does when assessing anonymous data sets. A policy with clear rules, supporting software for pseudonymisation and defined access authorisations are helpful to ensure pseudonymisation.
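The separation described above can be sketched in code. This is an added example, not part of the original article: it replaces direct identifiers with a keyed pseudonym (HMAC-SHA256) and returns the "additional information" as a separate lookup table. The field names, the `P-` prefix and the demo key are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: these fields are the direct identifiers in our sample records.
DIRECT_IDENTIFIERS = ("name", "email")

def pseudonym(key: bytes, identity: str) -> str:
    """Keyed pseudonym: stable per person, not recomputable without the key."""
    normalised = identity.strip().lower().encode("utf-8")
    return "P-" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key):
    """Return (working data set, lookup table). Store the two separately."""
    working, lookup = [], {}
    for rec in records:
        pid = pseudonym(key, rec["email"])
        # "Additional information": the only place identities survive.
        lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        rest = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        working.append({"pid": pid, **rest})
    return working, lookup

def reidentify(pid, lookup):
    """Works only for whoever is authorised to read the lookup table."""
    return lookup.get(pid)

def most_popular_meal(working):
    """Statistics run on the working set without touching any identity."""
    return Counter(r["meal"] for r in working).most_common(1)[0]

# Constructed sample data (not real persons).
SAMPLE = [
    {"name": "John Doe", "email": "john.doe@example.com", "meal": "pasta"},
    {"name": "Jane Roe", "email": "jane.roe@example.com", "meal": "curry"},
    {"name": "John Doe", "email": "John.Doe@example.com ", "meal": "pasta"},
]
KEY = bytes(range(32))  # constructed demo key; a real key belongs in a secrets store

if __name__ == "__main__":
    working, lookup = pseudonymise(SAMPLE, KEY)
    print(working)
    print(most_popular_meal(working))
    print(reidentify(working[0]["pid"], lookup))
```

The working set remains personal data as long as the key or the lookup table exists anywhere, which is why access to both has to be restricted.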
What is the difference between anonymised and pseudonymised data?
Anonymised data, in contrast to merely pseudonymised data, no longer contain any reference to a person. They therefore no longer fall within the scope of the GDPR if no natural person can be identified with their help at the time of the assessment. Please note, however, that this assessment could turn out differently at a later point in time.
In contrast to anonymised data, pseudonymised data still fall within the scope of the GDPR and other data protection laws such as the BDSG and the TTDSG. Here, the reference to a person is retained through the pseudonym and a natural person can still be identified.
Why should you deal with the issue of pseudonymised data?
Pseudonymised data is subject to data protection, but working with pseudonymised data sets is easier in terms of data protection law. For example, the pseudonymisation of data sets is considered an additional protective measure that can be taken in order to transfer data to the USA using standard contractual clauses in compliance with data protection law. Furthermore, the pseudonymisation of personal data is a technical and organisational protection measure pursuant to Article 32 (1) (a) of the GDPR, which contributes to the security of the processing of personal data.
When weighing up the legitimate interest pursuant to Art. 6 (1) 1 (f) GDPR, this is more likely to be in your favour if you only use pseudonymised data.
By pseudonymising data, you can also significantly reduce your data protection risks as well as the risks for the data subject.
With anonymised data, the benefits are even greater. As mentioned before, anonymised data frees you from the “constraints” of data protection. You do not need a legal basis for processing anonymised data. Among other things, you do not have to adhere to the principles of data minimisation and you can store anonymised data records indefinitely. If anonymised data sets are stolen from you, you usually do not have to report this to your competent data protection supervisory authority.
From a data protection point of view, you should ask yourself for every analysis and statistic that you carry out or collect in your company whether you can work with anonymised or at least pseudonymised data.
Often, such data sets are sufficient, for example, to analyse the general customer or click behaviour on your websites and to develop corresponding optimisation strategies.
Our experience also shows that anonymised and pseudonymised data sets are often completely sufficient, for example, to carry out statistical surveys on sales figures, employee car park occupancy or the most popular canteen meal.
Often, employees also develop new approaches to solving known problems when working with anonymised data sets, as they are not limited by plain names.
If you have any questions about anonymising or pseudonymising your customer data, employee data or other data, we will be happy to advise you.