
What is pseudonymisation? The EDPB clarifies the use of pseudonymisation for GDPR compliance


In the digital era, where information is an invaluable asset, privacy has become an unavoidable priority. The General Data Protection Regulation (GDPR) was introduced to establish a framework for protecting personal data, but compliance can be complex. 

In this article, we discuss an essential tool that helps navigate the GDPR with confidence: pseudonymisation.

The term “pseudonymisation” under the GDPR

Pseudonymisation is defined in Article 4(5) of the GDPR as the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Essentially, pseudonymisation involves modifying personal data so that individuals cannot be directly identified without the use of separately stored and secured additional information. The EDPB's Guidelines 01/2025 on Pseudonymisation, adopted on 16 January 2025, aim to clarify the use and benefits of pseudonymisation for controllers and processors.

The EDPB highlights that pseudonymisation is not a magical solution for GDPR compliance but rather a tool within a broader set of measures. The document emphasises that pseudonymisation can reduce risks for data subjects by preventing the attribution of personal data to individuals during processing and in cases of unauthorised access or use.

To achieve effective pseudonymisation, data controllers must follow three key actions:

  • Modify or transform the data: this involves altering the original data in such a way that it cannot be directly attributed to an individual.
  • Keep additional information separate: the data required to link pseudonymised data to an individual must be stored separately and protected by technical and organisational measures.
  • Implement technical and organisational measures: robust measures must be put in place to prevent the unauthorised attribution of personal data to an identified or identifiable natural person.

Difference between pseudonymisation and anonymisation

It is crucial to understand the distinction between pseudonymisation and anonymisation, as they are often confused. Pseudonymisation, as previously mentioned, does not render data anonymous. Pseudonymised data remains personal data because there is still a possibility of identifying the individual through additional information.

Anonymisation, on the other hand, is an irreversible process that completely removes the possibility of identifying the individual. Anonymised data is no longer subject to the GDPR, as it is no longer considered personal data.

The EDPB emphasises that pseudonymised data, which could be attributed to an individual using additional information, should still be considered information about an identifiable person and, therefore, personal data. This remains true even if the pseudonymised data and the additional information are held by different parties.

Examples of pseudonymisation in practice

To better understand how pseudonymisation works in practice, here are some examples:

  • Pseudonymisation in medical research: a hospital wants to share patient data for a study on the effectiveness of a new treatment. It pseudonymises the data by replacing names and identification numbers with unique codes while keeping a secure key that allows re-identification if necessary to provide relevant information to patients.
  • Internal data analysis: a company wants to analyse employee data to improve working conditions. It pseudonymises the data by replacing names with codes so that analysts cannot directly identify employees, although the HR department can do so if specific measures need to be taken.
  • Protecting victims of gender-based violence: victims of gender-based violence may request the pseudonymisation of their identifying data to ensure their safety.
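An added example (not from the EDPB guidelines or the original article) of the three actions and the hospital scenario above: direct identifiers are replaced with keyed HMAC-SHA256 codes, and the key and lookup table are returned separately so that a different custodian can hold them. The field names, sample records and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real patients); field names are assumptions.
PATIENTS = [
    {"name": "Ana Ruiz", "national_id": "X1234567A", "treatment": "A", "outcome": "improved"},
    {"name": "Luis Mora", "national_id": "Y7654321B", "treatment": "B", "outcome": "unchanged"},
    {"name": "Ana Ruiz", "national_id": "X1234567A", "treatment": "A", "outcome": "recovered"},
]
DIRECT_IDENTIFIERS = ("name", "national_id")


def pseudonym(secret_key: bytes, national_id: str) -> str:
    """Keyed code: it cannot be recomputed from the ID without secret_key."""
    digest = hmac.new(secret_key, national_id.encode("utf-8"), hashlib.sha256)
    return "P-" + digest.hexdigest()[:16]  # 64-bit code, ample for a small study


def pseudonymise(records, secret_key):
    """Return (research_dataset, lookup_table).

    research_dataset is what the researchers receive. lookup_table and
    secret_key are the "additional information" and stay with a separate
    custodian under their own access controls.
    """
    dataset, lookup = [], {}
    for rec in records:
        code = pseudonym(secret_key, rec["national_id"])
        lookup[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        shared = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"code": code, **shared})
    return dataset, lookup


def reidentify(lookup, code):
    """Only the custodian holding the lookup table can map a code to a person."""
    return lookup.get(code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the custodian only
    dataset, lookup = pseudonymise(PATIENTS, key)
    for row in dataset:
        print(row)
    print(reidentify(lookup, dataset[0]["code"]))
```

The same patient always receives the same code, so researchers can link visits without seeing names. The shared rows remain personal data, because the custodian can still attribute them.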

 

Pseudonymisation is a valuable tool for protecting privacy when processing personal data. However, it is essential to understand that it is not a foolproof solution and does not replace other security measures and GDPR compliance requirements. It must be implemented thoughtfully, assessing risks and applying appropriate technical and organisational measures to ensure the security of additional information and the protection of data subjects’ rights.

At Letslaw we are experts in digital law and can provide you with the legal advice you need.
