GDPR Top Ten #8: Pseudonymisation and its use in profiling

The word pseudonymisation occurs in some form 15 times in the General Data Protection Regulation (GDPR) that will come into force on 25 May 2018. It does not occur in the Directive, the current EU privacy legislation. Similarly, the word “profiling” does not occur in the Directive, yet occurs 23 times in the GDPR. Why this change?

The Article 29 Working Party has already mentioned the concepts of pseudonymisation and profiling in multiple opinions and publications that it has issued throughout the years. The concept of pseudonymisation and the use of profiling are not new. You have most likely heard of them. Moreover, the concept of profiling was included and restricted in the Directive, but it was referred to as “automated decision-making”.

What is pseudonymisation and what is profiling?

Pseudonymisation uses a form of encryption to translate identifiable parts of personal data to unique artificial identifiers, so-called pseudonyms. It aims to decouple the “personal” in personal data. This makes the data ‘anonymous’ within a limited context. Outside of this context the person can still be re-identified. By using pseudonymisation you are applying a security measure to the personal data you have in order to prevent linking that data to the original identity of a person.

Pseudonymised data can still be traced to the data subject. You may need external information to do so, but all pieces of the puzzle still exist, just not all in one place. With anonymised data on the other hand, the original source data is deleted and therefore inaccessible and irreproducible.

Profiling according to the GDPR means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”.

Profiling can also be used for predicting the data subject’s behavior and can be a valuable direct or indirect marketing tool. Note that the GDPR provides that data subjects shall not to be subject to decisions based solely on automated processing (including profiling) when this processing has legal or similarly significant consequences for them. For example, it is prohibited to deny a request for a loan solely based on the automated processing of the information about the individual, since this results in significant (and potentially legal) consequences for that person. The right to object afforded to data subjects by the GDPR explicitly mentions profiling. 

How your company or organisation can use pseudonymisation to its advantage

Pseudonymised data is suitable for a great range of analytical activities, research projects and for statistical purposes. Because not all personal data is exposed, it decreases the risk of abuse of the exposed data in the case of a data breach. The GDPR sets more relaxed standards for data that is pseudonymised as compared to personal data and seems to be nudging companies and organisations to use pseudonymisation as a method of securing the personal data they process. Moreover, when data is pseudonymised it is less like to “significantly affect” the data subject or produce “legal effects” for the data subject, because the data subject can be identified less easily.

If you apply profiling in your organisation, pseudonomysing the data used in the profiling will be subject to the more relaxed standards mentioned earlier. Pseudonymising the data may provide a “suitable measure” to safeguard data subjects’ rights, freedoms and legitimate interests. Profiling may also have positive effects for your clients: based on the information your clients have provided and your profiling exercise, you may be able to offer an identifiable group of clients products aimed specifically at that group.

When done right, application of pseudonymisation can offer more data processing possibilities, including profiling, than if the data were to be processed without applying pseudonymisation as a security measure. You need to keep in mind, however, that it does not render the data anonymous. Pseudonymised data is still considered to be personal data and you need to treat it as such. Even if you have pseudonymised data, in case of a data leak, you may still be obliged to inform the affected data subjects.