GDPR Top Ten: #8 - Pseudonymization and its use in profiling
How pseudonymization can benefit you and your customers
This blog focuses on pseudonymization: what is pseudonymization, and how does it differ from the better-known anonymization? How can you use pseudonymization when you perform profiling, and how can you apply it to your data? How can pseudonymization add value for both your organization and your customers?
13 January 2017
The word pseudonymization occurs in some form 15 times in the General Data Protection Regulation (GDPR) that will come into force on 25 May 2018. It does not occur in the Directive, the current EU privacy legislation. Similarly, the word “profiling” does not occur in the Directive, yet occurs 23 times in the GDPR. Why this change?
The Article 29 Working Party has already mentioned the concepts of pseudonymization and profiling in multiple opinions and publications that it has issued throughout the years. The concept of pseudonymization and the use of profiling are not new. You have most likely heard of them. Moreover, the concept of profiling was included and restricted in the Directive, but it was referred to as “automated decision-making”.
What is pseudonymization and what is profiling?
Pseudonymization uses a form of encryption to translate identifiable parts of personal data to unique artificial identifiers, so-called pseudonyms. It aims to decouple the “personal” in personal data. This makes the data ‘anonymous’ within a limited context. Outside of this context the person can still be re-identified. By using pseudonymization you are applying a security measure to the personal data you have in order to prevent linking that data to the original identity of a person.
Pseudonymized data can still be traced to the data subject. You may need external information to do so, but all pieces of the puzzle still exist, just not all in one place. With anonymized data on the other hand, the original source data is deleted and therefore inaccessible and irreproducible.
Profiling according to the GDPR means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”.
Profiling can also be used to predict the data subject’s behavior and can be a valuable direct or indirect marketing tool. Note that the GDPR provides that data subjects shall not be subject to decisions based solely on automated processing (including profiling) when this processing has legal or similarly significant consequences for them. For example, it is prohibited to deny a request for a loan solely on the basis of automated processing of the information about the individual, since this has significant (and potentially legal) consequences for that person. The right to object afforded to data subjects by the GDPR explicitly mentions profiling.
How your company or organization can use pseudonymization to its advantage
Pseudonymized data is suitable for a great range of analytical activities, research projects and statistical purposes. Because not all personal data is exposed, it decreases the risk of abuse of the exposed data in the case of a data breach. The GDPR sets more relaxed standards for data that is pseudonymized as compared to personal data and seems to be nudging companies and organizations to use pseudonymization as a method of securing the personal data they process. Moreover, when data is pseudonymized it is less likely to “significantly affect” the data subject or produce “legal effects” for the data subject, because the data subject can be identified less easily.
If you apply profiling in your organization, the data used in the profiling becomes subject to the more relaxed standards mentioned earlier once you pseudonymize it. Pseudonymizing the data may provide a “suitable measure” to safeguard data subjects’ rights, freedoms and legitimate interests. Profiling may also have positive effects for your clients: based on the information your clients have provided and your profiling exercise, you may be able to offer an identifiable group of clients products aimed specifically at that group.
When done right, application of pseudonymization can offer more data processing possibilities, including profiling, than if the data were to be processed without applying pseudonymization as a security measure. You need to keep in mind, however, that it does not render the data anonymous. Pseudonymized data is still considered to be personal data and you need to treat it as such. Even if you have pseudonymized data, in case of a data leak, you may still be obliged to inform the affected data subjects.
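As an added example, not part of the original post, the following Python sketch shows the separation the text describes: a keyed hash (HMAC, used here in place of the “form of encryption” the text mentions) replaces the identifying e-mail address with a pseudonym, the pseudonymized records go to a profiling step that needs no identities, and a separately held lookup table is the only way back to the person; clearing that table is the anonymization contrast. The customer records and the key are constructed sample data.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records: the identifiable part is the e-mail address.
CUSTOMERS = [
    {"email": "anna@example.com", "age": 34, "spend": 120.0},
    {"email": "bo@example.com", "age": 29, "spend": 80.0},
    {"email": "anna@example.com", "age": 34, "spend": 45.0},
    {"email": "cem@example.com", "age": 52, "spend": 300.0},
]
DEMO_KEY = b"constructed-demo-key"  # in practice: stored apart from the data

def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of the identifier. The same identifier always maps to the
    same pseudonym (so records of one person stay linkable for profiling),
    but without `key` a pseudonym cannot be recomputed from a guessed e-mail."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(records, key):
    """Return (pseudonymized records, re-identification table). The two
    outputs are meant to live in different places: the records go to the
    analytics environment, the table stays with the controller."""
    lookup, out = {}, []
    for r in records:
        p = pseudonym(r["email"], key)
        lookup[p] = r["email"]
        out.append({"id": p, "age": r["age"], "spend": r["spend"]})
    return out, lookup

def profile_age_groups(pseudo_records):
    """Profiling step that works on pseudonyms only: spend per age bracket."""
    totals = defaultdict(float)
    for r in pseudo_records:
        totals[f"{(r['age'] // 10) * 10}s"] += r["spend"]
    return dict(totals)

def reidentify(pseudo_id, lookup):
    """Only the holder of the lookup table can get back to the person."""
    return lookup.get(pseudo_id)

def anonymize(pseudo_records, lookup):
    """Anonymization as the post contrasts it: destroy the only link back and
    drop the pseudonym, so the source identity is irreproducible."""
    lookup.clear()
    return [{k: v for k, v in r.items() if k != "id"} for r in pseudo_records]
```

A breach of the pseudonymized records alone exposes ages and spend but no e-mail addresses, yet the data is still personal data because the controller can re-identify it with the table.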