What is Pseudonymization?
The concept of pseudonymization is one of the favoured techniques under the GDPR to minimize the amount of personal data that is held.
The GDPR defines pseudonymization as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject
without the use of additional information. It further provides that in order for the data to be pseudonymized, the data must be kept separately and subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. This means that the personal identifiers are removed from the data and stored in a separate database
, and linkage to a specific individual will not be possible without the additional information that is held separately.
Although this technique detaches the link between the data and the data subject, pseudonymous data is still considered personal data under the GDPR
because the detachment can be reversed and therefore, falls within the scope of the GDPR.
The application of pseudonymization to personal data can reduce the risks to data subjects
concerned and help controllers and processors to meet their data protection obligations. The benefits of pseudonymization of personal data for controllers under the GDPR include:
- It is used as a safeguard for processing personal data for scientific, historical and statistical purposes.
- It is an important data protection by design feature used to implement the data protection principles such as data minimization.
- Controllers can use pseudonymization to help meet the GDPR’s data security requirements.