Pseudonymisation in GDPR
Pseudonymised Information and Data Masking Explained
The GDPR strongly recommends that organisations apply two principles to their data: anonymisation and pseudonymisation. Although the two processes sound similar, they differ in both their implications and their requirements.
What is Personal Data?
Before we examine these processes, it is worth first considering a key definition. ‘Personal data’ is, unsurprisingly, a core concept in the GDPR and is defined as any information relating to an identified or identifiable person (the data subject), that is, information that could be used, or potentially be used, to identify an individual.
This identifiable information includes the obvious categories of name, age, address and so on. There are also ‘special categories of personal data’, a far more extensive list of data points that are considered particularly sensitive in nature and are therefore subject to a higher level of protection.
Pseudonymisation vs. Anonymisation
Pseudonymisation takes a data set of personal information and either replaces or removes the data that can be used to identify an individual. After this process the information can no longer be attributed to a data subject without additional information that is kept separately. That additional information must itself be subject to technical and organisational measures to ensure that the data remains unattributable to the data subject.
Like pseudonymisation, anonymisation makes personal data no longer attributable to the data subject, but unlike pseudonymisation, the process cannot be reversed. As a result, under the GDPR, properly anonymised data is no longer categorised as personal data and is not subject to the same rules and regulations.
Techniques for Pseudonymisation
There are many methods used to pseudonymise information, some reversible and some not. The following methods are used for varying purposes, and each has its own strengths and weaknesses.
Scrambling is a technique that mixes and obfuscates letters. For example, the name Mathew, once scrambled, may become 'Teamhw'.
Data Blurring, perhaps best exemplified by facial blurring on video footage, degrades data by approximating values, removing the ability to reverse the process.
Masking is a technique of obfuscation that allows data to only be used for certain purposes, whilst minimising information availability. This method is often employed when you are asked to verify phone or card numbers (e.g. XXX XXXX 5861).
Tokenisation substitutes sensitive data with a non-sensitive equivalent. A benign, randomly generated ‘token’ can then be used to access the original data. Bearing no relation to the original data, tokens can even be single use, which increases their level of security. Tokens also allow organisations to minimise their access, and therefore their liability, in relation to sensitive information.
Encryption is a process that transforms data into an unintelligible form. This process can be extremely difficult to reverse: without the correct ‘decryption key’ (which is kept separate from the encrypted data), even the most powerful computers on Earth would require thousands of years to ‘crack’ strong encryption methods.
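To make the techniques above concrete, here is an added worked example (not code from the original post or from Hut Six) that applies masking, blurring, scrambling and tokenisation to a single constructed customer record. The record, the card number and the field names are all invented for the example. The token vault stands in for the ‘additional information kept separately’ that the GDPR requires to be protected by its own technical and organisational measures; the scrambling helper is included to show why scrambling alone is weak, since it preserves the exact set of letters.

```python
"""Pseudonymisation helpers: masking, blurring, scrambling and tokenisation.

Added example; none of this is the original post's or Hut Six's own code.
"""
import random
import secrets
from dataclasses import dataclass, field


def mask_number(number: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Masking: replace every digit except the final `keep_last` with mask_char.

    Separators (spaces, dashes) are preserved so the layout stays recognisable,
    e.g. "4111 2222 3333 5861" -> "XXXX XXXX XXXX 5861".
    """
    digits = [c for c in number if c.isdigit()]
    first_visible = max(len(digits) - keep_last, 0)
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            out.append(c if seen >= first_visible else mask_char)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def blur_age(age: int, band: int = 10) -> str:
    """Blurring: collapse an exact age into a band such as "30-39".

    The exact value cannot be recovered from the band, so this step is not
    reversible.
    """
    lo = (age // band) * band
    return f"{lo}-{lo + band - 1}"


def scramble(text: str, seed: int) -> str:
    """Scrambling: shuffle the letters of a string with a seeded shuffle.

    Note that the multiset of letters is unchanged, which is exactly why
    scrambling on its own offers little protection against guessing.
    """
    letters = list(text)
    random.Random(seed).shuffle(letters)
    return "".join(letters)


@dataclass
class TokenVault:
    """Tokenisation: random tokens mapped back to the original values.

    In a real deployment the mapping lives in a separate system with its own
    access controls; it is the information that makes re-identification possible.
    """
    _by_token: dict = field(default_factory=dict)

    def tokenise(self, value: str) -> str:
        token = secrets.token_hex(8)   # 16 hex chars, unrelated to the value
        self._by_token[token] = value
        return token

    def detokenise(self, token: str) -> str:
        return self._by_token[token]


def pseudonymise_record(record: dict, vault: TokenVault) -> dict:
    """Apply a technique to each field of a constructed customer record."""
    return {
        "name_token": vault.tokenise(record["name"]),  # reversible via the vault
        "age_band": blur_age(record["age"]),            # not reversible
        "card": mask_number(record["card"]),            # partial, purpose-limited
    }


# Constructed sample record; the card number is not a real one.
SAMPLE_RECORD = {"name": "Mathew", "age": 34, "card": "4111 2222 3333 5861"}

if __name__ == "__main__":
    vault = TokenVault()
    out = pseudonymise_record(SAMPLE_RECORD, vault)
    print(out)
    print("re-identified:", vault.detokenise(out["name_token"]))
```

Running the script prints a record with a random name token, the band "30-39" and the masked card; only the holder of the vault can turn the token back into "Mathew", which is the separation the GDPR's definition of pseudonymisation relies on.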
Depending on your purposes and the nature of the data you are handling, one or more of these methods of pseudonymisation may be recommended, or even necessary under the GDPR. For instance, if you are handling special categories of personal data, or data that could be considered particularly sensitive such as medical records, your requirements under the law will differ from those for less sensitive data such as an age group.