Top Ten GDPR Principals No 6 Pseudonymization within profiling

Top Ten GDPR Principals No 6 Pseudonymization within profiling

How pseudonymization can be of benefit you and your customers

Today our article focuses on pseudonymization: what is pseudonymization and how is it different from – the more commonly  known – anonymization? How can you use pseudonymization when you perform profiling and how can you use it on your data? How can pseudonymization be of added value to both your organization and your customers

What is pseudonymization and what is profiling?

Pseudonymization uses a form of encryption to translate identifiable parts of personal data to unique artificial identifiers, so-called pseudonyms. It aims to decouple the “personal” in personal data. This makes the data ‘anonymous’ within a limited context. Outside of this context the person can still be re-identified. By using pseudonymization you are applying a security measure to the personal data you have in order to prevent linking that data to the original identity of a person.

Pseudonymous data can still be traced to the data subject. You may need external information to do so, but all pieces of the puzzle still exist, just not all in one place. With anonymized data on the other hand, the original source data is deleted and therefore inaccessible and irreducible.

Profiling according to the GDPR means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”.

Profiling can also be used for predicting the data subject’s behavior and can be a valuable direct or indirect marketing tool. Note that the GDPR provides that data subjects shall not to be subject to decisions based solely on automated processing (including profiling) when this processing has legal or similarly significant consequences for them. You can only carry out this type of profiling where the decision is;

  • Necessary for entry into or performance of a contract.
  • Authorized by union or member state law applicable to the controller or:
  • Based upon the data subjects explicit consent.

Additionally if your processing falls under Article 22 ensure you:

  • Provide data subjects with information about the processing
  • Provide a simple transparent way for individuals to  ask for human intervention and to challenge the decision.
  • Carry our regular checks on the systems to ensure they are working as expected

How your company or organization can apply pseudonymization to its advantage

Pseudonymous data is suitable for a great range of analytical activities, research projects and for statistical purposes. Because not all personal data is exposed, it decreases the risk of abuse of the exposed data in the case of a data breach. The GDPR sets more relaxed standards for data that is pseudonymous as compared to personal data and seems to be nudging companies and organizations to use pseudonymization as a method of securing the personal data they process. Moreover, when data is pseudonymous it is less like to “significantly affect” the data subject or produce “legal effects” for the data subject, because the data subject can be identified less easily.

If you apply profiling in your organization, pseudonomyzing the data used in the profiling will be subject to the more relaxed standards mentioned earlier. Pseudonymizing the data may provide a “suitable measure” to safeguard data subjects’ rights, freedoms and legitimate interests. Profiling may also have positive effects for your clients: based on the information your clients have provided and your profiling exercise, you may be able to offer an identifiable group of clients products aimed specifically at that group.

When applied correctly pseudonymization can offer more data processing possibilities, including profiling, than if the data were to be processed without applying pseudonymization as a security measure. You need to keep in mind, however, that it does not render the data anonymous. Pseudonymous data is still considered to be personal data and you need to treat it as such. Even if you have pseudonymized data, in case of a data leak, you may still be obliged to inform the affected data subjects.

If your company are applying these methods within your data processing activities then the Relentless comprehensive GDPR assessment service will identify any gaps and provide the remediation steps needed to ensure compliance.

Book your GDPR Comprehensive assessment now 

Sharing is caring!

shares
error: Content is protected !!