GDPR Data Management: de-identification
The key principle of GDPR is to protect one’s personal data and one way to do so is through a process called de-identification.
De-identification is already a common practice within the healthcare sector. It refers to the two-part process involving the removal of personal direct identifiers (such as names and addresses) and the use of security measures to prevent anyone from re-identifying the individual or data subject.
There isn’t a one-size-fits-all approach when it comes to de-identification, and most companies are encouraged to carry out a risk assessment first. With our strong data security experts working alongside you and your team at every step of data management and de-identification, you can be assured that the work is done to the highest standard and in full compliance with GDPR.
Anonymised vs Pseudonymised data
When we discuss de-identification, it is necessary to mention anonymisation and pseudonymisation and the difference between them.
Anonymisation is the process of removing personal identifiers such as names and addresses, thereby making it impossible to identify the person involved (or data subject).
There are two types of identifiers – direct and indirect. Direct identifiers refer to your name, your address or a copy of your photo. Indirect identifiers include information such as your place of work (from your LinkedIn profile) or a habitual trait.
Because anonymisation completely destroys direct and indirect identifiers, anonymised data do not fall under the scope and scrutiny of GDPR. However, it can also devalue the data involved, as you no longer know who the data subjects are. Before you decide to anonymise any data, engage our team of data experts to help you understand the approach and minimise any risks.
Pseudonymisation is different from anonymisation. Under GDPR and as stated in Article 4(3b), pseudonymisation refers to ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.’
One common example of pseudonymisation occurs when you enter your credit card details to purchase something online: your 16-digit card number is masked to XXXX XXXX XXXX 1015, with only the last four digits visible. Other methods of pseudonymisation include encryption, tokenisation and scrambling.
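The pseudonymisation described above, as an added example that is not part of the original page or Blackhawk's own code: direct identifiers are replaced by a keyed token, the card number is masked, and the key and lookup table (the 'additional information') are returned separately so they can be stored apart from the working data. The use of HMAC-SHA-256 as the tokenisation method, the field names and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "address")  # the direct identifiers named above

# Constructed sample records (not real data); field names are assumptions.
SAMPLE = [
    {"name": "Ann Lee", "address": "1 High St", "employer": "Acme Ltd",
     "card": "4111 1111 1111 1015", "purchase": "book"},
    {"name": "ann  lee", "address": "1 High St", "employer": "Acme Ltd",
     "card": "4111 1111 1111 1015", "purchase": "lamp"},
]

def mask_card(pan: str) -> str:
    """Keep only the last four digits of a 16-digit card number."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) != 16:
        raise ValueError("expected a 16-digit card number")
    return "XXXX XXXX XXXX " + digits[-4:]

def pseudonym(value: str, key: bytes) -> str:
    """Keyed token: stable for one key, not reproducible without it."""
    normalised = " ".join(value.lower().split())
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key):
    """Return (working data, lookup). The key and lookup are the 'additional
    information' and belong in a separate, access-controlled store."""
    working, lookup = [], {}
    for rec in records:
        token = pseudonym("|".join(rec[f] for f in DIRECT_IDENTIFIERS), key)
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["card"] = mask_card(row["card"])
        row["subject_id"] = token
        working.append(row)  # indirect identifiers such as employer remain
    return working, lookup

def reidentify(row, lookup):
    """Only a holder of the lookup table can map a token back to a person."""
    return lookup.get(row["subject_id"])

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, stored apart from the data
    data, table = pseudonymise(SAMPLE, key)
    print(data)
    print(reidentify(data[0], table))
```

The working rows still carry an indirect identifier (`employer`), which is why pseudonymised data remains within GDPR scope and why a risk assessment of the remaining fields is still needed.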
Although pseudonymisation doesn’t let GDPR controllers off the hook completely, it does allow controllers to process pseudonymised data for uses beyond the purpose for which the data were originally collected, as stated in Article 6(4)(e).
Both anonymisation and pseudonymisation have advantages and disadvantages, so before you make the decision, talk to our data security experts and let us work with you to get the best approach.
Understanding data management
Data management, de-identification, anonymisation and pseudonymisation are complicated subjects that are best handled with the help of a team of data security experts who understand risk assessments and the complexity of GDPR. If you require help in any of the areas above, contact the data experts at Blackhawk. We look forward to working with you.
Take the first step – talk to Blackhawk Intelligence today about how we can help you with your data management pertaining to de-identification, anonymisation and pseudonymisation.