The European Data Protection Supervisor (EDPS) and the Spanish supervisory authority (AEPD) have published a joint paper setting out 10 misunderstandings related to anonymisation. As the title suggests, there is a lot of confusion about when data has truly been anonymised, in particular confusion with pseudonymised data, which is still personal data within the scope of the GDPR. The 10 misunderstandings and their key points are:
1. Pseudonymisation is the same as anonymisation
This is incorrect – "pseudonymisation" means "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person". The use of "additional information" can identify the individuals, which explains why pseudonymous personal data is still personal data.
Data which is truly anonymous cannot be linked to specific individuals, so does not fall within the scope of GDPR.
2. Encryption is anonymisation
Encryption is not an anonymisation technique, but it can be a pseudonymisation tool. The key needed to decrypt the data can be "additional information", as referred to in misunderstanding number 1.
3. Anonymisation of data is always possible
It may not be possible to prevent the data from identifying individuals while retaining a useful dataset for a specific processing activity, for example when the data relates to a small number of individuals or the datasets include specific data which makes it easy to identify them.
4. Anonymisation is forever
New technical developments and the availability of additional data may make it possible to re-identify data which was previously anonymised.
5. Anonymisation always reduces the probability of re-identification of a dataset to zero
While a robust anonymisation process reduces the risk of re-identification below a certain threshold, zero risk may not be possible. The acceptable risk level depends on several factors, including the mitigation controls in place, the impact on individuals' privacy if the data is re-identified, and the motivation and capacity of an attacker to re-identify the data.
6. Anonymisation is a binary concept that cannot be measured
The risk of re-identification is rarely zero – there are are degrees of anonymisation. Any robust anonymisation process will assess the re-identification risk and continue to manage and control that risk.
7. Anonymisation can be fully automated
While automated tools can be used during the anonymisation process, expert human intervention is needed to analyse the original dataset, its intended purposes, the techniques to apply and the reidentification risk of the resulting data.
8. Anonymisation makes the data useless
A proper anonymisation process can keep the data functional for a given purpose. While personal data must not be kept in a form which permits identification of data subjects for longer than necessary for the purposes for which the personal data is processed, anonymising the data may provide a solution, if the anonymised dataset still contains useful information.
9. Following an anonymisation process that others used successfully will lead our organisation to equivalent results
Organisations need to tailor their anonymisation processes to the nature, scope, context and purposes of their data processing, as well as the likelihood and severity of the risks to the rights and freedoms of individuals if the data is re-identified.
10. There is no risk and no interest in finding out to whom this data refers to
Re-identification of data subjects could have a serious impact on their rights and freedoms. Re-identification in a seemingly harmless context may lead to inferences about the individual, for example their political beliefs or sexual orientation, which are subject to additional protection as special category data.
Anonymisation of data is a useful tool, but, as the misunderstandings outlined above illustrate, it is sometimes used incorrectly or confused with pseudonymisation. In the March 2021 issue of DWF Data Protection Insights we reported on the ICO's plans to update its guidance on anonymisation and pseudonymisation, so of course we will report further once this guidance is published. In the meantime, if you would like any advice about using anonymisation and/or pseudonymisation correctly, please contact one of our specialist data protection lawyers.