Pseudonymization in the GDPR: Do You Need “Real” Personal Data?

The General Data Protection Regulation (GDPR) is changing our perceptions of data.

The previous post in our series on the GDPR discussed data minimization in the context of computing environments. Since each environment is designed to tease out different answers from the data, the types of data that can be held appropriately in each environment differ. Central to this discussion is the ability to justify collecting and processing a given data point. With this in mind, it’s worth investigating the relationship between data and information.

Often conflated, data and information are not entirely synonymous terms. Data is a collection of facts. Information is insight derived from a collection of facts. Fortunately for those interested in GDPR compliance and business insight, information doesn’t necessarily require personal data.

The relationship between data and information can be thought of as a sliding scale. If all the data in a set is replaced with fake values, the dataset loses nearly all of its analytical usefulness. If all the data in a set is left in place, the dataset may be vulnerable to hacking and abuse. There is another way.

Replacing real values with pseudonyms facilitates compliance by adhering to the data minimization and processing rules in the GDPR. Personal identifiers (or parts of identifiers) can be masked or encrypted. Replacing personal data that is superfluous to the processing purpose is vital for meeting data minimization requirements. Additionally, if enough personally identifiable data is obscured so that the data can no longer be used to identify an individual, the data may be legally processed for purposes beyond those for which it was initially collected. While not always an appropriate data security solution, pseudonymization can be very useful when running both prescriptive and descriptive analytics, such as:

  • Purchasing trends by credit card
  • Insurance claim incidence by demographic
  • Marketing campaign click-through rate
  • Customer success predictors
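An added example (not Dataguise code and not how DgSecure works) of the purchasing-trends case: it uses keyed HMAC-SHA256 tokens as one way to produce pseudonyms, next to last-four masking, and shows per-card and per-category totals surviving the replacement. The key, field names and sample rows are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: demo key only. The real key is stored apart from the dataset,
# since anyone holding it can recompute tokens for candidate card numbers.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample rows (card numbers are well-known test values).
RAW_ROWS = [
    {"name": "A. Example", "card": "4111 1111 1111 1111", "category": "grocery", "cents": 4250},
    {"name": "A. Example", "card": "4111 1111 1111 1111", "category": "fuel", "cents": 3100},
    {"name": "B. Sample", "card": "5500 0000 0000 0004", "category": "grocery", "cents": 1875},
    {"name": "B. Sample", "card": "5500-0000-0000-0004", "category": "travel", "cents": 25000},
]

def digits_only(pan):
    """Normalize a card number so formatting differences do not split groups."""
    return "".join(c for c in pan if c.isdigit())

def pseudonymize(pan, key=DEMO_KEY):
    """Deterministic keyed token: the same card always maps to the same token."""
    mac = hmac.new(key, digits_only(pan).encode(), hashlib.sha256)
    return "tok_" + mac.hexdigest()[:16]

def mask_card(pan):
    """Mask part of the identifier, keeping only the last four digits."""
    d = digits_only(pan)
    return "*" * (len(d) - 4) + d[-4:]

def minimize(rows, key=DEMO_KEY):
    """Drop fields the analysis does not need and replace the card number."""
    return [
        {"card_token": pseudonymize(r["card"], key),
         "card_masked": mask_card(r["card"]),
         "category": r["category"],
         "cents": r["cents"]}
        for r in rows
    ]

def spend_by(rows, field):
    """Total spend in cents grouped by one field."""
    totals = defaultdict(int)
    for r in rows:
        totals[r[field]] += r["cents"]
    return dict(totals)

if __name__ == "__main__":
    safe = minimize(RAW_ROWS)
    print(spend_by(safe, "card_token"))
    print(spend_by(safe, "category"))
```

Because card numbers come from a small, structured space, an unkeyed hash could be reversed by enumeration; the keyed construction is only as strong as the separation between the key and the pseudonymized data.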

As always, we recommend consulting your legal or compliance teams first, but Dataguise DgSecure can automate sensitive data masking and encryption, as well as detection and monitoring—and accelerate your journey to GDPR compliance. Just contact us to get started.