Pseudonymisation

What is Pseudonymisation

Pseudonymisation is generally associated with the European Union’s General Data Protection Regulation (GDPR), which calls for pseudonymisation to protect personally identifiable information and is the only technology specifically mentioned within the Act under “Article 4, Definitions”:
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Pseudonymisation takes easily identified fields within a database or file and replaces them with artificial identifiers, or pseudonyms. For example, a car make is replaced with a unique number. The purpose is to render the information unrecognisable and therefore reduce concerns with data privacy.
Pseudonymised Data is not the same as Anonymised Data. When data has been pseudonymised it still retains a level of detail allowing tracking back of the data to its original form. Anonymised data is completely changed and thus cannot be reconstructed back to its original state.
Sensitive Pseudonymised Data should still be encrypted with a strong, industry recognised encryption program.

Where to use Pseudonymisation

The choice of which data is to be pseudonymised is sometimes company specific, but should always be Personally Identifiable Information (PII). Frequently such data is simply name, address, date of birth etc but could also include Social security or national insurance numbers.

The techniques used for Pseudonymisation depend on what you want to achieve and our solutions for Data at Rest Encryption, Tokenisation or Masking cover the most popular and industry recognised solutions to protect data. In our opinion, there is no point in deploying a simple form of data scrambling if the value of the data is so high that if there were a breach you would face a fine because the protection taken on the data was not in proportion to the data significance.