Personal Data Destruction, Anonymization, and Pseudonymisation Guideline — Phase Three: Pseudonymisation emphasizes that anonymization means permanently stripping all information from a dataset that could identify a person—either directly or indirectly. Once data is anonymized properly and irreversibly, it is no longer considered “personal data” and does not fall under PDPL. Controllers must assess the risk of re-identification, implement strong safeguards, and regularly update their methods to ensure the data remains anonymous.
Make it impossible to re-identify. Review, assess, and update controls continually.
Phase Three: Pseudonymisation
Pseudonymisation is defined as the process of transforming primary identifiers that reveal the identity of the data subject into codes that render the direct identification of the data subject infeasible without the use of additional data or information. Such additional data or information shall be maintained separately and subjected to adequate technical and administrative controls to ensure that it cannot be definitively linked to the data subject.
Pseudonymised data is considered personal data because it may still be used, in one way or another, to identify a specific individual. Pseudonymisation serves as a protective measure for personal data and is deemed an appropriate technical safeguard against the risks associated with personal data processing. However, its effectiveness in safeguarding personal data is not equivalent to that of anonymization. One example of pseudonymisation is substituting one or more of the data subject’s PII elements; for instance, the name is replaced with a symbol (such as a reference number).
Pseudonymisation shall be applied whenever personal data, including personal data linked to an individual other than the data subject, is disclosed. In such instances, the personal data of the individual shall be Pseudonymised to ensure their privacy. Pseudonymisation shall also be applied when personal data is collected or processed for scientific, research, or statistical purposes without the data subject’s consent, provided that such Pseudonymisation does not compromise the purpose for which the data is being processed.
Examples of Anonymization and Pseudonymisation Techniques:
Technical measures employed to anonymize and pseudonymise personal data vary depending on the specific data being processed and the Controller’s regulations. These measures must be regularly reviewed and updated to ensure that the data cannot be linked to a specific data subject.
Examples of Commonly Used Techniques:
A) Data Generalization: The substitution of specific attributes with more generalized values. For instance, aggregating ages into age bands (20-30, 30-40) rather than using precise age values.
B) Data Aggregation: The consolidation of individual data points into a range, group, or category, for instance, recording only the birth year instead of the full birthdate. It should be ensured that the aggregated data cannot be used to infer information about specific individuals.
C) Data Encryption: The process of transforming personal data into a secure code using robust cryptographic algorithms. Cryptographic keys must be stored securely and separately from the encrypted data.
D) Data Masking: The application of data masking techniques to conceal or obscure specific data elements.
Updated Protective Measures:
C. Implement appropriate organizational, administrative, and technical measures to mitigate risks, ensuring that these measures are up-to-date and aligned with technological advancements and evolving anonymization techniques.
Continuous Effectiveness Review:
D. Evaluate the effectiveness of implemented anonymization techniques and implement requisite adjustments to ensure the sustained irreversibility of the anonymization process.
Explanation of Phase Three: Pseudonymisation
Use coded substitutes for identifiers:
Phase Three: Pseudonymisation says to replace names or identifiers with symbols or codes that cannot directly identify the individual without separate reference information.
Additional data must be isolated:
Phase Three: Pseudonymisation also says that the extra data needed to re-identify a person must be stored securely and separately to prevent linkage.
Still considered personal data:
Phase Three: Pseudonymisation also says that since re-identification is possible, pseudonymised data remains within the scope of PDPL and must be protected accordingly.
Apply in research, analytics, and indirect use cases:
Phase Three: Pseudonymisation also says that you can process personal data for scientific, research, or statistical purposes without consent, provided that pseudonymisation does not compromise the purpose of the processing or the individual’s rights.
Tools to apply pseudonymisation:
Phase Three: Pseudonymisation also gives examples of techniques, including data generalization, data aggregation, encryption, and masking. Each method serves a different use case and must be combined with appropriate safeguards.
| Technique | Description |
|---|---|
| Data Generalization | Replace specific values with broader ones (e.g., use age bands instead of exact age). |
| Data Aggregation | Group or consolidate individual data points into non-specific categories (e.g., birth year instead of birthdate). |
| Data Encryption | Convert data into unreadable formats using cryptography—keep keys securely stored and separate. |
| Data Masking | Conceal certain parts of the data using masking rules (e.g., show only the last 4 digits of a phone number). |
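The following is an added worked example (not part of the guideline and not code from any regulator or project) showing how the four techniques in the table combine into one pseudonymisation step, and how the "additional information" needed for re-identification is kept apart from the released dataset. The sample records are constructed, the HMAC secret key and the in-memory `SeparateKeyStore` are assumptions standing in for a separately controlled system, and the helper names (`generalize_age`, `aggregate_birthdate`, `mask_phone`, `pseudonymise`) are the example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from typing import Optional

# Constructed sample records for the demonstration; not real people.
SAMPLE_RECORDS = [
    {"name": "Layla Ahmed", "national_id": "1023456789", "age": 27,
     "birthdate": "1997-04-12", "phone": "+966501234567"},
    {"name": "Omar Saleh", "national_id": "1098765432", "age": 34,
     "birthdate": "1990-11-30", "phone": "+966559876543"},
]

# Attributes that reveal identity on their own and must never be released.
DIRECT_IDENTIFIERS = ("name", "national_id")


def generalize_age(age: int, band_width: int = 10) -> str:
    """Data generalization: replace an exact age with a band such as '20-30'."""
    lower = (age // band_width) * band_width
    return f"{lower}-{lower + band_width}"


def aggregate_birthdate(birthdate: str) -> str:
    """Data aggregation: keep only the birth year of an ISO 'YYYY-MM-DD' date."""
    return birthdate[:4]


def mask_phone(phone: str, visible_digits: int = 4) -> str:
    """Data masking: hide every digit except the last `visible_digits`."""
    digits = re.sub(r"\D", "", phone)
    return "*" * (len(digits) - visible_digits) + digits[-visible_digits:]


class SeparateKeyStore:
    """Stands in for the separately held 'additional information'.

    Assumption for the example: an in-memory object. In a real deployment this
    is a different system with its own access controls, so that holders of the
    pseudonymised dataset cannot link codes back to people.
    """

    def __init__(self, secret_key: bytes):
        self._secret_key = secret_key
        self._mapping: dict[str, dict] = {}

    def reference_for(self, national_id: str) -> str:
        # Keyed hash (HMAC-SHA256): the same subject always gets the same code,
        # but without the key the code cannot be recomputed from the identifier.
        digest = hmac.new(self._secret_key, national_id.encode(), hashlib.sha256)
        return "REF-" + digest.hexdigest()[:12].upper()

    def remember(self, reference: str, identifiers: dict) -> None:
        self._mapping[reference] = identifiers

    def reidentify(self, reference: str) -> Optional[dict]:
        # Re-identification is only possible through this separate store.
        return self._mapping.get(reference)


def pseudonymise(record: dict, store: SeparateKeyStore) -> dict:
    """Replace direct identifiers with a reference code and reduce the remaining
    attributes with generalization, aggregation and masking."""
    reference = store.reference_for(record["national_id"])
    store.remember(reference, {k: record[k] for k in DIRECT_IDENTIFIERS})
    return {
        "ref": reference,
        "age_band": generalize_age(record["age"]),
        "birth_year": aggregate_birthdate(record["birthdate"]),
        "phone_masked": mask_phone(record["phone"]),
    }


def pseudonymise_dataset(records: list[dict], store: SeparateKeyStore) -> list[dict]:
    return [pseudonymise(r, store) for r in records]


def contains_direct_identifiers(records: list[dict]) -> bool:
    """Release check: no row may still carry a direct identifier."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    store = SeparateKeyStore(secret_key=b"example-key-kept-elsewhere")
    released = pseudonymise_dataset(SAMPLE_RECORDS, store)
    assert not contains_direct_identifiers(released)
    for row in released:
        print(row)
    # Linking a code back to a person requires the separately held store.
    print(store.reidentify(released[0]["ref"]))
```

Two design points matter for the guideline's requirements. The reference code is a keyed hash rather than a plain hash because identifiers such as national ID numbers come from a small, enumerable space, and an unkeyed hash of such a value can be matched back to the original by trying candidates; the key therefore belongs with the separately held information, not with the dataset. The release check exists because the output still counts as personal data under PDPL, so a review step confirming that no direct identifier leaked into the released rows is part of the "review, assess, and update controls" obligation rather than an optional extra.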