Monday, October 30, 2017

GDPR step-by-step - Part 2 - Personal, Pseudonymised and Anonymous Data

This is the second post in my new series about the GDPR (General Data Protection Regulation), in which I will highlight relevant aspects of this new regulation, especially for businesses.

The GDPR shall apply from May 2018, so it is very important that businesses are fully prepared for the new rules. This series is an attempt to help business owners become aware of the new rules and the specific challenges that they might present in different information systems. These posts have educational purposes; they do not substitute for a consultation with a lawyer. I hope that the content can be useful to you. All highlights and comments in yellow are mine. To read the GDPR, click here.

In this Part 2, you will find:

1- What is personal data?
2- What is pseudonymised data?
3- What is anonymous data?

[Part 1]



1- What is personal data?


As we saw last week, in Part 1 of this series, article 2 of the GDPR, which deals with the material scope of the new regulation, states that "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data (...)".


The question that we should ask then is: what is personal data?

Article 4(1) of the GDPR provides this definition (which might surprise some, as information relating to an identifiable person is also considered personal data):


"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"


The definition is broad and also contextual: if, in some context, there are technologies that can identify a person from a single cultural element, for example, then in that case this cultural element will be considered personal data and its processing will be subject to the GDPR.


Recital 26 of the GDPR helps us understand this concept:


"The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."


Again, the legal definition seems to be contextual here: in order to understand whether the data can be identified, account should be taken of "objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."
For now, it seems that, in practice, all data can be considered personal data. So what can a business owner do? Let's go to item 2, which deals with pseudonymisation.


2- What is pseudonymised data?

The GDPR also defines what pseudonymised data is. According to article 5:


"‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"

In recital 28, the GDPR expresses the advantages of pseudonymisation:

"The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection."

When dealing with data protection by default and by design (Article 25), the GDPR states that:

"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."

Pseudonymisation is also associated with data security, as article 32, dealing with security of processing, establishes that:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data;"

In any case, we cannot forget what we read in recital 26, which stated that "personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person" - meaning that the GDPR is applicable to pseudonymised data.

Now we go to the last type of data for our purpose - anonymous data.

3- What is anonymous data?

According to the end of recital 26, "(...) the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

Therefore, only when information is considered anonymous - according to the GDPR definition - will the processing of this data not be subject to the GDPR.

As we saw today, it is very important to understand the concepts of personal data, pseudonymised data and anonymous data, as they might influence the rules applicable to the processing of such data.


That's all for today. Do you have comments about this post? Feel free to post them below.



Best,

Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy
