Adatvédelem mindenkinek / Data protection for everyone

Pseudonymisation and anonymisation in the GDPR

26 February 2018, 13:00 - poklaszlo

Data protection rules such as the EU's new General Data Protection Regulation (GDPR) apply to personal data. But what does personal data mean?

According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A key element of the concept of personal data is that it can only be information about a natural person (i.e. information about a legal person, such as a company name, registration number or seat, does not constitute personal data). The other key element is that the information must relate to an identified or identifiable natural person. The person does not have to be identified; it is sufficient that identification is possible ("identifiable").

1. Anonymisation

Based on the above, the rules on the protection of personal data do not need to be applied to anonymised data. As the GDPR sets forth in its Preamble (26):

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

An important requirement of anonymisation is that the relationship between the data and the data subject can no longer be restored, that is, the natural person can no longer be identified. This may seem easy at first sight, but in practice it poses many challenges: as technology evolves, permanently severing the connection between the data and the natural person is often not a simple task.

The following guidelines may be useful in connection with anonymisation processes: the Article 29 Working Party (WP29) issued an opinion on anonymisation techniques in 2014 (Opinion 05/2014 on Anonymisation Techniques). In January 2018, the Personal Data Protection Commission of Singapore also published a Guide To Basic Data Anonymization Techniques. The Anonymisation Code of Practice of the UK's data protection authority (ICO) may also be helpful. In the United Kingdom, a separate organisation has also been set up to assist in the effective anonymisation of personal data (UK Anonymisation Network).

2. Pseudonymisation

The rules on the protection of personal data do not apply to anonymous data. Pseudonymised data, on the other hand, remain within the scope of the data protection rules. Pseudonymisation is essentially one of the tools for protecting personal data. The GDPR explicitly defines the concept of pseudonymisation and recommends that data controllers use it.

According to the Preamble (28) to the Regulation:

The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.

Based on the GDPR, ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

The Regulation recommends that data controllers apply pseudonymisation in connection with:

  • data protection by design (Article 25),
  • security of processing (Article 32),
  • Codes of Conduct (Article 40).

Data controllers should use pseudonymization as a means of processing data securely in the light of the accountability principle, especially in cases where data processing is likely to result in a high risk to the rights and freedoms of the data subjects.

Therefore, it may be useful to apply pseudonymisation for the security of processing, but it should be remembered that data protection rules continue to apply to pseudonymised data, since such data remain personal data.
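An added example (not part of the original post) of one common way to implement pseudonymisation as defined above: a keyed hash (HMAC-SHA256) replaces the direct identifier, and the secret key plays the role of the "additional information" that is kept separately. The function names, field names and sample records are assumptions made for the illustration; whoever holds the key can re-attribute the rows, which is why the output remains personal data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; addresses and values are invented for the example.
RECORDS = [
    {"email": "anna@example.com", "visit": "2018-02-01", "amount": 120},
    {"email": "bela@example.com", "visit": "2018-02-03", "amount": 75},
    {"email": "Anna@Example.com ", "visit": "2018-02-20", "amount": 40},
]

def new_secret() -> bytes:
    """The 'additional information': generate once, store apart from the data."""
    return secrets.token_bytes(32)

def pseudonym(secret: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256) of a normalised identifier."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()

def pseudonymise(records, secret, id_field="email"):
    """Replace the direct identifier in each record with its pseudonym."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != id_field}
        row["subject"] = pseudonym(secret, rec[id_field])
        out.append(row)
    return out

def reattribute(rows, secret, known_identifiers):
    """Map rows back to data subjects; only succeeds with the right secret."""
    index = {pseudonym(secret, i): i.strip().lower() for i in known_identifiers}
    return [(index[r["subject"]], r) for r in rows if r["subject"] in index]

if __name__ == "__main__":
    secret = new_secret()                 # held by the controller, stored separately
    rows = pseudonymise(RECORDS, secret)  # working set without e-mail addresses
    print(rows)
    print(reattribute(rows, secret, ["anna@example.com"]))        # two rows
    print(reattribute(rows, new_secret(), ["anna@example.com"]))  # []
```

The same data subject receives the same pseudonym in every record, so the working set stays usable for analysis while the key is held elsewhere under its own access controls.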