2025-W04 Navigating the Pseudonymisation Guidelines

Pseudonymisation is a multifunctional tool helping us comply with many GDPR provisions and principles. Pseudonymisation should always be considered in the context of ROPAs. It’s not something that is simply stated in some document. “We are protecting data by using pseudonymisation” is definetly not enough.Lastly, the framework below is the result of me summarising the examples from the Annex of the Guidelines. It’s not something I came up with on my own.Context and Purpose of ProcessingStart by understanding the purpose of processing and documenting it in your Record of Processing Activities (ROPA).Example Context: A hospital conducts a clinical study involving patient health records to analyze treatment efficacy.Purpose of Processing: The hospital needs to process sensitive health data while ensuring compliance with GDPR and minimizing privacy risks to participants.What Problem is to Be Solved?Define your goal for pseudonymisation. Are you aiming to rely on legitimate interests for processing, meet the privacy by design/default principle, or both?Objective: Protect patient privacy by pseudonymising health records to reduce re-identification risks while enabling researchers to use the data for analysis.Compliance Goal: Fulfill the privacy by default principle while maintaining the utility of the data.Original DataDescribe the personal data you are starting with before applying pseudonymisation.Example Original Data:Patient namesAddressesDate of birthHealth conditionsTreatment historyPseudonymised DomainDefine who will process the pseudonymised data and in what capacity.Example: Researchers analyzing the dataset. They will work with pseudonymised data and will not have access to the additional information required for re-identification.Pseudonymised DataDescribe the data after pseudonymisation.Example Pseudonymised Data:Names are replaced with random identifiers (e.g., “Patient_001”).Addresses and dates of birth are generalized (e.g., replacing “01/21/1980” with “1980”).Health conditions and treatment history remain unchanged for research purposes but are no longer directly linked to individuals.Additional InformationExplain how you will implement pseudonymisation, detailing the method used.Method: Use a lookup table to replace names with pseudonyms.Example: Store the mapping of “Patient_001” = “John Doe” in a secure, access-controlled database.Optionally, encrypt sensitive fields (e.g., addresses) using AES encryption.Storage: Keep the lookup table and encryption keys in a physically and logically separate system, accessible only to authorized personnel.Processing of Pseudonymised DataDescribe how the pseudonymised data will be used.Example Use Case: Researchers access pseudonymised health data for statistical analysis. The pseudonyms (e.g., “Patient_001”) are sufficient for their work and do not allow them to identify specific individuals.Pseudonymisation ProcessDetail the steps taken to pseudonymise the data.Step 1: Extract relevant data fields from the original dataset.Step 2: Replace direct identifiers (e.g., names) with pseudoyms using a secure, randomized algorithm.Step 3: Encrypt sensitive indirect identifiers (e.g., addresses) using crptographic methods.Step 4: Store the mapping of original identifiers to pseudonyms (lookup table) and encryption keys in separate secure locations.Step 5: Provide the pseudonymised dataset to researchers for processing.Additional SafeguardsIdentify safeguards specific to this scenario to further protect the pseudonymised data.Access Controls: Strictly limit access to the lookup table and encryption keys.Separation of Duties: Ensure that only administrative staff can access the lookup table, while researchers handle only pseudonymised data.Auditing: Regularly monitor and log access to both the lookup table and the pseudonymised dataset.Minimization: Only share the minimum data necessary for the research objective.