🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays
Call us on +(33)4 28 70 91 81
Log in

Understand everything about pseudonymization

Home Understand everything about pseudonymization

Our articles follow our episodes d’1min to understand everything. These are short videos during which our lawyers who are experts in personal data protection offer you simple definitions of key concepts of the General Regulation on the Protection of Personal Data (GDPR) and give you concrete examples. Follow us on LinkedIn so you don't miss any news!  

Today we are addressing the notion of profiling. Make yourself comfortable, we'll explain everything to you in 5 minutes!  

 What is pseudonymization?  

Article 4 paragraph 5 of the GDPR defines pseudonymization as a processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures in order to to ensure that personal data are not attributed to an identified or identifiable natural person.  

Like l’anonymization, which we talked about last week, it is a process that limits the possibilities of identifying the person whose data is processed. Pseudonymization consists of replacing directly identifying data with non-identifying data. Unlike anonymization, pseudonymization is a reversible process and the data retains a personal character. Therefore, pseudonymized data remains subject to the GDPR.    

The objective of pseudonymization is to no longer be able to assign data to a person without additional information. To re-identify the person, data cross-referencing must be carried out. This allows the data controller to process data without the data subjects being directly identifiable.  

There are different methods of pseudonymization. According to thethe G29 Guidelines on Anonymization Techniques (2014), the most used are:  

  • The secret key cryptography system,  
  • The hash function,  
  • The key hash function with saved key,  
  • Deterministic encryption or key hashing function with key deletion,  
  • Tokenization.  

Since pseudonymization is reversible, individualization, correlation and inference remain possible. In fact, the identity of the person is linked to an attribute such as a pseudonym, so they can easily be identified.      

 How to pseudonymize data?   

The example below is a simplified pseudonymization model. It aims to explain in a clear and understandable way for the entire pseudonymization process. Each organization must determine the most appropriate technique for pseudonymizing its data. As a reminder, pseudonymization does not provide the same guarantees as anonymization.  

The most telling method is the hypothesis in which the data controller replaces data such as first and last name with a pseudonym. This is for example the case when an organization assigns a number to its employees. Here is a sample of the data available to a company's HR department:  

In order to pseudonymize the data, the data controller can proceed as follows: determine the data to be hidden and then establish an effective means of carrying out the pseudonymization operation. Thus, to assign a number, the data controller can determine a key to complicate the identification of people. On the other hand, the person who has the key can easily re-identify the people concerned. The pseudonymized dataset might look like this:  

File 1:  

File 2:

In this example, the registration number was assigned randomly. For the process to be as efficient as possible, the person accessing file 2 should not access file 1.  

 Data Comply One (formerly Mission RGPD) and pseudonymization  

In each of our episodes d’1min to understand everything we presented features of Data Comply One (formerly Mission GDPR). It is a complete and easy-to-use platform, it allows, among other things, to centralize all the essential documents and processes to meet the obligations set by the GDPR.    

Among the automated modules of the platform, Data Comply One (formerly Mission RGPD) offers an automated processing register. In each processing sheet, document the measures implemented to ensure data security, for example pseudonymization! Add as an attachment the document that details this process. In the event of an inspection, easily find the necessary documents and the links that connect them together!  

Request a demo
Other articles
on the same subject