The European Union Agency for Cybersecurity (ENISA) released its report on pseudonymisation for personal data protection, providing a technical analysis of cybersecurity measures in personal data protection and privacy.
This new work builds on the Agency’s past work on pseudonymisation techniques and best practices by exploring more advanced techniques and specific use cases in areas such as healthcare and information sharing in cybersecurity.
While not a new process, pseudonymisation came into the spotlight in 2018 with the enforcement of GDPR, which references it as a security and data protection by design mechanism.
Although the deployment and proper application of data pseudonymisation techniques have become highly debated, the overall context of the processing is considered an important aspect of implementation. Therefore, it should be combined with a thorough security and data protection risk assessment.
ENISA Executive Director Juhan Lepassaar said: “Cybersecurity techniques are an integral part to meet data protection obligations, and allow users to enjoy fully their fundamental rights to personal data protection and privacy.”
No one-size-fits-all pseudonymisation technique
As there is no one-size-fits-all pseudonymisation technique, a high level of competence is needed to reduce threats and maintain efficiency in processing such data across different scenarios.
The report aims to support data controllers and processors in implementing pseudonymisation by providing possible techniques and use cases that could fit different scenarios.
The report underlines the need to take steps that include the following:
- Each case of personal data processing needs to be analysed to determine the most suitable technical option
- An in-depth look into the context of personal data processing before data pseudonymisation is applied
- Continuous analysis of the state of the art in the field of data pseudonymisation, as new research and business models break new ground
- Developing advanced scenarios for more complex cases, for example when the risks of personal data processing are deemed to be high