Streamlined Compliance in Regulated Environments

Minimization, Pseudonymization or Anonymization?

In the context of pseudonymization versus anonymization, the term “any information” becomes increasingly relevant, as it allows for a broad interpretation even after adequate, relevant and strictly necessary data are collected. Article 4(1) of the GDPR refers to personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subjects’ identity can be exposed in situations where a particular type of information is associated with personal details (direct identification) or with sources of information such as medical diagnosis, political affiliation, work-related details, etc. In cases where anonymization or pseudonymization are not an option, data protection authorities recommend that organizations practice data minimization. This process involves using the least amount of data possible as well as limiting the collection and processing to the purposes for which consent was given. In cases where processing is outsourced, the controller holds the responsibility for the type and the amount of data collected to accomplish a particular purpose. According to GDPR Article 5(1)(c), the collected data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

Minimization should be complementary and not optional when anonymization or pseudonymization are applied. Although comparable, the two concepts employ different techniques for data protection. The difference between anonymization and pseudonymization rests on whether the data can be re-identified. It is important to mention that according to the GDPR, anonymized data is data rendered anonymous in such a way that individuals are not or no longer identifiable.

A false sense of protection is often instilled when data subjects are promised pseudonymization in exchange for their data. This process makes the personal data unidentifiable unless more information is made available. This is usually achieved by replacing directly identifying information. Should additional data be linked to the previously pseudonymized data, the risks are identical to those of non-pseudonymized data.

The risk of data breaches can be significantly reduced when anonymization is the preferred choice to protect the privacy of the data. Once direct and indirect personal identifiers are removed, the data is truly anonymized: it cannot be linked to data subjects and, according to the GDPR, becomes non-personal data that can be used freely.
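As an added illustration (not code from the original article), the Python sketch below pseudonymizes constructed records with a keyed hash and then measures how many rows still share the same indirect identifiers, before and after those identifiers are generalized. The field names, the HMAC-based token and the group-size check are assumptions chosen for the example; a small group size is a rough risk indicator, not a GDPR test.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data).
RECORDS = [
    {"name": "Alice Example", "zip": "10115", "birth_year": 1984, "diagnosis": "asthma"},
    {"name": "Bob Example", "zip": "10117", "birth_year": 1986, "diagnosis": "diabetes"},
    {"name": "Carol Example", "zip": "20095", "birth_year": 1971, "diagnosis": "asthma"},
    {"name": "Dave Example", "zip": "20099", "birth_year": 1979, "diagnosis": "migraine"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year")  # indirect identifiers (assumed)


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token (HMAC-SHA256).

    Whoever holds `key` can recompute the token for a known name, so the
    output is still personal data: the key is the "additional information".
    """
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        row = {k: v for k, v in r.items() if k != "name"}
        row["subject_token"] = token
        out.append(row)
    return out


def generalize(records):
    """Drop name/token and coarsen indirect identifiers (3-digit zip, decade)."""
    return [
        {"zip": r["zip"][:3] + "**",
         "birth_year": f"{r['birth_year'] // 10 * 10}s",
         "diagnosis": r["diagnosis"]}
        for r in records
    ]


def smallest_group(records, columns=QUASI_IDENTIFIERS):
    """Size of the smallest set of rows sharing the same indirect identifiers.

    A result of 1 means at least one row is unique on those columns and can
    be singled out by anyone who knows them from another source.
    """
    groups = Counter(tuple(r[c] for c in columns) for r in records)
    return min(groups.values())
```

On the sample data, the pseudonymized rows still have a smallest group of 1 (every row is unique on zip and birth year), while the generalized rows have a smallest group of 2.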

The choice between anonymization and pseudonymization depends on the nature and purposes of the organizations that collect the data. While the General Data Protection Regulation does not impose their use, data protection laws specific to individual jurisdictions can apply.

In other words, while minimization is basic data hygiene and pseudonymization is a good compromise between offering a comforting sense of privacy and still being able to access the data, anonymization is the answer for full data privacy protection.

To delve deeper into this topic, reach out to us for expert insights and tailored solutions. Contact Chekt to explore how we can assist you further with making your compliance process fast and easy.