Insights European Union Agency for Cybersecurity (ENISA) publishes report on pseudonymisation for personal data protection

The report, “Data Pseudonymisation: Advanced Techniques and Use Cases”, is a technical analysis of cyber security measures in personal data protection and privacy. The report explores advanced pseudonymisation techniques and specific use cases in areas such as healthcare and information sharing in cyber security.

ENISA notes that while not a new process, pseudonymisation came into the spotlight in 2018 with the introduction of the GDPR, which references pseudonymisation as a security and data protection by design mechanism. Pseudonymisation is important in the context of data processing and its implementation should be combined with a thorough security and data protection risk assessment, ENISA says. There is no “one-size-fits-all” pseudonymisation technique, ENISA says. Therefore, a high level of competence is needed to reduce threats and maintain efficiency in processing pseudonymised data in different scenarios. The report aims to support data controllers and processors in implementing pseudonymisation by setting out possible techniques and how to use them in different scenarios.

The report sets out the measures that should be taken when using pseudonymisation, including:

  • analysing each case of personal data processing to determine the most suitable technical solution;
  • considering in detail the context of the processing before data pseudonymisation is applied;
  • keeping up to date with the state-of-the-art in the field of data pseudonymisation, as new research and business models emerge;
  • developing advanced pseudonymisation scenarios for more complex cases, e.g. when the risks associated with the processing are deemed to be high; and
  • continuing the debate on the broader adoption of data pseudonymisation at EU and Member State level.

To read ENISA’s summary in full and to access the report, click here.