"My ambition for the Journal of Data Protection & Privacy is for it to further develop the foundations, tools and methodologies for Privacy by Design, and to help getting them applied in practice."
Comparing the benefits of pseudonymisation and anonymisation under the GDPR
Click the button below to download the full text of the article.
Abstract: Many organisations are trying to obtain more value from their data to improve their products and services, offer new ones and optimise their own internal operations. For example, more chief data officers, or similar roles, are being created to drive such data-enabled transitions. With the General Data Protection Regulation (GDPR) in place, these organisations need to determine the lawful basis for such activities. De-identification techniques, such as pseudonymisation and anonymisation, can play an important role in facilitating such secondary uses and disclosures of data. In regard to de-identification, the GDPR introduces nuances that have not previously been seen, recognising the existence of different levels of de-identification and explicitly adding references to pseudonymisation as an intermediate form of de-identification. This paper explores the nuances introduced by the GDPR, compares the benefits of the different levels of de-identification found in the regulation, and provides practical guidance for using de-identification as a tool for addressing different GDPR compliance obligations.
Keywords: anonymisation; pseudonymisation; de-identification; masking; secondary uses
Mike Hintze is a partner at Hintze Law PLLC. As a recognised leader in the field, he advises companies, industry associations and other organisations on global privacy and data protection law, policy and strategy. He was previously Chief Privacy Counsel at Microsoft, where for over 18 years he counselled on data protection compliance globally and helped lead the company’s strategic initiatives on privacy differentiation and public policy. Mike also teaches privacy law at the University of Washington School of Law, serves as an adviser to the American Law Institute’s project on Information Privacy Principles and has served on multiple advisory boards for the International Association of Privacy Professionals and other organisations. Mike has testified before Congress, state legislatures and European regulators; and he is a sought-after speaker and regular writer on data protection issues. Prior to joining Microsoft, Mike was an associate with Steptoe & Johnson LLP, which he joined following a judicial clerkship with the Washington State Supreme Court. Mike is a graduate of the University of Washington and the Columbia University School of Law.
Khaled El Emam is the founder and President of Privacy Analytics, an IQVIA company. As an entrepreneur, Khaled founded or co-founded five companies involved with data management and data analytics. He has worked in technical and management positions in academic and business settings in the UK, Germany, Japan and Canada. Khaled is also a senior scientist at the Children’s Hospital of Eastern Ontario (CHEO) Research Institute and director of the multidisciplinary Electronic Health Information Laboratory (EHIL) team, conducting academic research on de-identification and re-identification risk. He is a recognised expert in statistical de-identification and re-identification risk measurement. Khaled was one of the first Privacy by Design Ambassadors recognised by the Ontario Information and Privacy Commissioner. In 2003 and 2004, Khaled was ranked as the top systems and software engineering scholar worldwide by the Journal of Systems and Software, based on his research on measurement and quality evaluation and improvement. Previously, Khaled was a senior research officer at the National Research Council of Canada. He also served as the head of the Quantitative Methods Group at the Fraunhofer Institute in Kaiserslautern, Germany. He previously held the Canada Research Chair in Electronic Health Information at the University of Ottawa and is a professor in the Faculty of Medicine (Pediatrics) at the university. He has a PhD from the Department of Electrical and Electronics Engineering, King’s College, at the University of London, UK.