Anonymization and GDPR: finding a balance between privacy and security
Data has become a primary resource for all companies, standing as a key asset for them.
Some people affirm that the 21st century is the century of privacy, and this opinion has a really solid base. As new forms of technology are developed, there are new ways of collecting, storing, processing and analyzing personal data. Customers (and people in general) are more aware of the importance of privacy, and their concerns are growing as technology evolves in an unprecedented way.
Data protection regulations came in to ensure privacy, and to protect consumers and citizens all over the world. Technology has brought a lot of benefits, as well as some downsides, especially in terms of privacy, and these regulations stand as a way to protect data subjects and to ensure their most fundamental rights.
So, with all of this being said, how can companies find a balance between customers, privacy and their most fundamental interests?
Well, we must say that techniques such as anonymization can play an important role in protecting personal data, ensuring data protection principles, and enabling companies to perform their activities overall.
In this context, fintech companies play a really important role. As we discussed in previous posts, financial companies receive and process sensitive information for different purposes, and ensuring and complying with data protection principles can be truly challenging.
In the European Union, since the General Data Protection Regulation entered into force, companies have been using different techniques to comply with their legal obligations, as well as trying to find a balance between privacy and security. Complying with the GDPR has become a truly challenging task for companies, being of the utmost importance for them.
We at Seifti help companies to use data protection compliance as a business advantage through simplified and automated privacy and data protection technology.
Even though techniques like anonymization are really effective for overcoming GDPR challenges, we have to say that “not all that glitters is gold”.
Only a small percentage of companies are using this technique properly to protect personal information nowadays, and those that use it incorrectly are missing a big part of its benefit.
So, what are the key concepts that need to be understood, and how does anonymization really work within the scope of the GDPR?
Understanding key concepts related to Anonymization
As we said, anonymization can be really useful for companies in general for many reasons, for example, confidentiality. But what does this concept exactly mean and what can it be used for? What is anonymized information under GDPR? Is this information affected by GDPR?
There are many misunderstandings around this concept, and many studies have focused on bringing knowledge on this matter.
For example, the Spanish Agency of Data Protection (an independent public body in charge of enforcing the GDPR in Spain) said in “10 misunderstandings related to anonymization” that “both public and private entities are considering anonymization as a means to share data without harming the fundamental rights of individuals”, but there are some misconceptions around it.
We are going to focus on two of these misunderstandings, as they are really worth mentioning: “pseudonymization is the same as anonymization” and “anonymization of data is always possible”.
Regarding the first statement, it is time for us to mention the GDPR perspective on anonymized information. Under this regulation, the data protection principles apply to any information concerning an identified or identifiable natural person.
For the GDPR, pseudonymization is a technique of processing personal data where it can no longer be attributed to a specific individual without the use of additional information.
This means that by using this additional information, we can end up identifying the data subjects related to it, and this is the primary reason why pseudonymous data is still personal data, and GDPR principles still apply to it.
However, with anonymization we don’t let this happen, because this information does not relate to an identified or identifiable natural person, and the data subject is not or no longer identifiable.
Anonymized data is “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”.
And since we said that the GDPR applies only to the processing of information concerning an identified or identifiable natural person, we have to conclude that the GDPR does not concern the processing of anonymous information, including for statistical or research purposes.
As for the belief that “anonymization is always possible”, it shows how important it is for companies to understand the context and risks of the process.
As we said at the beginning, this technique can play an important role in protecting personal data, ensuring data protection principles, and enabling companies to perform their activities overall.
Benefits and downsides of Anonymization
As we commented before, techniques like anonymization allow companies to use personal information in a safe way while complying with the GDPR (finding that balance we mentioned previously).
However, there are some risks involved, such as re-identification, which is closely related to the belief that “anonymization is always possible”.
We have to keep in mind that, in order to “dodge” the GDPR, this information must “not relate to an identified or identifiable natural person”, or be “personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”.
So, in this sense, it requires that the information is not re-identified (and this can for sure be the Achilles’ heel for companies).
Re-identification is turning anonymized information back into personal data, and companies need to be concerned about how it can affect their ability to ensure data subjects’ privacy rights.
Recital 26 GDPR says that in order to determine whether “means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
Companies need to understand that anonymization is not always possible and that they can’t always lower this re-identification risk, so it is crucial for them to analyze the context and nature of the personal information.
They need to be aware of how malicious parties can try to re-identify information, and even when information is completely anonymous and does not relate to an identified or identifiable natural person, companies can’t be completely safe.
For all of these reasons, it is crucial for companies to understand the key concepts around anonymization, and to keep in mind that if data subjects are identifiable in any manner, their information is affected by the GDPR.
Only then will these techniques prove effective in finding a balance between achieving their goals and complying with privacy regulations.