Nixon Law Group

PAUBOX GUEST BLOG: The GDPR and Pseudonymization vs. Encryption

Which is "better"? Which should you choose?

On May 25, 2018, the General Data Protection Regulation (GDPR) became enforceable across the European Union. The GDPR was created to protect the personal data of EU citizens.

Personal data refers to anything that someone could possibly use to identify a person within a larger group, roughly what is known in the United States as personally identifiable information (PII) or, for health records, protected health information (PHI).

Personal data can include IP addresses, email addresses, and usernames. Whenever any of this information is displayed on a screen, transmitted over a network, or written to a log file, it is being “processed” and should be encrypted. Failure to do so can lead to penalties of up to 20 million Euros or 4% of annual global turnover.

In order to secure personal data, an organization must encrypt it. However, there are different forms of encryption organizations can use.
 
We’ll be diving into two GDPR-compliant encryption methods in this article: standard encryption and pseudonymization.

What is the difference between Pseudonymization vs Encryption?

Under Article 32 of the GDPR, controllers are required to implement risk-based measures for protecting data security. One risk-based measure is the “pseudonymization and encryption of personal data” (Article 32(1)(a)). 

But what exactly is pseudonymization and encryption, and what’s the difference between them?

Pseudonymization

Pseudonymization is a GDPR-approved technique that encodes personal data with artificial identifiers such as a random alias or code. It’s similar to writers who use pseudonyms to hide their identities.

Pseudonymization is a "false" anonymization in the sense that the data can still be linked back to a person, but the identifiers needed to do so are stored elsewhere. Because this additional information is required to re-identify the data subject, pseudonymization is considered a secure practice.

The GDPR specifically describes pseudonymization in Article 3, as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” To pseudonymize a data set, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.”
 
Pseudonymization is mentioned 15 times total in the GDPR and it is a central idea in the “data protection by design” concept. 

However, pseudonymization is also considered partial encryption, which is why the GDPR mentions standard encryption as well.

Encryption

Encryption is the safest and most straightforward technique to secure data. When you encrypt data, the data is rendered unintelligible to those who are not authorized to access it, even in the case of data breaches.
 
Data encryption translates data into another form, or code, so that only people with access to a secret key (known as a decryption key) or password can read it.

However, not every encryption solution requires its users to handle passwords or decryption keys themselves. With seamless encryption putting data usability alongside security, encryption isn’t as cumbersome as it used to be.

Seamless encryption also ensures the security of data during transfer as well as the security of static data.

Encryption is explicitly mentioned as a legitimate way to address the security of processing personal data—one of the GDPR’s key requirements.
 
Companies that encrypt their personal data also gain the advantage of not having to notify data subjects in the case of a breach. However, notifying the local DPA would still be required. 

Which is better: Pseudonymization or Encryption?

Encryption and pseudonymization are similar to one another. Both techniques secure data by replacing it with something else.

However, one key difference between encryption and pseudonymization is the data’s accessibility. With encryption, only approved users have access to the secured data. Pseudonymization allows a broader audience to access some of the data while obscuring the “key” fields.

Pseudonymization and encryption can be used simultaneously or separately. The GDPR mentions both, but doesn’t mention which method is preferred.
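As an added example that is not part of the original post, the following Go program (standard library only) puts the two techniques side by side on a constructed support ticket. Pseudonymization keeps the message text readable and swaps the email address and IP for keyed aliases whose secret is held in a separate store, which is the accessibility difference described above; AES-256-GCM encryption makes the entire record unreadable without the key. The record layout, the secret value, the `pseud_` prefix and the helper names are assumptions chosen for the illustration, not anything from the GDPR text or a particular product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a constructed sample of personal data: a support ticket that
// carries two identifiers plus the free text an analyst actually needs.
type Record struct {
	Email   string
	IP      string
	Message string
}

// Pseudonymize replaces the identifying fields with keyed HMAC-SHA256 aliases
// and leaves the non-identifying content readable. The secret is the
// "additional information": it is the only thing tying an alias back to a
// person, so it must live in a separate store with its own access controls.
// One secret always maps one value to one alias, so tickets from the same
// user can still be grouped without revealing who that user is.
func Pseudonymize(r Record, secret []byte) Record {
	return Record{
		Email:   pseudonym(secret, "email", r.Email),
		IP:      pseudonym(secret, "ip", r.IP),
		Message: r.Message,
	}
}

// pseudonym derives a short, stable alias for one field value. The field name
// is mixed in so the same value in two fields does not yield the same alias.
func pseudonym(secret []byte, field, value string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(field + ":" + value))
	return "pseud_" + hex.EncodeToString(mac.Sum(nil))[:16]
}

// Encrypt seals a whole serialized record with AES-256-GCM. Without the key
// nothing in the output is intelligible, message text included, and any change
// to the ciphertext is detected on decryption. The random nonce is prepended.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it fails on a wrong key or a tampered ciphertext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// newGCM builds the AEAD; aes.NewCipher rejects keys that are not 16/24/32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	ticket := Record{Email: "alice@example.com", IP: "203.0.113.7", Message: "cannot log in since Monday"}

	// Pseudonymization: analysts see the message and a stable alias, not the person.
	secret := []byte("constructed-secret-stored-separately") // assumption: held in a separate key store
	fmt.Printf("pseudonymized: %+v\n", Pseudonymize(ticket, secret))

	// Encryption: nothing is readable without the key, the message included.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, []byte(ticket.Email+","+ticket.IP+","+ticket.Message))
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted (hex): %s\n", hex.EncodeToString(sealed))
	plain, err := Decrypt(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", plain)
}
```

Two points the side-by-side makes visible: the pseudonymized ticket is still useful to a wide audience because the message survives, while the encrypted one is useful to nobody without the key; and the pseudonymized ticket is only as protected as the secret, since whoever obtains it can recompute every alias. Free text is also not covered by pseudonymizing the labelled fields: a message that names a person or quotes their address re-identifies the subject on its own, which is one reason the two techniques are often combined rather than chosen between.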

In our opinion, encryption is better than pseudonymization.

Why? Think of how you’re going to be communicating and storing the secure data. Odds are, you’ll need to transmit personal data over email at some point. In order to be GDPR compliant, you’ll need to utilize an encrypted email solution to do so.

Ideally, the solution will employ seamless and universal encryption so you won’t have to access the data with passwords or decryption keys. Every email will be secured in transit and at rest, regardless of content.

Remember, pseudonymization is considered a partial encryption. Standard encryption is the established IT practice for securing data. And with the GDPR freshly enforced, it’s better to be extra safe with full encryption than to rely on the partial encryption that pseudonymization provides.

Need help setting up compliant data privacy tools and processes? Click here to find out how we can help.