The GDPR encourages companies to use pseudonymous data as a security measure or to ensure that the processed data is completely anonymous. But why is that?

Pseudonymous personal data

Means personal data treated under an pseudonym (codes or abbreviation) and the "key" to solving the pseudonym is kept in an separate system. The benefit of pseudonyms is that, if an hacker or other unauthorized person manage to get access to your database, they are unable to identify any persons based on the pseudonymmous data alone. E.g. a firm  uses customers number to track who buys what, and keeps the key to identify who is hidden behind the customer number in a seperate system. This is usefull since no one cares that  e.g.  E8900 buys ointment for a bad hip, it's only when you know that E8900 is Mr.. Solbjerg down from Amagergade 5, that the information becomes interesting. 

If you make pseudonymisation a habit for your firm it will also help you comply with the requirements of privacy by design and privacy default as per GDPR

Lastly personal data hidden behind pseudonymous is still considered as personal data. You must therefore still follow all the personal data processing rules, when handeling this data.

Anonymous personal data

Means personal data where it is no longer possible to find the person to whom the data relates to and the link to the named person(s) can not be restored. If the personal data has been completely anonymized, it means that the personal data is no longer regarded as personal data, see the Personal Data Regulation, since it is no longer possible to identify a person based on the information. An irreversible decoding has been made. 

The GDPR doesn't have a clear definition of when something has been irreversible decoded, it simply says that if it's possible to identify a person based on the keept information by using any aid (e.g. another computer system) the information hasen't been made anonymous. Consequently pseudonymous data isn't considered anonymous.

Did this answer your question?