Pseudonymisation and encryption are the only technical measures the GDPR (General Data Protection Regulation) names explicitly, in Article 32(1)(a) on security of processing.
But what exactly is meant by ‘pseudonymisation’ and ‘encryption’? Are these measures mandatory? More importantly, how can organisations go about implementing them?
What is pseudonymisation?
Pseudonymisation is the process of replacing the fields in a record that identify a person (names, addresses, email addresses, customer numbers and so on) with artificial identifiers, known as pseudonyms, so that the data can no longer be attributed to a specific data subject without additional information.
For instance, you might replace data subjects’ names, addresses or other identifying data with reference numbers or randomly generated tokens, and keep the table or key that maps those tokens back to real people elsewhere.
In the event of a breach, the pseudonymised data on its own cannot be linked back to the data subjects. Doing so requires the additional information, which Article 4(5) requires you to keep separately and to protect with its own technical and organisational measures.
Though valuable, pseudonymisation has its limits, both in practicality and in the risk of re-identification: a pseudonym derived from an identifier by a plain hash can be reversed by anyone able to enumerate candidate identifiers, and a pseudonymised record can still be singled out through the attributes that remain. For stronger protection you should also consider encryption.
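The following Go program is an added example (standard library only, not code from the original article or from any regulator) of the two pseudonymisation approaches just described and of the re-identification risk. An unkeyed SHA-256 of an email address looks random but is reversed by anyone who can guess candidate addresses; an HMAC under a key held separately from the data resists the same dictionary attack while still letting the key holder link the pseudonym back. The record, key and candidate list are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed sample of a customer row; the values are made up.
type Record struct {
	Name       string
	Email      string
	OrderTotal float64
}

// PseudonymiseHash is the weak form: an unkeyed SHA-256 of the identifier.
// The output looks random, but anyone who can enumerate candidate identifiers
// (email addresses, staff numbers, dates of birth) can recompute and match it.
func PseudonymiseHash(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// PseudonymiseHMAC replaces an identifier with HMAC-SHA256(key, identifier).
// The key is the "additional information" of GDPR Article 4(5): it is held
// separately from the pseudonymised data, and without it the pseudonym cannot
// be recomputed, so a dictionary of candidate identifiers is useless.
func PseudonymiseHMAC(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// PseudonymiseRecord keeps the non-identifying analytic value (OrderTotal)
// and replaces the identifying fields with keyed pseudonyms.
func PseudonymiseRecord(key []byte, r Record) Record {
	return Record{
		Name:       PseudonymiseHMAC(key, r.Name),
		Email:      PseudonymiseHMAC(key, r.Email),
		OrderTotal: r.OrderTotal,
	}
}

// ReidentifyByDictionary models an attacker (or the legitimate key holder)
// who tries to reverse a pseudonym by applying pseudonymise to each candidate
// identifier. It returns the matching identifier, or "" if none matches.
func ReidentifyByDictionary(pseudonym string, candidates []string, pseudonymise func(string) string) string {
	for _, c := range candidates {
		if pseudonymise(c) == pseudonym {
			return c
		}
	}
	return ""
}

func main() {
	// Constructed key; in practice it is random and lives in a KMS/HSM, not next to the data.
	key := []byte("constructed-secret-held-separately")
	rec := Record{Name: "Alice Example", Email: "alice@example.com", OrderTotal: 42.50}
	// Constructed guess list an attacker might hold (e.g. addresses from another leak).
	guesses := []string{"bob@example.com", "alice@example.com", "carol@example.com"}

	weak := PseudonymiseHash(rec.Email)
	fmt.Println("unkeyed hash re-identified as:", ReidentifyByDictionary(weak, guesses, PseudonymiseHash))

	strong := PseudonymiseRecord(key, rec)
	fmt.Printf("keyed record: %+v\n", strong)
	fmt.Printf("attacker without key recovers: %q\n", ReidentifyByDictionary(strong.Email, guesses, PseudonymiseHash))
	withKey := func(id string) string { return PseudonymiseHMAC(key, id) }
	fmt.Println("key holder recovers:", ReidentifyByDictionary(strong.Email, guesses, withKey))
}
```

Because the HMAC is deterministic for a given key, the same person receives the same pseudonym across datasets, which allows linkage for analytics without storing a lookup table; rotating the key breaks that linkage deliberately. If you instead issue random reference numbers, the mapping table becomes the additional information and needs the same separation and protection.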
What is encryption?
Encryption is a cryptographic technique for safeguarding data against unauthorised access. An algorithm (a cipher) transforms the data into ciphertext under the control of a secret value, the key; without the key the ciphertext cannot be turned back into readable data, so it is useless to anyone who obtains only the ciphertext.
This means that if the personal data you hold is encrypted, a breach that exposes only the ciphertext is unlikely to pose a risk to the rights and freedoms of data subjects, because the data is unintelligible to anyone without the decryption key. Article 34(3)(a) reflects this by relieving you of the duty to notify data subjects where the affected data was rendered unintelligible, for example by encryption. The protection holds only if the key itself was not compromised in the same incident, which is why keys must be stored and managed separately from the data they protect.
Encryption is appropriate for many kinds of processing activity, and there are many algorithms to choose from. Symmetric algorithms (such as AES) use the same key for encryption and decryption; asymmetric algorithms use a key pair, with a public key to encrypt and a private key to decrypt.
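The following Go program is an added example (standard library only, not code from the article or the ICO) of symmetric encryption of a personal-data record with AES-256-GCM. It shows the property the text relies on: with the right key the record is recovered, while a different key, a mismatched record identifier or a single tampered byte produces an authentication error rather than readable data. The record content and identifier are constructed sample data; `NewKey`, `Encrypt` and `Decrypt` are this example's own helpers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit AES key. In production the key comes
// from a KMS or HSM and is never stored alongside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Encrypt seals plaintext with AES-256-GCM. A random 12-byte nonce is
// generated per message and prepended to the output; aad (here the record ID)
// is authenticated but not encrypted, so a ciphertext cannot be swapped
// between records without detection.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. GCM authenticates before it decrypts: a wrong key,
// a modified ciphertext or mismatched aad yields an error, never plaintext.
func Decrypt(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record; the personal data here is made up.
	record := []byte(`{"name":"Alice Example","email":"alice@example.com","dob":"1980-01-01"}`)
	recordID := []byte("customer-1001") // bound to the ciphertext via aad

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	ciphertext, err := Encrypt(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext (first 16 bytes): %x\n", ciphertext[:16])

	plain, err := Decrypt(key, ciphertext, recordID)
	fmt.Println("right key recovers record:", err == nil && bytes.Equal(plain, record))

	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, ciphertext, recordID)
	fmt.Println("wrong key:", err)

	ciphertext[len(ciphertext)-1] ^= 0x01 // flip one bit: tampering is detected too
	_, err = Decrypt(key, ciphertext, recordID)
	fmt.Println("tampered ciphertext:", err)
}
```

An authenticated mode such as GCM is preferred over plain AES-CBC because it rejects altered ciphertext instead of silently decrypting it to garbage, and the per-message random nonce means two encryptions of the same record do not produce the same ciphertext.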
The ICO (Information Commissioner’s Office) has published guidance to help you decide which is most suitable for your needs. Encryption is not mandatory under the GDPR; Article 32 requires security measures “appropriate to the risk”, and one way to determine whether encryption is appropriate is to conduct a DPIA (data protection impact assessment).
DPIAs are mandatory where processing is likely to result in a high risk to data subjects (Article 35), and they help you identify safeguards, such as encryption, that are appropriate to the risk.
Conducting a DPIA is good practice even where the risk initially appears low, because the assessment may reveal risks you had not considered.
It’s also important to note that Article 4(2) defines processing as “any operation or set of operations which is performed on personal data”, such as “adaptation or alteration”.
So even if the only thing you do with personal data is encrypt it, you are still processing it under the Regulation and must comply with its requirements.
The ICO recommends that organisations:
- Have a suitable policy in place governing the use of encryption. The policy must include guidelines that enable staff to understand when it should be used.
- Store personal data “in an encrypted form to protect against unauthorised access or processing, especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals”; and
- Use “an appropriate encrypted communications protocol” when transmitting personal data, whether over the Internet, over a wireless network (e.g. Wi-Fi) or across any other untrusted network.
No Silver Bullet
Although pseudonymisation and encryption are effective safeguards, on their own they will not fully protect your organisation.
Make data protection a priority for all staff: everyone should know the relevant processes and procedures, and data protection expertise should be available so that the organisation can keep functioning while data is kept safe.
Call us today on 03333 22 1011 or contact us here.