Processing large volumes of data provides various benefits to any sector of society (the scientific, educational, financial, commercial, legal sectors, etc.). Thanks to these, significant advances can be made in the development of services and in the well-being of humanity.
Processing must always respect and protect every human being’s personal data privacy by following the General Data Protection Regulation (GDPR). This is the only way it can truly serve society’s development.
One method of ensuring data privacy protection is anonymization, according to the GDPR. By using this technique, information that can identify individuals is removed. But how should anonymized data be processed according to this regulation?
What are anonymized data?
According to the GDPR, anonymized data have had all links to both identified and identifiable natural persons removed.
This is based on the understanding that:
An identified person is one who is clearly known or named, identified in the true sense of being recognized.
An identifiable person is one who can be identified, even if not explicitly identified.
Anonymized data is achieved through the process of disassociating and removing direct and indirect identifiers from personal data.
Direct identifiers show unique characteristics of a person, for example, their name, photograph, or address.
Indirect identifiers can be associated with a person, provided that they are linked to another group of information.
When the anonymized data cannot serve to identify the data subject, then they will no longer be regulated by the GDPR. Why? For the simple reason that truly anonymous data cannot be considered personal data. Therefore, they can be used freely.
However, certain rules must be followed in order to reach this point.
How to comply with the GDPR
In order to comply with the GDPR, the anonymization process must be irreversible. This means that identifying the data subject must be impossible for anyone to carry out, even for the company that provided the service.
Now, you may say that this seems like a simple requirement. However, according to the GDPR, achieving anonymization entails setting up secure procedures so that the resulting data are impossible to associate with another source of information, as it may identify the data subject.
How to be certain whether a person can be identified or not? The GDPR states that, in order to carry out an efficient anonymization process, the risk of re-identification by deduction or other techniques must be assessed.
If the anonymization process has not been carried out efficiently and there is a possibility of re-identification, then we are dealing with a pseudonymization process.
Pseudonymization vs. anonymization
Pseudonymization is the procedure for processing personal data in which identifiers are replaced with pseudonyms, and the linkage between the information and the data subject is safeguarded.
This results in the processed pseudonymized information and the additional binding information.
In GDPR anonymization, binding data or identifiers are deleted. On the contrary, pseudonymization protects them using concealment or encryption methods. It is therefore possible to use the pseudonymized data to identify the data subject again.
As a consequence, pseudonymized data remains personal information and its processing must be carried out in compliance with the GDPR.
With regard to pseudonymization, the regulation states that after extraction, binding data must be stored separately and far from the processed information. In addition, they must be subjected to certain measures to ensure their protection.
In contrast, anonymized data is not regulated by the GDPR. But if the procedure does not comply with true anonymization, the resulting data will remain personal data. Sharing these data would incur non-compliance with the GDPR.
Consequences of non-compliance with the GDPR
When organizations, companies, or institutions share poorly anonymized information, they fail to comply with the GDPR and, as a result, may face the following consequences:
Administrative penalties and fines.
Legal actions that may be filed by the person or group of persons affected in order to obtain compensation for damages.
Damage to the reputation of the company, due to the disclosure of the negligence or misuse of the data.
In addition to the consequences outlined above, if the negligence comes from the company providing the anonymization service, the client may take legal action against their provider.
Optimally, anonymized data are not regulated by the GDPR. As they cannot be used to re-identify the data subject, they can no longer be considered personal data.
It is always of utmost importance to use reliable and expert companies that work with the most advanced technology in the anonymization service and keep up-to-date with the GDPR. Poor advice or services, and negligent or inappropriate technology constitute a risk to proper compliance with the GDPR.
At Pangeanic, we are leaders in data anonymization services and use our own proprietary software based on artificial intelligence. In doing so, we ensure compliance with the European Union's GDPR and data protection regulations from other parts of the world, such as Japan and the USA.