Anonymity in the digital world: the greatest comfort for consumers, and our old friend Ron Swanson. There have been some rumors that pseudonymization under the General Data Protection Regulation (GDPR) can get you pretty close, but will it provide the same level of security?
If you’re up-to-date on your GDPR news, you’ll know that total compliance with the new European Union (EU) privacy legislation begins next May. And if you think it has nothing to do with you, think again: It applies to Canadian businesses, regardless of size, because its intent is to strengthen and unify data protection for all individuals within the EU—but it also governs the export of personal data outside of it.
That’s right: Since the data privacy standards of GDPR are based on citizenship (not geography), Canadian businesses will probably find themselves involved at some point or another. If you’ve got customers who are European citizens, you’re in scope. It doesn’t matter where you conduct your business. Do you run a gift shop in the nation’s capital that’s constantly packed with tourists from EU member countries? Well, you’re in. What about an online retail business on Canadian soil that’s fulfilling orders from EU citizens? You’re in, too.
Meet pseudonymization and anonymization
The good news is that GDPR aims to protect the privacy of citizens, stating that they must give consent to organizations that want to use their personally identifiable information (PII). It calls out pseudonymization several times as a useful tool to protect data—but what is it?
According to the legislation, it’s the “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately.” Simple, right? Pseudonymization breaks down PII so identifiers that could link the data to a specific person are no longer linked to the other data. Unless the data is re-linked, the person remains unidentifiable.
One step further would be anonymization, which is when the “data subject is not or [is] no longer identifiable.” It’s definitely harder to achieve, but sometimes it’s required depending on the nature of the data. Anonymization irreversibly wipes out any way of identifying the data subject. And that sounds pretty good to us.
Pseudonymization isn’t new—remember data masking and hashing? Data masking replaces sensitive data with fictitious yet realistic data. It’s the de facto standard for achieving pseudonymization and helps reduce risk to the data while maintaining its usefulness. Pseudonymization and anonymization have historically (and incorrectly) been seen as interchangeable in the data security world—but they’re not. With GDPR, you need to understand the difference.
Know what the GDPR expects of your team
With pseudonymization, direct identifiers are removed or obscured—plus a few indirect identifiers that could be pieced together to reveal a person’s identity. The removed data points are stored in a separate database that can be linked back to the de-identified database using a key, like a random identification number. Since this data can be reassembled, there’s always the risk of re-identification. In a malicious plot, a threat actor could obtain the key to the pseudonymized data. But even without a key, an attacker could link the indirect identifiers that remain in the pseudonymous database with other available information to correctly identify individuals.
To fall in line with GDPR, this means that your organization will need to impose safeguards to prevent “unauthorized reversal of pseudonymization.” This can be achieved through technical means like encryption, hashing or tokenization, or organizational measures like agreements and policies that’ll keep pseudonymous data far away from your identification key.
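As an added example (not code from the original article), here is what the split described above can look like in practice: direct identifiers are replaced by a keyed token, the link table that allows re-linking is kept apart from the working dataset, and two checks a practitioner would run are included: whether an unkeyed hash of the same field could simply be guessed, and which rows the remaining indirect identifiers still single out. The record values, field names and helper names are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people) for the demonstration.
CUSTOMERS = [
    {"email": "anna@example.org", "postcode": "K1A", "birth_year": 1984, "spend": 120.0},
    {"email": "bram@example.net", "postcode": "K1A", "birth_year": 1984, "spend": 45.5},
    {"email": "chen@example.com", "postcode": "M5V", "birth_year": 1991, "spend": 310.25},
]
DIRECT_IDENTIFIERS = ("email",)                  # stripped from the working dataset
QUASI_IDENTIFIERS = ("postcode", "birth_year")   # stay in it, so linkage risk remains

def token_for(email, key):
    """Keyed pseudonym (HMAC-SHA256): only holders of `key` can recompute it."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(records, key):
    """Split records into pseudonymous rows and a link table (token -> direct identifiers).
    The link table is the 'additional information' GDPR says must be kept separately."""
    pseudo_rows, link_table = [], {}
    for rec in records:
        tok = token_for(rec["email"], key)
        link_table[tok] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudo_rows.append({"id": tok, **{k: v for k, v in rec.items()
                                          if k not in DIRECT_IDENTIFIERS}})
    return pseudo_rows, link_table

def reidentify(row, link_table):
    """Authorized reversal: re-attach the direct identifiers held in the link table."""
    return {**link_table[row["id"]], **{k: v for k, v in row.items() if k != "id"}}

def unkeyed_hash_is_guessable(email, candidates):
    """Why a plain hash is a weak pseudonym for low-entropy fields: anyone who can
    enumerate plausible inputs recomputes the digest and matches it."""
    digest = hashlib.sha256(email.lower().encode()).hexdigest()
    return any(hashlib.sha256(c.lower().encode()).hexdigest() == digest for c in candidates)

def unique_by_quasi_identifiers(pseudo_rows):
    """Tokens whose quasi-identifier combination is unique in the dataset: these rows
    are the ones an outside dataset sharing those columns could single out."""
    combos = [tuple(r[k] for k in QUASI_IDENTIFIERS) for r in pseudo_rows]
    return [r["id"] for r, c in zip(pseudo_rows, combos) if combos.count(c) == 1]

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # store with the link table, never with the dataset
    rows, links = pseudonymize(CUSTOMERS, key)
    print(rows[0], reidentify(rows[0], links), unique_by_quasi_identifiers(rows), sep="\n")
```

The third record is the only one whose postcode and birth year combination is unique, so it is the row that a linkage attempt on the pseudonymous data could still single out even without the key.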
Go beyond PIPEDA—for your users
You may be asking yourself: “But what does this mean for Canada?” Yes, the privacy of Canadian citizens is already covered under the Personal Information Protection and Electronic Documents Act (PIPEDA)—but since the goal of the European legislation is to protect its citizens, Canadians will benefit as a side effect. In the meantime, the federal privacy commissioner recently made calls for beefed-up powers for PIPEDA compliance via binding orders and administrative monetary penalties (AMPs).
But here’s the good news: Existing technology can support compliance. At its foundation, compliance is a data management issue, beginning with a complete mapping of how data is collected, stored and used. Is it PII? What are the downstream systems that extract and consume it? How secure are those systems? Creating a consistent taxonomy is essential for compliance if you’re going to apply pseudonymization.
GDPR provides the flexibility for companies to use PII for “general analysis” if they pseudonymize the data. But it doesn’t get rid of the need for consent to process that data, or the need to implement a framework to comply with the legislation in concert with the necessary IT. So you can rest easy, because your data will be more secure—for now.