Out-Law / Your Daily Need-To-Know

OUT-LAW NEWS 3 min. read

Anonymisation guidelines ‘can help businesses address data protection risks’

Glasses on woman reflect data on screen

South_agency/iStock


New guidance has been issued that can help businesses avoid miscategorising the information they hold and breaching EU data protection laws as a result, experts have said.

Anna Flanagan and Malcolm Dowden of Pinsent Masons, who specialise in data protection law, were commenting after the European Data Protection Board (EDPB) adopted new guidelines on anonymisation (34-page / 1.37MB PDF).

The processing of personal data is subject to data protection law. In the EU, the General Data Protection Regulation (GDPR) imposes a range of conditions on personal data processing, with the potential for significant financial penalties to be levied on organisations that do not comply with those conditions.

In some cases, organisations can achieve their objectives using data that has been stripped of identifiers and no longer qualifies as personal data. They might seek to remove information from which individuals can be identified from data sets, to reduce restrictions and compliance burdens affecting how they can use and share that data. This can also reduce risks to individuals.

Anonymised data falls outside the protection of the GDPR. However, data that is thought to have been fully anonymised might only have been "pseudonymised" or masked, meaning that it is still in scope of the law. The EDPB’s new guidance sets out its view of the practical tests to be applied to determine whether data is genuinely anonymised.

In GDPR terms, data will be anonymous only where it no longer relates to an identified or identifiable natural person, taking account of the means reasonably likely to be used by the relevant party to identify individuals. The EU’s highest court ruled last year that data can be considered anonymised in the hands of one party but not necessarily in the hands of another – it depends whether the recipient of data has the means to identify someone from the data. The EDPB said it is therefore “necessary to consider the different perspectives of the relevant entities” when performing the test for anonymity.

“Wrongly believing that personal data has been anonymised, only to find that re-identification is reasonably possible, is a common cause of GDPR infringement,” said Flanagan. “If data is wrongly treated as anonymous, the GDPR compliance measures that should accompany personal data processing, such as transparency information, lawful-basis analysis, data protection impact assessment where required, and appropriate security controls, may be absent or inadequate.”

Dowden added: “The EDPB's new guidance provides a structured and practical test. Following its steps and documenting reasoned conclusions will materially reduce the risk of breach.”

The EDPB has set out a three-step test to help businesses understand whether information is truly anonymised or whether there is still a risk of re-identification.

According to the EDPB, data should be treated as anonymous only where there is no realistic risk of record isolation, linkage or inference. In practice, this means assessing whether the data: contains a unique combination of attribute values that relate to a single individual; contains an individual’s record that could be linked, with certainty or high likelihood, to another record relating to the same individual in a different dataset; or allows specific and meaningful inferences to be drawn about an individual. The EDPB frames this as the ‘no record isolation, no linkage, no inference’ test, and its guidance provides detailed explanations and examples to help organisations apply those criteria in practice.

“The framework can be applied in two different ways: one which considers the differences in capabilities between those who might identify the data subject (‘the contextual approach’) and one which does not (‘the simplified approach’),” the EDPB said.

“The contextual approach reflects the full nuances of the legal standard for anonymisation and allows the controller to assess whether data is anonymous for each relevant entity based on their respective capabilities. The simplified approach, on the other hand, can go beyond the legal standard and may lead an anonymising controller to treat data as though it is not anonymous even if it would actually be so for some relevant entities. However, it also offers a more convenient option for controllers who choose to use it, provides greater confidence that data is actually anonymous and can be combined with the contextualised approach to refine the findings,” it said.

For UK organisations, the EDPB guidance should also be read alongside the UK Information Commissioner’s Office’s anonymisation guidance, which was updated last year. 

Trending topics across the site:

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.