Do You Know Anonymisation from Pseudonymisation?
Anonymisation is a term that we’re all pretty familiar with. However, in the context of data security and compliance, anonymisation has a specific definition. You may find that data you thought was anonymous has actually just been through a process of pseudonymisation. As the name suggests, this isn’t the real deal; it’s an imitation. And, although helpful in many circumstances, it affects how you need to store and manage your data to stay on the right side of compliance.
What’s the difference between anonymisation and pseudonymisation?
Pseudonymisation is a security technique used to protect data subjects so they can’t be identified without the means to reverse the pseudonymisation. Anonymisation, by contrast, means that an individual cannot be identified at all. The key here is that for data to be classed as truly anonymous, the anonymisation process must be irreversible.
With pseudonymisation, you can only tie the data back to the individual if you have access to the relevant information to make that process possible. This might typically be an ID or reference number. But the fact that it’s possible means that this type of data can’t be classed as anonymous.
Anonymisation and pseudonymisation are used when dealing with personal data – but what information does that refer to?
What is personal data?
The UK GDPR defines personal data as:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
As you can see, the definition is very broad in scope – deliberately so. It also means that data that can’t identify an individual on its own is still classed as personal data if a person can be identified when it is combined with other known information, which obviously makes things a little more complicated.
For example, date of birth on its own doesn’t allow me to identify an individual, as many people are born on the same day. However, if I combine this information with a job position and company, it becomes much more likely that I can identify a single person.
Personally Identifiable Information (PII) is a term more commonly used in the US and within businesses; however, unlike ‘personal data’, it isn’t a legal term. PII is data that could potentially identify a specific individual. Some information, such as full name or passport number, is enough to identify an individual on its own. In other cases, separate pieces of data may need to be pieced together to identify someone at an individual level.
All PII is, by its very nature, personal data. However, not all personal data would be classed as PII. Examples of data that fall into the personal data category but aren’t PII include device IDs and IP addresses.
Special category data – Sensitive personal data
Another area to be particularly mindful of is personal data which is classified as being sensitive.
Special category data, which is sensitive in nature, includes, but is not limited to, racial or ethnic origin, religious beliefs, trade union membership and data related to health. These are areas which Market Researchers could come into contact with due to the nature of the work.
You should question whether it’s necessary to collect this type of information. If it is required, make sure you get the relevant consent and that you comply with the GDPR.
Anonymisation, pseudonymisation and the GDPR
So, now we’ve cleared up the definitions of personal data we can move on to another area that may cause some confusion – anonymisation vs. pseudonymisation.
In both cases, the data you end up with could look very similar but it’s important to understand what type you’re dealing with for compliance purposes.
The good news is that anonymous data is not considered to be personal data at all. It doesn’t relate to an identified or identifiable person and therefore poses no risk to individuals if it were to be leaked, so it’s outside the scope of GDPR, which obviously has a huge compliance benefit, phew!
The bad news is that just because you personally might not be able to identify an individual from the data you have access to, you need to consider if it’s possible at the data controller level – this would usually be your company. This can mean that you think you are dealing with anonymous data when you’re not!
Using pseudonymisation is good practice as a security measure to minimise the risk of a breach. However, in terms of compliance, it’s still classed as dealing with personal data.
It also makes sense to anonymise data wherever you can. However, for compliance purposes, make sure you’re clear whether the information is truly anonymous and not just using pseudonymisation.
Anonymisation & pseudonymisation in Market Research
The nature of Market Research means that personal data is often collected. Sometimes it is needed for the analysis itself; other times it is required for the running of a project – but usually, it’s not needed on an ongoing basis.
A unique ID or reference number is commonly used to replace personal data and as an easy way to track or match back details in the future. When you’re analysing the data, from your perspective, the data may feel anonymous as you don’t know who the individuals are and may not have access to that information. However, if the data exists and a person can be identified with access to that data, a form of pseudonymisation has occurred rather than anonymisation.
The process is reversible and therefore is not anonymous, which we know is an important distinction for the purposes of compliance with the GDPR.
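The distinction described above, and the earlier date-of-birth example, as an added Python sketch that is not part of the original article. The respondent records, field names and the generalisation rule are all constructed assumptions; the check only looks at the fields you pass in, so passing it says nothing about legal anonymity.

```python
import secrets
from collections import Counter

# Constructed sample responses (not real people).
RESPONDENTS = [
    {"name": "Alice Example", "dob": "1985-03-14", "job": "Finance Director", "company": "Acme Ltd", "score": 8},
    {"name": "Bob Example", "dob": "1985-03-14", "job": "Analyst", "company": "Acme Ltd", "score": 6},
    {"name": "Cara Example", "dob": "1990-07-02", "job": "Analyst", "company": "Acme Ltd", "score": 9},
    {"name": "Dev Example", "dob": "1990-07-02", "job": "Analyst", "company": "Beta plc", "score": 4},
]

def pseudonymise(records):
    """Swap the name for a random reference ID; return (dataset, key_table)."""
    dataset, key_table = [], {}
    for rec in records:
        ref = secrets.token_hex(8)
        key_table[ref] = rec["name"]  # the "means to reverse" the process
        row = {k: v for k, v in rec.items() if k != "name"}
        row["ref"] = ref
        dataset.append(row)
    return dataset, key_table

def reidentify(row, key_table):
    """Reversal works for anyone holding the key table; None otherwise."""
    return key_table.get(row.get("ref"))

def singled_out(dataset, fields):
    """Rows whose combination of `fields` is unique within the dataset."""
    combo = lambda r: tuple(r[f] for f in fields)
    counts = Counter(combo(r) for r in dataset)
    return [r for r in dataset if counts[combo(r)] == 1]

def generalise(dataset):
    """Drop the reference ID, job and company; coarsen dob to a birth decade."""
    return [{"birth_decade": r["dob"][:3] + "0s", "score": r["score"]} for r in dataset]

if __name__ == "__main__":
    data, keys = pseudonymise(RESPONDENTS)
    print("analyst's view:", data[0])
    print("with key table:", reidentify(data[0], keys))
    print("unique on dob alone:", len(singled_out(data, ["dob"])))
    print("unique on dob+job+company:", len(singled_out(data, ["dob", "job", "company"])))
    print("unique after generalising:", len(singled_out(generalise(data), ["birth_decade"])))
```

The analyst's view contains no names, yet the key table held elsewhere in the organisation reverses it, and the combination of date of birth, job and company singles out every row even without the key.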
If you’d like more information about data security and compliance within Market Research, we’ve created a friendly guide just for you. It’s packed with helpful tips and best practice to help you navigate staying on the right side of the rules and regulations.
Transcriptions often include personal details and so you need to think about how you store and manage these documents too. To help you with the process, we have an optional anonymisation service available which is great for GDPR compliance. Simply add the anonymisation option on our online quote generator to get an instant price.