Pseudonymization is one strategy that could help businesses struggling to comply with the European Union's General Data Protection Regulation (GDPR).
GDPR goes into effect on May 25, 2018, bringing with it stringent new data privacy protections for any company that processes the personal data of people in the EU, and steep penalties (fines of up to 4% of global annual turnover or €20 million, whichever is higher) for failing to comply.
One recent report found that a quarter of U.S. companies aren't sure if they're ready to meet GDPR compliance standards. "The challenge is due in part to confusion on behalf of many companies, primarily because there is not one software solution to buy that can help each corporation comply with the standard," said Kory Willis, senior director of IT at partner relationship management (PRM) provider Impartner. "Rather, it is up to each company to make sure that each technology vendor they use can comply with the standard."
Indeed, there are a number of technologies that can help companies comply with GDPR, among them data protection, managed file transfer, data mapping, privacy impact assessments, and individual rights compliance tools.
But Willis says the key to complying with GDPR is pseudonymization.
What is pseudonymization?
Pseudonymization is a form of data masking. It is a safeguard that replaces the directly identifying fields in a record (name, email address, account number) with a pseudonym, so that the remaining data cannot be tied back to a person without a separately held key or lookup table. The record becomes less personally identifiable, not non-identifiable.
The term can be found within the text of the law itself. Here's how Article 4(5) of the GDPR defines pseudonymization:
"'[P]seudonymization' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."
It's a mouthful, but what does it mean for data controllers and IT teams?
"Simply put, pseudonymization means storing an individual's information in many separate files, under many different names, so that no hacker could ever grab one file and have anyone's full information," Willis said. "If your information isn't pseudonymized, you're not compliant, and you could face huge consequences in just a few short months."
If a user's data record is pseudonymized, the data set on its own does not give an attacker enough information to identify the subject or complete the record: the direct identifiers, or the key that maps pseudonyms back to them, live in a separate and separately protected store. Data must be stored in more than one data repository so an individual's total set of details would be protected if one file of information is ever breached, Willis said.
Pseudonymized data is different from anonymized data in some crucial respects.
Anonymous data is irreversibly altered so that the "data subject is not or no longer identifiable," states GDPR Recital 26, one of 173 such sections outlining the thinking behind the law. In short, there is no way of reassembling a user record once it's anonymized, and the GDPR therefore does not apply to such information, including when it is processed for statistical or research purposes. Pseudonymized data, however, may be reassembled with the use of a key or other additional information, and the same recital is explicit that it therefore remains personal data: the GDPR still applies to it in full, and pseudonymization is a safeguard rather than a way out of the regulation.
It seems fairly straightforward, but Willis cautions that organizations that aren't already pseudonymizing user data will face some added complexity implementing the privacy-enhancing procedure. It is not foolproof, either. A persistent attacker can piece a record back together if lax safeguards and security policies expose the pseudonymization keys or the mapping table, and a pseudonym built from a plain, unkeyed hash of an identifier such as an email address offers little protection at all, since anyone with a list of candidate addresses can hash them and match the results against the data set. The "additional information" that the law requires to be kept separately should be a secret key or a lookup table that the data set alone cannot reproduce. Used properly alongside encryption, which Article 32 names next to pseudonymization among appropriate technical measures, it can go a long way toward GDPR compliance.
How to implement pseudonymization
Pseudonymization involves much more than masking data on a technical level, Willis said. Here are some tips for IT teams looking to implement pseudonymization.
- Examine what kinds of data you're storing: Identify how and where you're storing personal data. Take a thorough inventory of the databases and systems where affected records are kept before even considering pseudonymizing them.
- Do you need the data that you think you need? If you're hanging on to personal data that doesn't add value or your organization simply doesn't need, consider getting rid of it, Willis said. Pseudonymization comes at a cost and adds complexity to your enterprise data management and governance operations. Why incur those burdens if the data isn't worth it to your organization?
- Enact good privacy policies: Clear and unambiguous privacy policies not only help your European users know where they stand in terms of their personal data; they also govern how your organization protects that data. Pseudonymization can help give those policies some much-needed bite.
- Target your databases: Look at your database and talk to your engineers, Willis advised. Besides making the case for data pseudonymization as it applies to GDPR, you'll need the expertise of your IT experts and database administrators to implement pseudonymization techniques.
There are several database vendors and data-masking specialists that can help businesses pseudonymize sensitive data. Here's a sampling:
- Anonos: The company's BigPrivacy platform can be used to transform data into a pseudonymized format.
- IRI: IRI FieldShield is a classification and masking tool for personally identifiable information stored in databases and files. It supports various methods of protecting user data, including pseudonymization.
- Protegrity: The data protection specialist's tokenization technology enables data pseudonymization for organizations that value data privacy.
- Oracle: Oracle suggests that customers use Oracle Data Redaction policies and Oracle Database Vault to pseudonymize data stored in its business database products.
- Striim: The data integration and streaming analytics provider announced in January 2018 that it had added data pseudonymization to its platform. Striim 3.8 includes built-in data masking functionality that the company claims can be easily implemented using the solution's interface.