In contrast, Pseudonymisation, as defined for the first time in GDPR Article 4(5), enables Functional Separation by requiring that individuals cannot be re-identified via linkage attacks, except with access to “Additional Information” that is stored separately under the control of the data controller. Traditional Anonymisation techniques that use static (or persistent) tokens to replace repeated occurrences of identifiers within and across datasets remain vulnerable to reidentification via the Mosaic Effect. They therefore do not satisfy the GDPR definitional requirements for Pseudonymisation that are necessary to achieve the desired Functional Separation.
Since the adoption of the new GDPR definition of Pseudonymisation, the European Union Agency for Cybersecurity (ENISA) has published two reports on best practices for compliant Pseudonymisation, in November 2018 and 2019. In addition, the Article 29 Working Party Opinion 06/2014 opined that Pseudonymisation, when implemented correctly, is an effective safeguard that can “play a role in tipping the balance in favour of the controller when evaluating steps taken to minimise the impact on data subjects under the Balancing of Interests Test required for Legitimate Interest processing.”
GDPR compliant Pseudonymisation requires that personal data be transformed so that the identity of individuals cannot be discovered by linkage attacks. To achieve GDPR compliant Pseudonymisation, the practice of tokenization can be expanded to use dynamically-generated tokens applied to both direct and indirect identifiers, to enable reliable data protection in today’s Big Data world.
A Science journal article entitled “Unique In The Shopping Mall: On The Reidentifiability of Credit Card Metadata” deals with a version of the Mosaic Effect called “unicity”, i.e., how much outside information is needed, on average, to reidentify a specific individual. The article shows that four data elements represented by static (persistent) tokens are enough to uniquely reidentify 90% of individuals, and it highlights how metadata captured in several financial transactions by an individual designated by the same identifier “7abc1a23” can be used to reidentify them. An example of how GDPR compliant Pseudonymisation can defeat the Mosaic Effect is provided below: each successive purchase is pseudonymised by replacing the static token “7abc1a23” with a different, dynamically generated Pseudonym to defeat unauthorised reidentification via the Mosaic Effect.
Without GDPR compliant Pseudonymisation, anyone can tell that the same person made four purchases in this example. However, with GDPR compliant Pseudonymisation, data about the Pseudonym used to obscure the activities of User ID “7abc1a23” is retained, but it is made available only to authorised parties under controlled conditions - it is not revealed to the outside world.
| Shop | User ID | Time | Price | Price Bin | Pseudonymised |
|---|---|---|---|---|---|
| | 3092fc10 | 09/23 | $43.78 | $16 - $49 | |
| | 4c7af72a | 09/23 | $12.29 | $5 - $16 | |
| | 89c0829c | 09/24 | $3.66 | $2 - $5 | |
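
The contrast between static and dynamic tokens described above, as an added Python example (it is not from the original article or from any product). The purchase records, user names, key and function names are constructed for illustration, and the dynamic-token `lookup` table stands in for the separately stored “Additional Information”.

```python
import hashlib, hmac, secrets
from collections import defaultdict

# Constructed purchases (user, shop, date, price); not data from the article.
PURCHASES = [
    ("alice", "bakery", "09/23", 21.40),
    ("alice", "cafe", "09/23", 6.10),
    ("bob", "bakery", "09/23", 18.75),
    ("alice", "grocer", "09/23", 52.00),
    ("carol", "cafe", "09/23", 4.95),
    ("bob", "grocer", "09/24", 33.20),
    ("alice", "bakery", "09/24", 9.80),
]
# Four (shop, date) points an outsider is assumed to know about one customer.
KNOWN = [("bakery", "09/23"), ("cafe", "09/23"), ("grocer", "09/23"), ("bakery", "09/24")]

def static_tokens(purchases, key):
    """Persistent token: the same user always receives the same token."""
    return [(hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:8], shop, date, price)
            for user, shop, date, price in purchases]

def dynamic_tokens(purchases):
    """Fresh random token per record. The token -> user map is returned
    separately so the controller can keep it apart from the released data."""
    released, lookup = [], {}
    for user, shop, date, price in purchases:
        tok = secrets.token_hex(4)
        while tok in lookup:              # retry on the rare collision
            tok = secrets.token_hex(4)
        lookup[tok] = user
        released.append((tok, shop, date, price))
    return released, lookup

def tokens_matching(released, known_points):
    """Linkage test: tokens whose records cover every known (shop, date) point."""
    seen = defaultdict(set)
    for tok, shop, date, _ in released:
        seen[tok].add((shop, date))
    return [tok for tok, pts in seen.items() if set(known_points) <= pts]

def authorised_relink(released, lookup, user):
    """Controller-side re-linking, possible only with the lookup table."""
    return [rec for rec in released if lookup[rec[0]] == user]

if __name__ == "__main__":
    static = static_tokens(PURCHASES, b"constructed-demo-key")
    dynamic, lookup = dynamic_tokens(PURCHASES)
    print("static tokens matching all 4 points: ", tokens_matching(static, KNOWN))
    print("dynamic tokens matching all 4 points:", tokens_matching(dynamic, KNOWN))
    print("authorised re-link:", authorised_relink(dynamic, lookup, "alice"))
```

This sketch tokenises only the direct identifier; the article calls for dynamic tokens on indirect identifiers as well, and the shop, date and price columns remain in the clear here.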