How GDPR Compliant Pseudonymisation Enables Functional Separation to Defeat the Mosaic Effect
Anonymisation techniques and pre-GDPR forms of tokenisation (sometimes incorrectly referred to as pseudonymisation) are increasingly ineffective in today’s world of exploding volume, velocity and variety of easily obtainable Big Data. These factors combine to enable unauthorised re-identification of individuals via the Mosaic Effect. The Mosaic Effect occurs when a person is indirectly identifiable via linkage attacks because information can be combined with other pieces of information known to relate to the same individual, enabling the individual to be distinguished from others. 

In contrast, Pseudonymisation, as defined for the first time in GDPR Article 4(5), enables Functional Separation by requiring that individuals cannot be re-identified via linkage attacks except with access to “Additional Information” that is stored separately under the control of the data controller. Traditional Anonymisation techniques that use static (or persistent) tokens to replace repeated occurrences of identifiers within and across datasets remain vulnerable to reidentification via the Mosaic Effect. They therefore do not satisfy the GDPR definitional requirements for Pseudonymisation that are necessary to achieve the desired Functional Separation.

Since the adoption of the new GDPR definition of Pseudonymisation, the European Union Agency for Cybersecurity (ENISA) has published two reports on best practices for compliant Pseudonymisation, in November 2018 and 2019. In addition, Article 29 Working Party Opinion 06/2014 stated that Pseudonymisation, when implemented correctly, is an effective safeguard that can “play a role in tipping the balance in favour of the controller when evaluating steps taken to minimise the impact on data subjects under the Balancing of Interests Test required for Legitimate Interest processing.”

GDPR compliant Pseudonymisation requires that personal data must be transformed so that the identity of individuals cannot be discovered by linkage attacks. To achieve GDPR compliant Pseudonymisation, the practice of tokenization can be expanded to use dynamically-generated tokens applied to both direct and indirect identifiers, to enable reliable data protection in today’s Big Data world.

A Science journal article entitled “Unique In The Shopping Mall: On The Reidentifiability of Credit Card Metadata” deals with a version of the Mosaic Effect called “unicity”, i.e., how much outside information is needed, on average, to reidentify a specific individual. The article shows that four data elements represented by static (persistent) tokens are enough to uniquely reidentify 90% of individuals, and it highlights how metadata captured in several financial transactions by an individual designated by the same identifier “7abc1a23” can be used to reidentify them. An example of how GDPR compliant Pseudonymisation can defeat the Mosaic Effect is provided below: each time you press the button labelled “CLICK HERE 4 TIMES”, the next purchase is pseudonymised by replacing the static token “7abc1a23” with a different, dynamically de-identifying Pseudonym to defeat unauthorised reidentification via the Mosaic Effect.

 

Without GDPR compliant Pseudonymisation, anyone can tell that the same person made four purchases in this example. However, with GDPR compliant Pseudonymisation, data about the Pseudonym used to obscure the activities of User ID “7abc1a23” is retained, but it is made available only to authorised parties under controlled conditions - it is not revealed to the outside world.

See how obscuring the purchases in 4 steps can protect against reidentification

Purchases by User ID “7abc1a23” can be protected

Pseudonymised Purchase Table
Shop  User ID   Time   Price   Price Bin   Pseudonymised
      3092fc10  09/23  $43.78  $16 - $49
      4c7af72a  09/23  $12.29  $5 - $16
      89c0829c  09/24  $3.66   $2 - $5

Additional Information
Time  Pseudonym  User ID

Original Purchase Table
Shop  User ID   Time   Price   Price Bin
      7abc1a23  09/23  $97.30  $49 - $146
      7abc1a23  09/23  $15.13  $5 - $16
      3092fc10  09/23  $43.78  $16 - $49
      7abc1a23  09/23  $4.33   $2 - $5
      4c7af72a  09/23  $12.29  $5 - $16
      89c0829c  09/24  $3.66   $2 - $5
      7abc1a23  09/24  $35.81  $16 - $49
Derived from: Science 30 January 2015: Vol. 347 no. 6221 pp. 536-539 / DOI: 10.1126/science.1256297 / Science Magazine
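
The replacement of a static token with per-record pseudonyms, sketched in Python on the rows of the Original Purchase Table. This is an added example, not code from the original page or from any product it describes. It goes slightly beyond the page's demonstration by giving every record, not only those of “7abc1a23”, a fresh random pseudonym. The function names and the 4-byte token length are assumptions, and only the User ID column is handled, so the indirect identifiers (time, price) would still need their own treatment.

```python
import secrets
from collections import Counter

# Rows from the page's Original Purchase Table: (user_id, time, price, price_bin)
ORIGINAL = [
    ("7abc1a23", "09/23", 97.30, "$49 - $146"),
    ("7abc1a23", "09/23", 15.13, "$5 - $16"),
    ("3092fc10", "09/23", 43.78, "$16 - $49"),
    ("7abc1a23", "09/23", 4.33, "$2 - $5"),
    ("4c7af72a", "09/23", 12.29, "$5 - $16"),
    ("89c0829c", "09/24", 3.66, "$2 - $5"),
    ("7abc1a23", "09/24", 35.81, "$16 - $49"),
]

def pseudonymise(rows, token_bytes=4):
    """Give every record its own random pseudonym (hypothetical helper).

    Returns (released_rows, additional_information). The second value maps
    pseudonym -> (time, user_id) and must be stored separately, under the
    controller's access control; it is never shipped with released_rows.
    """
    reserved = {r[0] for r in rows}      # never reuse a real identifier
    released, additional = [], {}
    for user_id, time, price, price_bin in rows:
        pseudonym = secrets.token_hex(token_bytes)
        while pseudonym in reserved or pseudonym in additional:
            pseudonym = secrets.token_hex(token_bytes)
        additional[pseudonym] = (time, user_id)
        released.append((pseudonym, time, price, price_bin))
    return released, additional

def largest_linkable_group(rows):
    """Largest number of records that share one identifier value, i.e. what
    an outside party can join on the identifier column alone."""
    return max(Counter(r[0] for r in rows).values())

def reidentify(released, additional):
    """Authorised reversal: only possible with the Additional Information."""
    return [(additional[p][1], t, price, b) for p, t, price, b in released]

if __name__ == "__main__":
    released, additional = pseudonymise(ORIGINAL)
    print("linkable on static token:", largest_linkable_group(ORIGINAL))
    print("linkable on pseudonyms:  ", largest_linkable_group(released))
    for row in released:
        print(row)
```
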
Key Takeaways
GDPR compliant Pseudonymisation enables greater privacy-respectful use of data in today’s “big data” world of data sharing and combining. In addition, it enables data controllers and processors to reap explicit benefits under the GDPR including reduced obligations in the event of a data breach and other express statutory allowances.

To learn more about the benefits of Pseudonymisation, visit www.pseudonymisation.com.