You might already be familiar with the term anonymization. However, this term has a specific definition when you use it in the context of data security and compliance. Without a true understanding of the term and its specific meaning in data, you risk believing that your data is anonymous when you’ve only achieved pseudonymization. As the name suggests, pseudonymization isn’t the real deal, it’s an imitation. Although both might be helpful, the difference can affect how you need to store and manage your data. Here is a breakdown of anonymization and pseudonymization so that you can stay on the right side of regulatory requirements.
What’s the difference between anonymization and pseudonymization?
Pseudonymization is a security technique that helps protect data subjects from identification. However, with reverse pseudonymization, it still could be possible to restore information and identify a person. In contrast, anonymization prevents any identification of the subject at all. The key here is that to classify data as truly anonymous, the anonymization process must be irreversible.
With pseudonymization, you can only tie the data back to the individual if you have access to the relevant information to make that process possible. Typically, you would need something like an ID or reference number. Unfortunately, the fact it’s possible means that you can’t classify this type of data as anonymous.
Anonymization and pseudonymization are terms that relate to “personal data.” The UK GDPR has a specific definition for what constitutes personal data.
What is personal data?
According to the UK GDPR, “’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
As you can see, the definition is deliberately very broad in scope. It also classifies data that can’t identify an individual alone but can in combination with other known information, as personal data. This approach makes things a little more complicated.
For example, a person’s date of birth on its own won’t allow you to identify them. After all, many people are born on the same day. However, if you combine this information with a job position and company, it’s much more likely that you can identify a person.
Personally Identifiable Information (PII) is a common term for this data in US and within businesses. However, unlike ‘personal data,’ PII isn’t a legal term. PII is data that could potentially lead to the identification of a specific individual. Some information, such as full name or passport number, is enough to identify an individual on its own. In other cases, you might need to piece together separate pieces of data to identify someone at an individual level.
All PII is, by its very nature, personal data. However, not all personal data qualifies as PII. Some examples of the types of data that fall into the personal data category but aren’t PII include; information such as device IDs and IP addresses.
Special category data – Sensitive personal data
Another area to be particularly mindful of is personal data classified as sensitive.
Special category sensitive data includes racial or ethnic origin, religious beliefs, trade union membership and health data. These are areas that Market Researchers could come into contact with due to the nature of the work.
You should question whether it’s necessary to collect this type of information. If you need this data, make sure you get the relevant consent and that you comply with the GDPR.
Anonymization, pseudonymization and the GDPR
With clear definitions of personal data in mind, we’ll move to another area that may cause confusion – anonymization vs. pseudonymization.
In both cases, the data you end up with could look very similar. Still, it’s important to understand what type you’re dealing with for compliance purposes.
The good news is that anonymous data is not personal data at all. It doesn’t relate to an identified or identifiable person and therefore poses no risk to individuals. Even if this data leaks, it’s outside the scope of GDPR.
The bad news is that even if you can’t identify an individual from the data you have access to, you need to consider data at the controller level. In most cases, your company would be the data controller. This situation can mean that you think you are dealing with anonymous data when you’re not.
Using pseudonymization is good practice as a security measure to minimize the risk of a breach. However, in terms of compliance, this information is still personal data.
It also makes sense to anonymize data wherever you can. However, for compliance purposes, make sure you’re clear about whether the information is truly anonymous and not just using pseudonymization.
Anonymization & pseudonymization in Market Research
In Market Research, collecting personal data is often the goal. Other times, the data is only necessary for a preliminary analysis.
A unique ID or reference number can replace personal data and offers an easy way to track or match back details in the future. When analyzing data, the information may feel anonymous because you don’t know who the individuals are or have access to that information. However, if the data exists and you can identify a person with access to that data, you’ve only achieved pseudonymization.
The process is reversible and therefore is not anonymous. As a result, this distinction creates an important consideration for the purposes of compliance with the GDPR.
If you’d like more information about date security and compliance within Market Research, reach out to Verbit.
Transcriptions often include personal details, so you need to think about how you store and manage these documents too. Contact Verbit for more information about how we can help you meet the demands of GDRP.