Pseudonymisation best practices and techniques: ENISA publishes recommendations

December 6, 2019

The European Union Agency for Cybersecurity (ENISA) has published a report on pseudonymisation techniques and best practices, which explores the basic concepts of pseudonymisation, as well as technical solutions that can support implementation in practice.

In light of the GDPR, the challenge of applying pseudonymisation to personal data properly is a hot topic and is being discussed across a variety of different communities, ranging from research and academia to justice and law enforcement as well as compliance management.

The report discusses, in particular, the parameters that may influence the choice of pseudonymisation techniques in practice, such as data protection, utility, scalability and recovery. It also builds on specific use cases for the pseudonymisation of certain types of identifiers (for example, IP addresses, email addresses and complex data sets).

The report concludes that the field of data pseudonymisation in complex information infrastructures is a challenging one. It depends to a large extent on matters of context, the entities involved, data types, background information, and implementation details. 

Further, there is no single, easy solution to pseudonymisation that works for all approaches in all possible scenarios. The report states that it requires a high level of competence to apply a robust pseudonymisation process, reducing the threat of discrimination or re-identification attacks, while maintaining the degree of utility necessary for processing pseudonymised data. 

The report makes a series of recommendations, set out below:

Data controllers and processors should carefully consider the implementation of pseudonymisation following a risk-based approach, taking into account the purpose and overall context of the personal data processing, as well as the utility and scalability levels they wish to achieve.

Producers of products, services and applications should provide adequate information to controllers and processors about their use of pseudonymisation techniques and the security and data protection levels that these provide.

Regulators (e.g. data protection authorities and the European Data Protection Board) should provide practical guidance to data controllers and processors about the assessment of risk, while promoting best practices in the field of pseudonymisation.

The European Commission and the relevant EU institutions should provide support for defining and disseminating the state of the art in pseudonymisation, in co-operation with the research community and industry in the field.

The research community should work on extending the current pseudonymisation techniques to more advanced solutions which effectively address special challenges arising in the big data era. The European Commission and the relevant EU institutions should support and disseminate these efforts.