Personal Data Protection (Part 2)

16.12.2025

Since the General Data Protection Regulation (GDPR) came into force in Europe, companies have used many techniques to comply effectively with the requirements for processing and protecting personal data, seeking to strike a balance between information security and the organization’s business needs.

In this regard, there are concepts that still cause considerable confusion and are often used interchangeably, even though they are in fact quite different. Due to a lack of understanding of these techniques, not all companies correctly use anonymization and pseudonymization to protect their customers’ personal data.

In brief, anonymization is a technique that removes those attributes of personal data that allow an individual to be identified, whereas pseudonymization consists of changing identifying attributes in such a way that a person cannot be identified without using additional information about that change.

Among the risks associated with personal data protection that these techniques help mitigate are:

  • Identification: understood as the possibility of extracting from a dataset some records (or all of them) that identify a person.
  • Linkability: the ability to relate two or more data points referring to the same data subject or group of subjects, whether through one or multiple data sources.
  • Inference: the possibility of deducing, from simple or non-critical data and with significant probability, personal characteristics to which access should not be granted.

Anonymization of Personal Data

The anonymization process (or dissociation of personal data) consists of eliminating or minimizing the risk of identifying personal data. In other words, it is a technique by which the possibility of identifying the data subject is removed, while maintaining the truthfulness and accuracy of the results obtained from processing such data.

Anonymization must dissociate the personal data that allow the unique identification of a person. Once this process has been completed, the processing of anonymized data would fall outside the scope of the GDPR.

From that point on, the data controller may use this information in whatever form and manner is necessary, as individuals’ privacy is in no way compromised.

In general terms, there are two types of anonymization:

  • Randomization: consists of modifying the accuracy of a dataset in order to eliminate the existing link between the data and its owner. This often involves the addition of “noise,” understood as altering values so they are less precise while preserving their overall distribution (the data remains accurate to a certain degree), as well as the permutation or “mixing” of values between two or more datasets, taking special care not to alter existing logical relationships.
  • Generalization: consists of generalizing or diluting the specific attributes of natural persons by modifying their respective scales or magnitudes. This technique is effective in eliminating the risk of singling out individuals, but not in preventing linkability or inference. Therefore, it is often combined with other techniques to strengthen its effectiveness, such as aggregation, in order to prevent an individual from being isolated by grouping them with at least one group that shares the same value for a given attribute.
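
The generalization and aggregation steps described above, as an added example that is not part of the original article. The records, field layout and function names are constructed for illustration; the code checks whether anyone can still be singled out and whether inference remains possible after release.

```python
from collections import Counter, defaultdict

# Constructed sample records: (age, postal_code, diagnosis).
# Age and postal code are quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    (34, "28013", "asthma"),
    (36, "28015", "diabetes"),
    (38, "28019", "asthma"),
    (52, "08001", "flu"),
    (57, "08003", "flu"),
    (61, "46002", "asthma"),
]

def generalize(record, age_band=10, postal_digits=2):
    """Dilute the scale of each quasi-identifier: age -> band, postal code -> prefix."""
    age, postal, diagnosis = record
    low = (age // age_band) * age_band
    masked = postal[:postal_digits] + "*" * (len(postal) - postal_digits)
    return (f"{low}-{low + age_band - 1}", masked, diagnosis)

def group_sizes(records):
    """Count records sharing the same quasi-identifier combination."""
    return Counter((r[0], r[1]) for r in records)

def smallest_group(records):
    """A value of 1 means at least one person can still be singled out."""
    return min(group_sizes(records).values())

def suppress_small_groups(records, k):
    """Aggregation step: release only records whose group has at least k members."""
    sizes = group_sizes(records)
    return [r for r in records if sizes[(r[0], r[1])] >= k]

def inference_prone_groups(records):
    """Groups where every member shares one sensitive value: inference still works."""
    values = defaultdict(set)
    for r in records:
        values[(r[0], r[1])].add(r[2])
    return sorted(g for g, v in values.items() if len(v) == 1)

if __name__ == "__main__":
    generalized = [generalize(r) for r in RECORDS]
    released = suppress_small_groups(generalized, k=2)
    print("smallest group, raw:        ", smallest_group(RECORDS))
    print("smallest group, generalized:", smallest_group(generalized))
    print("smallest group, released:   ", smallest_group(released))
    print("inference-prone groups:     ", inference_prone_groups(released))
```

In this sample, generalization alone still leaves one record in a group of its own, and after suppression one released group shares a single diagnosis, which is the inference risk the paragraph above mentions.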

Other techniques that can be used to carry out the anonymization process include:

  • Hash algorithms with a secret key: this technique involves generating a random value for each attribute in a personal data database and subsequently deleting the correspondence table containing the real data.
  • Homomorphic encryption: allows operations to be performed on encrypted data (without the need to decrypt it at any time), such that the results of the operations are the same as if they had been performed on plaintext (unencrypted) data. The results are also encrypted, guaranteeing the privacy of the processing, as they are accessible only to the holder of the decryption key, if necessary. It is worth noting that this technique is not yet fully standardized and should therefore be used responsibly.
  • Timestamping: time-based algorithms are used to guarantee the date and time at which anonymization was performed, or even electronic signatures to identify the person who carried out the anonymization.

Pseudonymization of Personal Data

The pseudonymization process refers to the processing of personal data in such a way that the data can no longer be attributed to a specific individual without the use of additional information, provided that such information is kept separately and subject to technical and organizational measures that ensure the personal data is not attributed to an identified or identifiable natural person.

In other words, it involves processing personal information without the data that directly identifies the data subject, but without permanently removing the existing link between the data and the possibility of identifying its owner.

Although pseudonymized information does not allow the direct identification of the data subject, it should not be forgotten that such data remains personal data (since the identity of the data subject can be determined using additional information) and, as such, remains subject to the applicable data protection regulations.

For this reason, it is essential to protect the systems that allow reverse translation and make it possible to obtain the identity of the person to whom the data belongs.

The fundamental difference between anonymization and pseudonymization is that the former is an irreversible process, since it is never possible to link anonymized data back to the individual who owns it, whereas the latter merely limits traceability between the processed dataset and the natural person, whose identity remains associated with it, and is therefore a reversible procedure.

The most relevant pseudonymization techniques include:

  • Encryption with a secret key: the holder of the key can easily reidentify the data subject. With this technique, it is only necessary to decrypt the dataset, since it contains the personal data, albeit in encrypted form. If advanced encryption systems are applied, the data can only be decrypted if the key is known.
  • Hash function: a function that returns a fixed-size output from an input of any size (which may consist of a single attribute or a set of attributes). This function is not reversible, meaning there is no risk of reversing the output as in the case of encryption; however, if the range of possible input values is known, those values can be passed through the hash function to obtain the real value of a specific record.
  • Function with stored key: a type of hash function that uses a secret key as an additional input value. The data controller can reproduce the execution of the function using the attribute and the secret key.
  • Tokenization: a technique commonly used in the financial sector to replace card identification numbers with values that are of little use to attackers. It is usually based on the application of one-way encryption mechanisms or on assigning, via a function, a sequence number or a randomly generated number that does not mathematically derive from the original data.
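
The difference between the plain hash function and the function with stored key, as an added example that is not part of the original article. It assumes a constructed identifier format (customer numbers C00000 to C99999) and uses HMAC-SHA256 as one instance of a keyed function; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def plain_hash(value: str) -> str:
    """Unkeyed hash: anyone can recompute it for any candidate input."""
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_hash(value: str, key: bytes) -> str:
    """Function with stored key (HMAC-SHA256 here): needs the secret key to reproduce."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def candidate_ids():
    """Constructed input range: customer numbers C00000 .. C99999."""
    for n in range(100_000):
        yield f"C{n:05d}"

def reidentify(pseudonym: str, pseudonymize):
    """Re-identification risk check: run the known input range through
    `pseudonymize` and report which input, if any, yields the pseudonym."""
    for candidate in candidate_ids():
        if hmac.compare_digest(pseudonymize(candidate), pseudonym):
            return candidate
    return None

def assess(customer_id: str, key: bytes) -> dict:
    """Compare both techniques for one identifier from the controller's side."""
    unkeyed = plain_hash(customer_id)
    keyed = keyed_hash(customer_id, key)
    wrong_key = secrets.token_bytes(32)
    return {
        "plain hash, no secret needed": reidentify(unkeyed, plain_hash),
        "keyed hash, no key": reidentify(keyed, plain_hash),
        "keyed hash, wrong key": reidentify(keyed, lambda v: keyed_hash(v, wrong_key)),
        "keyed hash, controller key": reidentify(keyed, lambda v: keyed_hash(v, key)),
    }

if __name__ == "__main__":
    controller_key = secrets.token_bytes(32)  # stored separately from the dataset
    for case, result in assess("C04217", controller_key).items():
        print(f"{case}: {result}")
```

Only the plain hash and the run with the controller's key return the original identifier, so the key store is the system that has to be protected and kept apart from the pseudonymized dataset.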

Risk Mitigation

In general, current techniques do not fully meet the criteria required to achieve 100% effective anonymization or pseudonymization. In one way or another, all of them involve some level of risk related to the identification of an individual through managed data. Therefore, it is essential to study and design each technique carefully, paying particular attention to the nature of the data and its subsequent use or processing.

To verify whether there is a reasonable likelihood that means could be used to identify a natural person, all objective factors must be taken into account, such as the costs and time required for identification, as well as the technology available at the time of processing. Other factors that may facilitate data reidentification include:

  • Technological evolution: as time progresses, new tools may emerge that make data reidentification easier.
  • The emergence of new information or data sources: this information is especially accessible through the internet, social networks, blogs, and other platforms.
  • The inherent characteristics of the information: some data can be more easily linked to a specific person than others.

This set of circumstances increases what is known as the “risk of reidentification,” which refers to the possibility of obtaining the original data from anonymized data.

Since it is not possible to fully guarantee the non-reidentification of individuals, it is important for data controllers or, where applicable, personal data protection officers to have a thorough understanding of the strengths and weaknesses of each technique, as well as the specific circumstances in which one or another should be applied, in order to ensure data privacy at all times.

Furthermore, regardless of the technique chosen, the anonymization and/or pseudonymization process should be incorporated into the organization’s working procedures, documented and auditable over time by interested parties, with data controllers regularly assessing existing risks and implementing security measures to mitigate them.
