The pseudonymization and encryption of personal data is required by the GDPR, but before we dive into this, ask yourself: how confident am I in my understanding of these terms? Even seasoned IT professionals struggle with these – especially when spelling and pronouncing them.
Of course, there are no penalties for misspelling pseudonymization, but if you don’t understand how it relates to processing personal data, you could be in trouble. Remember, the GDPR includes the potential for penalties of 20 million Euros or 4% of annual global turnover.
Pseudonymization is a process of replacing the identifying fields within a data-set with pseudonyms, or artificial identifiers. Information like email address, gender, nationality, location, and countless other characteristics is replaced with an alias or code that preserves the relevance of the data while ensuring the privacy of individual data subjects. For an in-depth review of the topic, the International Association of Privacy Professionals (IAPP) has a great article here.
Pseudonymization is mentioned in the GDPR 15 times and it holds a central place in the data protection by design concept. While it can be a powerful tool for protecting the privacy and security of personal data, pseudonymization has its limits, which is why the GDPR also mentions encryption.
Encryption and pseudonymization share many characteristics. Both techniques obscure data by replacing it with something else. I’m oversimplifying here, but encryption is designed to ensure only approved users have access to a data-set while pseudonymization allows a broader audience to access part of the data-set, obscuring only “key” fields.
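The following added example (not from the original article) shows pseudonymization applied to remote control session records: only the identifying fields are replaced with stable aliases, so the rest of the record stays usable for analysis. It assumes a keyed HMAC-SHA256 as the alias function and a key held separately from the data; the field names, key, and log records are constructed for illustration.

```python
import hashlib
import hmac

# Fields treated as identifying in this example (assumed record layout).
IDENTIFYING_FIELDS = ("username", "email", "ip")

def pseudonym(value: str, key: bytes, field: str) -> str:
    """Return a stable alias for value. The field name is mixed in so the
    same string in two different fields does not produce the same alias."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return f"{field}_{mac.hexdigest()[:16]}"

def pseudonymize(record: dict, key: bytes) -> dict:
    """Copy a record, replacing only the identifying fields with aliases."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = pseudonym(str(out[field]), key, field)
    return out

def sessions_per_user(records: list) -> dict:
    """Count session starts per (real or pseudonymous) username."""
    counts = {}
    for rec in records:
        if rec["action"] == "session_start":
            counts[rec["username"]] = counts.get(rec["username"], 0) + 1
    return counts

# Constructed sample key and log records (documentation addresses only).
SAMPLE_KEY = b"example-key-stored-apart-from-the-data"
SAMPLE_LOG = [
    {"username": "jdoe", "email": "jdoe@example.com",
     "ip": "192.0.2.10", "action": "session_start"},
    {"username": "asmith", "email": "asmith@example.com",
     "ip": "192.0.2.25", "action": "session_start"},
    {"username": "jdoe", "email": "jdoe@example.com",
     "ip": "192.0.2.10", "action": "session_start"},
]

if __name__ == "__main__":
    shared = [pseudonymize(rec, SAMPLE_KEY) for rec in SAMPLE_LOG]
    for rec in shared:
        print(rec)
    # The analyst still sees that one user opened two sessions,
    # without seeing who that user is.
    print(sessions_per_user(shared))
```

Anyone holding the key can recompute an alias from a known identifier, which is why the key has to be stored and access-controlled apart from the pseudonymized records.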
Pseudonymization and encryption are techniques that can be used simultaneously or separately. The GDPR mentions both, but the guidance provided on when to choose which is minimal. The text of Article 32 reads:
The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymization and encryption of personal data;
Consider the case of remote control software. Help-desk technicians use remote control to assist individuals and to manage devices. In these instances, personal information like IP address, username, and email address is necessary to facilitate connections. For remote control software to work, you need to know the personal data, not an alias or code. Appropriate security in the context of remote control is not pseudonymization; it’s encryption.
Though it’s easier to spell, developing a full understanding of encryption is significantly more difficult. Cryptographic processing, message verification, key management – these are just a few of the sub-topics a deep discussion of encryption will include. Let’s not go there right now.
Don’t get me wrong, encryption is a fascinating subject matter. I’m a huge fan of Neal Stephenson’s Cryptonomicon, but even my eyes glaze over when thinking about asymmetric key encryption or pseudorandom number generators. The takeaway for organizations interested in compliance with the GDPR is to embrace encryption. Organizations should look for tools that incorporate encryption as part of their standard operating protocols.
Consider again the example of remote control software. Personal data is likely processed:
- When the screen of the remote device is presented in the graphical user interface
- Within the remote control program’s configuration files & settings
- During the transmission of data between endpoints
- Whenever log files or audit records are generated
For your use of remote control software to be compliant, the software must encrypt the communication between endpoints (transmission of the screen, files, any data in motion) as well as the data at rest used by those endpoints (configuration files and logs).
Features integrated with basic remote control also need encryption. Files transferred between computers may contain personal data. Text, audio or video chat between a help desk technician and the remote user will contain personal data. If you are using a comprehensive remote control tool, you need to make sure it includes comprehensive encryption that covers all the relevant elements of the software.
Remember, the GDPR defines personal data very broadly. IP addresses, email addresses, and usernames all qualify as personal data. When those items are presented on a screen, transmitted over a network or logged into a file they are “processed” and should be encrypted.
For a comprehensive guide to aligning your remote access solution with the General Data Protection Regulation, check out our free eBook "The Essential Guide to GDPR Compliant Remote Access."
It would be nice if pseudonymization and encryption were the only issues you had to deal with in your GDPR compliance odyssey, but it’s just the beginning. Subscribe in the sidebar to receive notifications when I post articles about how Consent, Data Minimization, and the Right-to-be-forgotten impact your choice of remote control solutions.