Guidance on anonymisation from AEPD

AEPD has recently published guidelines on anonymisation.


The AEPD has recently published guidance on anonymisation of data according to the principles of the GDPR. The process of anonymisation generates a new set of anonymous information from a set of personal data. This process must comply with the principles of the GDPR, including accountability. A controller must therefore take appropriate measures to anonymise data, taking into account all the necessary guarantees and the risk to data subjects that the anonymisation process may be reversed. If the risk to rights and freedoms cannot be sufficiently reduced, it will be necessary to consider whether anonymisation is the right way to proceed. For example, when anonymisation processing cannot generate a set of data with the necessary quality requirements, such processing will not comply with the requirement of necessity, and the risk of re-identification will not meet the proportionality criteria of the GDPR. In these cases, alternatives to anonymisation will have to be considered.


The anonymisation process must satisfy a level of quality which provides reasonable proof of impossibility of re-identification.


According to the AEPD, “an anonymization process must generate a set of data that is evaluated as anonymous, through a process of proven quality in which it achieves reasonable evidence of impossibility of re-identification.” This process requires the right professionals, with knowledge of the best anonymisation techniques and experience dealing with re-identification attacks. The process must be assessed through analysis and practical tests for possible re-identification of the data set. It is imperative that worst-case conditions be considered, such as re-identification attempts. It should be considered that the controller has adequate resources, and the controller should expect and consider the possible evolution of known techniques. If, under these conditions, the data or even just a part of the dataset could still be re-identified, there would be no question about risk of re-identification, and that dataset would simply not be considered anonymous.


Appropriate measures should be implemented, assuming that a residual probability of re-identification will always exist.


Despite all efforts, because of human error no process is perfect, and therefore a residual probability of re-identification of the data always exists and must be assumed by the controller. In any case, the controller must take appropriate measures to ensure compliance, taking into account the nature, context, scope, purposes and risks to the rights and freedoms of individuals. These measures also need to be periodically reviewed and updated. In the event of any significant impact on individuals’ rights and freedoms, assuming the residual probability of re-identification, certain measures will have to be taken to mitigate the risk to data subjects.

An initial class of measures should be implemented to reduce the impact of re-identification itself. Thereafter, a second class of measures should also be put in place to further reduce the residual probability of re-identification, which must be assumed to exist by default.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
