- 01 Aug 2023
- 2 min read
Jargon explained: What do encryption, anonymisation and pseudonymisation mean in data protection law?
Encryption – This is a method of encoding personal data so that access to it is limited to those that have the ‘encryption key’ which decodes the data. Encryption is therefore a method of providing some protection to personal data. For example, you may encrypt personal data on a USB stick which you need to send to someone in the post so that if it gets intercepted in the post the data is useless as only the intended recipient will be provided with the necessary encryption key. It is also likely that your computer system encrypts data it stores so if an employee loses their laptop on the train there is some protection for the data held on it, but you should check this.
To add to the technical language you may hear mention of two types of encryption: symmetric encryption (where there is one key to encode and decode the data) and asymmetric encryption (where there are separate keys to encode and decode). Either way it is essential to the protection of the personal data that the encryption key(s) are kept secure and are only made available to the right people and in the right circumstances otherwise the protection afforded by encryption is compromised.
Anonymisation – There is no definition of anonymised or anonymisation in data protection law but it is an important concept as personal data ceases to be personal data (and therefore ceases to be subject to data protection law) if it has been anonymised.
The ICO explain that: “You can consider data to be effectively anonymised when it:
- does not relate to an identified or identifiable individual; or
- is rendered anonymous in such a way that individuals are not (or are no longer) identifiable.”
Pseudonymisation – Unlike anonymisation this term has been clearly defined in data protection law. Under Article 4(5) of the UK General Data Protection Regulation (UK GDPR) pseudonymisation means:
“…processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
For example, your organisation is selling one of its business divisions and you need to provide the purchaser with a list of the 20 company cars used by its employees. Your organisation has a list of the company cars with the following information: driver name, registration, make, model, year of registration, mileage and fuel type. However, when you provide this information to the purchaser you delete the driver name and registration and instead give each car a number from 1-20. As a result you are able to keep your list the same but the list the purchaser sees is pseudonymised.
Unlike anonymised data, pseudonymised data is still personal data for so long as the original set of data is retained and therefore, like encryption, it acts as a useful security measure for the personal data.
Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.
If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].