Skip to content

EU – ENISA releases report on data pseudonymisation for controllers and processors

On 28 January 2021, the European Union Agency for Cybersecurity (ENISA) released a report on data pseudonymisation techniques (the Report).

The Report, which aims to support controllers and processors implementing data pseudonymisation as an important security and data privacy measure, provides detailed guidance on basic and advanced pseudonymisation techniques, such as asymmetric encryption, secure multiparty computation and pseudonymisation based on multiple identifiers or attributes and others. It also includes examples of how pseudonymisation can be used in the healthcare sector and for cybersecurity information sharing.

The Report recommends further discussion on the adoption of pseudonymisation techniques at an EU and Member State level. ENISA also flags the significance of pseudonymisation (in particular the advanced pseudonymisation techniques) as a potential supplementary measure for cross-border data transfers following the CJEU decision in Schrems II.

The Report recommends the following steps when considering and implementing a pseudonymisation technique:

  • each processing activity should be analysed to determine the most suitable technical option in relation to pseudonymisation, combined with security and data protection risk assessment;
  • the overall context and characteristic of the processing activity should be considered before applying pseudonymisation;
  • monitoring of developments in pseudonymisation to establish and maintain the state of art in pseudonymisation, especially addressing challenges appearing from emerging technologies, such as AI; and
  • developing advanced pseudonymisation scenarios for more complex cases, for example when the risks of personal data processing are deemed to be high.

The ENISA press release is available here and the Report is available here.