First published November 2016
When the new EU General Data Protection Regulation (GDPR) finally takes legal effect on May 25th, 2018, it will bring change to the whole data capture, storage and processing arena.
New comprehensive legislation will govern the way businesses must handle and protect personal data, with a specific focus on the privacy and rights of individuals. As such, one of the key areas of focus for the GDPR is data masking, and the new umbrella term – pseudonymisation.
The good news is that if you already have data masking procedures in place, the GDPR could be beneficial. But, if you haven’t thought about masking data before, you’ll need to focus on it now.
Data masking is typically defined as the process by which sensitive, classified or personal data is removed or hidden, and replaced by equivalent random characters, dummy information or fake data.
This ensures that a data set remains intact, but without the sensitive, identifying information that shouldn’t be used or seen by other parties. As such, this process can be used by software developers for building and testing purposes in non-production environments, or by operational analysts who are exploring and experimenting with different data types.
Data masking is also implemented in organisations where different members of staff have different levels of security clearance, so, for example, customer service agents may not be able to see the physical payment details of clients when discussing an account. By hiding sensitive data, a company is less susceptible to data breaches.
In other words, data masking has the potential to protect an individual’s data and privacy, which is the overarching purpose of the GDPR.
Under the new EU General Data Protection Regulation (GDPR), a new term is introduced to encapsulate procedures like data masking, encryption and hashing that all aim to secure and protect personal information. This umbrella term is referred to as pseudonymisation.
Article 4 defines pseudonymisation as:
“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”
In practice, this means encrypting or masking data so that on its own, without an encryption key or mapping table, the data could not be used to identify an individual. It would remove any direct identifiers, and should ideally prevent indirect identifiers from being combined and used.
This separate identifying data – like an encryption key – should be kept in a separate location and subject to tight security controls.
Pseudonymised data has its direct identifiers removed, but that identifying information still exists, albeit in a separate, secure form. If it were to fall into the wrong hands, it could be used to revert the data to an identifiable form, which could then be acted upon inappropriately.
Therefore, pseudonymised data is still classified as personal data, and cannot be considered anonymous. It’s important to make this distinction, because anonymous data is not subject to the GDPR controls and restrictions, whereas pseudonymised data is.
If the data can be re-identified with reasonable effort, it cannot be regarded as anonymous, despite data masking being used. However, if you were to mask data and then delete the original data set and its identifying information, it would be almost impossible to identify an individual and would thus be classed as anonymous.
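The mechanics described above (tokens that only a holder of the key can produce, a mapping table kept separately as the "additional information", and deletion of that mapping leaving the data set effectively anonymous), as an added Python example that is not part of the original article; the customer records and the key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data set (not from the article): direct identifiers plus
# the non-identifying fields a test environment or analyst actually needs.
CUSTOMERS = [
    {"customer_id": "C1001", "email": "alice@example.com", "region": "SW", "balance": 120.50},
    {"customer_id": "C1002", "email": "bob@example.com", "region": "NE", "balance": 75.00},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


def token_for(key: bytes, field: str, value: str) -> str:
    # Keyed HMAC: the same key always yields the same token (records stay
    # joinable), while nobody without the key can compute or check a token.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Return (masked_records, mapping).

    mapping is the Article 4 'additional information': it links each token to
    the original value and must live apart from the masked data set, under
    its own access controls (as must the key).
    """
    masked, mapping = [], {}
    for record in records:
        out = dict(record)
        for field in fields:
            token = token_for(key, field, str(record[field]))
            mapping[token] = record[field]
            out[field] = token
        masked.append(out)
    return masked, mapping


def reidentify(masked, mapping, fields=DIRECT_IDENTIFIERS):
    """Reverse the masking via the mapping. Returns None if any token is
    unknown, i.e. once the mapping is deleted the set cannot be re-identified."""
    restored = []
    for record in masked:
        out = dict(record)
        for field in fields:
            if out[field] not in mapping:
                return None
            out[field] = mapping[out[field]]
        restored.append(out)
    return restored
```

The masked records keep `region` and `balance` intact, so they remain usable for testing or analysis, while re-identification succeeds only with the separately held mapping.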
Although pseudonymised data is still subject to data protection regulation, it is afforded a new distinct status under the GDPR, which could be beneficial to many businesses.
The current EU Directive on data protection does not recognise any distinction between regular personal data and pseudonymised data. Any kind of data masking is treated the same as raw personal data, and subject to the same, full weight of the law. As such, there is no incentive or regulatory benefit to putting in the extra effort and cost to protect data by masking, hashing or encryption.
The GDPR changes that. It specifically promotes the value and importance of pseudonymisation throughout its articles, encouraging companies to adopt such security measures as soon as possible.
The legislation specifically states:
“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”
Under Article 32 ‘Security of processing’, the GDPR describes how businesses should ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. The first example of these security measures it includes is pseudonymisation.
It’s clear that this is a central focus of the new law, so how could pseudonymisation be beneficial to a company?
There are strict new protocols on reporting data breaches under Articles 33 and 34 of the GDPR. If such a breach occurs, companies are responsible for reporting it to both the supervisory authority (within 72 hours) and to all of the individuals who could be affected (without undue delay).
This could be a big burden for businesses, on top of the damage done by a breach in the first place. Along with the financial costs to re-secure data, the requirement to notify individuals could bring about additional reputational damage and associated legal costs.
However, notification to individuals is only required if the breach is “likely to result in a high risk to the rights and freedoms of natural persons.” Article 34 goes on to state that it is not necessary if appropriate protection measures were in place on the personal data, such as encryption.
So by implementing data masking and pseudonymisation, businesses can mitigate the need to notify customers should any breach of data occur, and thus protect their reputation.
As the GDPR places more emphasis on the rights of the individual, much of the law is focused on the ability of a person to request information about what data a company holds on them. This is known as the ‘right of access’, and has the potential to be another large burden for businesses.
However, early interpretations of the GDPR suggest that data disclosure rules are greatly relaxed for pseudonymised data because it is too difficult for a business to identify a single individual.
A business is exempt from data disclosure obligations, including rights to access, rectification, erasure and data portability, if “the controller is able to demonstrate that it is not in a position to identify the data subject”. So, data masking can save a business from a lot of effort and expense.
Another core feature of the GDPR is the requirement that data is collected only for specific purposes that are clearly explained. The law states that data must not be used in any other way than that which it was originally collected for.
However, if the data has been pseudonymised, there is more leeway for it to be processed in other, additional ways. Article 6 states that several factors should be met for further processing, including “the existence of appropriate safeguards, which may include encryption or pseudonymisation”.
If a business wanted to process personal data for scientific, historical and statistical purposes, the GDPR also requires appropriate safeguards be in place – i.e. pseudonymisation.
One final benefit to businesses who implement data masking or other such pseudonymisation is that data profiling should still be possible, without running afoul of the law.
The GDPR makes broad statements about the use of profiling, and goes on to explain that businesses should not make ‘decisions’ about an individual that have a ‘legal effect’ – based on such automated processes – unless a number of legal criteria are met, including the explicit consent of the individual.
This has the potential to have ramifications for analytics and digital advertising. Although the law is somewhat ambiguous, pseudonymised data is likely to reduce any kind of ‘legal effect’ on an individual, and so profiling for analytical purposes should still be permitted.
The General Data Protection Regulation as a whole takes a ‘carrot and stick’ approach. On the one hand, those businesses who put such ‘appropriate safeguards’ in place will be looked upon favourably. They will have certain requirements relaxed, have more flexibility with their processing, and could be protected from heavy fines if they have the necessary technical and organisational structures in operation. That’s the carrot.
On the other hand, the GDPR provides both regulatory bodies and individuals with additional powers to make data requests and legal claims against those companies which process their data. They have much more clout under the law to act against non-compliant businesses, thus further incentivising companies to protect personal data with procedures such as masking – in both production and non-production environments.
But the real stick is the heavy fines that can be imposed upon companies who break the law, are subject to data breaches, and do not have any kind of pseudonymisation in place. Those who do not have adequate protection and security could be subject to fines as high as 4% of global turnover. Compliance is, therefore, an absolute must and something which all departments need to understand.
If you don’t have any data masking or pseudonymisation procedures in place right now, it is highly likely that you will need to invest in them for when the GDPR takes full effect in 2018.