Anonymous data: what is it?
In accordance with the provisions of Recital 26 of the GDPR, data protection regulations, and the GDPR in particular, do not apply to anonymous or anonymised data. But, what is this and when can a set of information be considered as such? We will try to solve this in this post:
What is anonymised or anonymous data?
Anonymous or anonymised data or information is something that makes it impossible to identify a natural person through different techniques that “separate” the information that identifies someone from the data that prevents their identification. The EU analysed the different anonymisation techniques in this format:
- Marta / Town / Postcode / Age / Disease: this is information on an identifiable person.
- City / Postcode / Age / Disease: this is anonymous information.
This impossibility of relating the anonymised information back to its original owner must be analysed from the perspective that there is no “reasonable probability” that this identification will occur.
For this, criteria such as the time that a re-identification process would take, the costs associated with it or the technological means required to achieve this must be assessed.
As said, the GDPR is not applicable to anonymous information. If we want to justify the non-necessity to comply with the GDPR based on the fact that we process anonymous information, we must be able to justify that this characteristic is actually fulfilled, making it impossible to identify or re-identify the person to whom the information was originally related.
What is the difference between anonymous and pseudonymous information?
Pseudonymised information does not allow for the identification of people unless additional information is used, provided that such information appears separately or independently.
Therefore, having someone’s personal information associated with a code and then separately having the information on who that code belongs to is not anonymous but pseudonymous information. The difference is essential because the GDPR does apply to pseudonymous data, so all the requirements it sets out must be taken into account.
The AEPD specifies these measures in 4 points:
- The process must prevent the identification of the person, without having additional information.
- The application of the basic principles of the GDPR: purpose, storage period and the communication of pseudonymous data.
- Apply appropriate measures based on the risk involved in the processing of this data.
- Apply technical and organisational measures to avoid security breaches, both of the pseudonymous data and of the additional information.
In short, the processing of correctly anonymised data is a very good formula to avoid compliance with the GDPR, with the advantages that this entails.
That being said, you should ask yourself the following questions for your project or company:
- Is it possible to achieve the purpose pursued with the collection of data, by anonymising them? If the answer is yes, feel free to do so. A basic principle of the regulations is to process the least amount of data the better to achieve an end and if it can be anonymous without identifying anyone, even better.
- If I can process data anonymously, can I ensure that it is impossible to re-identify natural people? Review the anonymisation techniques and choose the most appropriate one, taking into account the circumstances to avoid the impossibility of identifying the original owner of the information processed.
If you want to know more about the subject or you have any questions, do not hesitate to contact us!
Information on data protection
LEGAL IT GLOBAL 2017, SLP
Providing the service.
Sending the newsletter.
Compliance with the service provision.
Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.