Excerpt from CPO Magazine's Article "Data Anonymization and Pseudonymization Under the GDPR" by Felix Bauer | November 16, 2017
d-Wise's Insight on CPO Magazine's Article
Felix Bauer has talked about the differences between data anonymisation and pseudonymization, and for the most part he is correct. Pseudonymization does help protect the utility of the data and goes some way to protect the privacy of individuals, but it does not go far enough. He goes on to say that, with the imminent implementation of the EU's new GDPR regulations, many companies are not prepared. GDPR does not offer specific guidelines on how to ensure anonymisation of data can be carried out properly.
However, within the scope of clinical trial data sharing we do have more guidance from the EMA. Namely, we have Policy 0070, which offers some guidance on the publication of clinical data for medicinal products for human use. It discusses a threshold for the risk of re-identification of a patient. The EMA has also fallen short, though, in that it has not been clear on how risk should be calculated. It has refrained from stating what portion of the population should be considered when calculating the risk. For example, should the population be simply the number of people on that particular clinical trial, or participants of all trials within a therapeutic area, or even the population of a certain geographic area?
Most companies are being conservative and considering their population to be that of the actual study that they are anonymising. The vagueness of the GDPR requirements and of Policy 0070 has led many companies to anonymise aggressively, with data utility being seen almost as an afterthought. Felix has not discussed how they calculate the risk of re-identification and how they measure the damage to data utility after data anonymisation has taken place. These are two critical points that need to be discussed as data transparency and privacy laws evolve.