Don’t Miss the Latest

When you subscribe to the d-wise blog, you’ll get the latest
industry trends, news and tips right in your inbox!

No, thanks. I don‘t need to stay current.

Life Science News - "Data Anonymization and Pseudonymization Under the GDPR"

Excerpt from CPO Magazine's Article "Data Anonymization and Pseudonymization Under the GDPR" by Felix Bauer | November 16, 2017


"Companies that handle data are currently faced with constraints placed on them by data protection laws. The EU General Data Protection Regulation (GDPR) will come into effect on May of 2018 and will introduce firmer regulations, and imposing heavier penalties for failing to comply with these laws. Data protection regulations are necessary to protect the data security and privacy of individuals. To satisfy these regulations and keep user data safe, companies may need to engage in data anonymization. This is the best way to simplify the process of complying with privacy regulations. Unlike pseudonymization, data anonymization allows companies to work with their data, stay compliant with regulations, and protect the privacy of individuals. Companies can use tools, such as Aircloak’s solution, to accomplish this.

What is data anonymization and pseudonymization?

Data protection laws exist to protect the personal identity of people whom the data describes. If the data subject is not identifiable in any way, data protection law does not apply. That is, when it becomes impossible to connect individuals to the data, people controlling and processing the sensitive data are not restricted in data use or sharing. On the other hand, an identifiable data subject can result in legal consequences including damage claims, loss of reputation, and fines or penalties.

The purpose of data anonymization is privacy protection. It involves the modification of data sets so that no personally identifiable information remains. As a result, data can be used and transferred without individuals’ identities being disclosed unintentionally. This is necessary before analytics can be performed on the anonymized data."

Read Article Now

d-Wise's Insight on CPO Magazine's Article

Felix Bauer has talked about the differences between data anonymisation and pseudonymization, and for the most part he is correct. Pseudonymization does help protect utility of the data and goes some way to protect the privacy of individuals, but it does not go far enough. He goes on to say with the imminent implementation of the EU’s new GDPR regulations, many companies are not prepared. GDPR does not offer specific guidelines on how to ensure anonymisation of data can be carried out properly.

However, within the scope of clinical trial data sharing we do have more guidance from the EMA. Namely we have policy 0070 which offers some guidance on the publication of clinical data for medicinal products for human use. This discusses a threshold for a risk of re-identification of a patient. Although, the EMA has also fallen short in that they have not been clear on how risk should be calculated. They have refrained from stating what portion of the population is that should be considered when calculating the risk. For example, should the population be simply the number of people on that particular clinical trial, or participants of all trials within a therapeutic area, or even the population of a certain geographic area.

Most companies are being conservative and considering their population to be that of the actual study that they are anonymising. The vagueness being conveyed in the GDPR requirements as well as that of Policy 0070 has led many companies to anonymise aggressively with data utility being seen almost as an afterthought. Felix has not discussed how they calculate the risk of re identification and how they measure the damage to data utility after data anonymisation has taken place. These are two critical points that need to be discussed as data transparency and privacy laws evolve.


About the Author

Leave a Comment