ENISA’s new report explores pseudonymisation techniques and use cases for healthcare and information sharing in cybersecurity.

The European Union Agency for Cybersecurity (ENISA) released its report on pseudonymisation for personal data protection – Data Pseudonymisation: Advanced Techniques and Use Cases – providing a technical analysis of cybersecurity measures in personal data protection and privacy. This new work builds on the Agency’s past work on pseudonymisation techniques and best practices by exploring further, advanced pseudonymisation techniques and specific use cases in such areas as healthcare and information sharing in cybersecurity.

While not a new process, pseudonymisation came into the spotlight in 2018 with the enforcement of the General Data Protection Regulation (GDPR), which references pseudonymisation as a security and data protection by design mechanism. Although the deployment and proper application of data pseudonymisation techniques have become highly debated, the overall context of the processing is considered as an important aspect for implementation. Therefore, pseudonymisation should be combined with a thorough security and data protection risk assessment.

EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “Cybersecurity techniques are an integral part to meet data protection obligations, and allow users to enjoy fully their fundamental rights to personal data protection and privacy.”

As there is no one-size-fits-all pseudonymisation technique, a high level of competence is needed to reduce threats and maintain efficiency in processing pseudonymised data across different scenarios. The ENISA report aims to support data controllers and processors in implementing pseudonymisation by providing possible techniques and use cases that could fit different scenarios.

The report underlines the need to take steps that include the following:

• Each case of personal data processing needs to be analysed to determine the most suitable technical option in relation to pseudonymisation;
• An in-depth look into the context of personal data processing before data pseudonymisation is applied;
• Continuous analysis of state-of-the-art in the field of data pseudonymisation, as new research and business models break new ground;
• Developing advanced pseudonymisation scenarios for more complex cases, for example when the risks of personal data processing are deemed to be high;
• Further discussion on the broader adoption of data pseudonymisation at EU and Member States levels alike.

Want to know more about the project? Keep following INCISIVE on Linkedin and Twitter to keep updated with its next developments.