Eighteen months on from the UK Information Commissioner, John Edwards, calling for all organisations sharing large volumes of data to consider using “privacy enhancing technologies” (PETs) (explained in this blog), regulatory focus on this area is increasing across the UK and EU. A new tool from the Information Commissioner’s Office (ICO) and the Department for Science Innovation and Trade (DSIT) emphasises the benefits of PETs for data protection compliance, while the European Data Protection Board (EDPB) has issued new guidance on pseudonymisation for consultation.
In this blog we outline important takeaways from these two pieces of guidance.
EDPB Guidelines 01/2025 on Pseudonymisation
The EDPB guidance confirms that pseudonymisation requires more than just substituting names for other identifiers (such as pupil names for candidate numbers). It involves:
- the modification of personal data so it cannot be attributed to a data subject without additional information;
- the additional information being kept separately; and
- technical and organisational measures being put in place to ensure the data is not attributed to individuals.
The guidance introduces a new concept of the ‘pseudonymisation domain’, to capture the particular facts of the data sharing scenario. Controllers’ analysis and actions to ensure pseudonymisation is effective must be carried out with reference to the particular domain and should take into account wider reidentification risks from information available in the public domain.
Critically, the EDPB is clear that where pseudonymised data is shared with a third party it is still personal data if someone else, including the original controller, has the ability to reidentify it, so the GDPR’s rules still apply. This has historically been an area of distinction between the UK and EU, with the ICO more likely to conclude that information can be personal data in one person’s hands but anonymous in the hands of another. Further guidance is expected this year from both the ICO and EDPB on anonymisation, but at this stage the EDPB’s position doesn’t look to be changing.
The EDPB confirms that pseudonymisation is not mandatory but is one measure controllers can employ to meet their GDPR obligations. The guidance therefore details why organisations should choose to use pseudonymisation to aid compliance with the obligations around data minimisation; legal basis (e.g. by reducing the risks to data subjects as weighed in legitimate interests assessments); security (including by reducing the impact on data subjects of a breach); and accuracy. The consultation closes on 28 February 2025.
Privacy Enhancing Technologies Cost-Benefit Awareness Tool
Like pseudonymisation, PETs have been highlighted by data protection regulators as a way organisations can bolster their data protection compliance. In particular, use of these technologies has been promoted as a way to enable organisations to maximise use of their data for innovation and growth, while protecting individuals’ personal data. Despite the potential advantages, the ICO and UK Government have identified slow adoption due to a lack of maturity of these tools and a lack of expertise to implement and utilise them effectively. To address this, the ICO and DSIT have collaborated to develop a tool to support organisations evaluate the costs and benefits of adopting PETs (PETs Tool).
Rather than looking at ‘traditional’ forms of PETs, such as encryption or tokenisation, the PETs Tool focuses on more novel, emerging PETs, such as homomorphic encryption, which allows computation on encrypted data by a third party, producing a result which can then be decrypted by the controller and federated analytics, which performs analysis across decentralised data sources and aggregates the results without sharing the raw data.
The PETs Tool is structured around a high-level use case, centring on federated analytics, and considers in particular the costs and benefits of this PET, including technical, data protection and legal considerations, in comparison with a baseline scenario involving a central database. It outlines how PETs can improve input privacy (the protection of the raw data during the processing, for example by preventing unauthorised access to original data); and output privacy (e.g. by protecting against privacy breaches once the data has been used to train models, such as ensuring that training data cannot be extracted).
Helpfully, the PETs Tool was accompanied by the publication of a repository of real-world use cases across a range of industries, including digital, finance, insurance, transport, health and social care, showing how PETs are being used successfully (e.g. on the use of PETs in tackling financial crime).
Outlook
While the adoption of neither pseudonymisation nor PETs is mandatory for data protection compliance, it is clear from these pieces of guidance that organisations looking to take full advantage of large data sets should be getting to grips with the evolving technical solutions for protecting personal data. The potential upsides are significant and regulators’ expectations in this area are only set to increase.
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-01-28-17-24-30-500-679912ce3b2f9e2cd2fc2829.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-01-24-11-41-05-755-67937c51312d8a93f10ce419.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-01-16-15-01-28-613-67891f48d45066607fa2145f.jpg)
/Passle/5badda5844de890788b571ce/MediaLibrary/Images/5cc2b50a989b6e0d381e1c2e/2019-08-05-15-19-03-009-5d4848e78cb62302888e96e4.jpg)