Following on from last week’s piece on the General Data Protection Regulation being brought in next year, this week looks at a security measure the legislation recommends: pseudonymisation.
The heart of this law is the protection of personal data, and the punitive measures that will be taken against any compromise of that data. Pseudonymisation, or data masking/obfuscation, is one of the suggestions the GDPR makes as a way of mitigating the risks of a breach. Even without encryption, data pseudonymisation can limit the damage done by a breach: personal identifiers are separated from the personal data you hold, making it difficult for an identity to be derived without additional information. The regulation encourages the procedure as part of its push for “data protection by design”. This article breaks the concept down quite neatly, weighing the benefits of pseudonymisation against the challenges of implementing it in the first place.
While encryption and anonymisation are almost certainly the best way to secure your data and keep it safeguarded against breaches, these techniques can present issues of their own in implementation, especially when they are added later rather than built into an organisation from the start. Data masking is certainly worth considering, especially as some of the breach reporting articles don’t apply if the data is anonymised and the persons whose data is stored cannot be identified.
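To make the separation of identifiers from data concrete, here is an added Python example (not taken from the regulation or the linked article) that replaces identifiers with a keyed HMAC-SHA256 token and keeps the "additional information" in a separate lookup table. The field names, the `subject_id` column and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: these columns are the direct identifiers in our constructed records.
IDENTIFIER_FIELDS = ("name", "email")

# Constructed sample data; not from the article.
SAMPLE = [
    {"name": "Alice Ng", "email": "alice@example.com", "postcode": "AB1", "plan": "gold"},
    {"name": "Bob Roy", "email": "bob@example.com", "postcode": "CD2", "plan": "free"},
    {"name": "alice ng", "email": "Alice@Example.com ", "postcode": "AB1", "plan": "gold"},
]


def pseudonym(key: bytes, record: dict) -> str:
    """Derive a stable token from the identifiers using a secret key (HMAC-SHA256)."""
    # Normalise so the same person maps to the same token across records.
    material = "\x1f".join(record[f].strip().lower() for f in IDENTIFIER_FIELDS)
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes):
    """Split records into a working set (no identifiers) and a lookup table.

    The lookup table and key are the "additional information" and must be
    stored and access-controlled separately from the working set.
    """
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec)
        lookup[token] = {f: rec[f] for f in IDENTIFIER_FIELDS}
        row = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        row["subject_id"] = token
        working.append(row)
    return working, lookup


def reidentify(row: dict, lookup: dict):
    """Return the identifiers for a row, or None if the lookup table lacks it."""
    return lookup.get(row["subject_id"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice, held in a separate key store
    working, lookup = pseudonymise(SAMPLE, key)
    for row in working:
        print(row, "->", reidentify(row, lookup))
```

Using a keyed HMAC rather than a plain hash means someone holding only the working set cannot confirm a guessed name and email by hashing it themselves. Fields left in the working set, such as the postcode here, can still narrow down an individual when combined, so they need review as well.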