I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.
I am a partner working on data and online safety compliance from our London office. I work with a wide variety of organisations, particularly in the media, sports and life sciences sectors. I also advise extensively on children's and employee privacy matters.
On 16 January 2025, the European Data Protection Board (EDPB) adopted its Guidelines 01/2025 on Pseudonymisation.
Pseudonymisation requires that data that would allow information to be attributed to identified or identifiable individuals is held separately and securely; this can allow organisations to make use of pseudonymised data in a way that poses fewer risks to individuals. The guidelines set out the legal and technical requirements for pseudonymisation to be effective.
Partners Ruth Boardman and Emma Drake outline some of the most important takeaways in a new article below, which has featured in the International Association of Privacy Professionals' (IAPP) news section.
Access the full article here. In addition to the IAPP article, you may find the EDPB’s summary of requirements on technical measures below useful for ease of reference.
Copy of summary of procedures for pseudonymisation
130. Controllers who intend to implement pseudonymisation should determine the objectives they intend to achieve with this measure in order to define the domain of the pseudonymisation and decide which sets of data are to be processed consistently, ... Then the controllers perform the following steps:
131. At the time of the determination of the means for processing, they should analyse the data, and establish:
which attributes contained in the personal data that is to be pseudonymised can be used alone or in combination to identify the data subjects directly (identifiers);
which attributes should be used to determine (using cryptographic algorithms) or (using a lookup table) linked with the pseudonyms, applying the criteria set out in section 3.3.1;
which method is to be used to replace those attributes with pseudonyms, and, in particular,
which parameters (like size of group or key length for the cryptographic algorithms employed) are to be applied in the course of the pseudonymising transformation;
which information is to be retained as additional information that can be used to attribute the pseudonymised data to a specific data subject;
whether and which attributes contained in the personal data can be used alone or in combination to attribute some of the data to data subjects, directly or indirectly, within the pseudonymisation domain, considering information that can be accessed with reasonable effort from within it;
which method is to be used to modify or remove those attributes in order to guarantee that the personal data are not attributed to an identified or identifiable natural person without use of the additional information while retaining the ability to perform general analysis on the resulting pseudonymised data. Available methods are, among others, omission, generalisation, and randomisation;
which party or parties—controllers, processors, or specialised third parties entrusted with safeguarding the transformation—are to execute the pseudonymisation transformation (individually or jointly), and
who will store which pseudonymisation secrets or other additional information, and which technical and organisational measures will be applied to ensure that they cannot be used from within the pseudonymisation domain, that their integrity and confidentiality is maintained, and that they are only used to attribute pseudonymised data to data subjects when authorised.
Importantly, after the pseudonymising transformation is defined, the controller also needs to assess the risk of attribution in the pseudonymisation domain, and ascertain that it is insignificant.
132. When applying the pseudonymisation transformation, the controllers:
(optionally) establish which data records pertain to the same data subjects, and assign unique identifiers of the respective data subjects to those data records,
replace the chosen attributes that identify the data subjects and the unique identifier added before (if any was inserted) with pseudonyms by applying the method established previously, remove all other identifiers and store separately from the pseudonymised data any pseudonymisation secrets generated in or derived from this process,
modify or remove the quasi-identifiers by applying the method defined for this end.
133. All involved controllers apply the planned technical and organisational measures to additional information that they keep to attribute pseudonymised data to data subjects when a legitimate need for this arises, or that they otherwise retain and that might enable such an attribution. In particular, they restrict access to and use of the pseudonymisation secrets.
134. All recipients apply appropriate technical and organisational measures to safeguard that pseudonymised data does not leave the pseudonymisation domain, and also ensure that no information known to allow attribution enters it.
135. Finally, the controllers restrict the handling of the pseudonymised data to the extent this is necessary to mitigate any remaining risk of reversal of pseudonymisation.
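The transformation in paragraphs 131 and 132, sketched as an added example that is not part of the EDPB guidelines or the original article: identifiers are replaced with keyed pseudonyms, other identifiers are removed, quasi-identifiers are generalised, and a group-size check approximates the attribution-risk assessment. The choice of HMAC-SHA256, the field names, the sample records and the group-size measure are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"name": "Ana Ruiz", "email": "ana@example.org", "birth": "1984-03-02",
     "postcode": "SW1A 1AA", "dx": "asthma"},
    {"name": "Ana Ruiz", "email": "Ana@Example.org", "birth": "1984-03-02",
     "postcode": "SW1A 1AA", "dx": "eczema"},
    {"name": "Ben Okoye", "email": "ben@example.org", "birth": "1987-11-20",
     "postcode": "SW1A 2BB", "dx": "asthma"},
    {"name": "Cy Lind", "email": "cy@example.org", "birth": "1991-06-15",
     "postcode": "E1 6AN", "dx": "diabetes"},
]

def pseudonym(secret: bytes, identifier: str) -> str:
    """Keyed pseudonym: the same subject maps to the same value under one secret."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()[:32]

def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers: birth date to decade, postcode to outward code."""
    decade = int(record["birth"][:4]) // 10 * 10
    return {"birth_decade": decade, "area": record["postcode"].split()[0]}

def pseudonymise(records: list, secret: bytes) -> list:
    """Replace the identifier, drop the name, generalise the quasi-identifiers."""
    return [{"pid": pseudonym(secret, r["email"]), **generalise(r), "dx": r["dx"]}
            for r in records]

def smallest_group(rows: list, quasi=("birth_decade", "area")) -> int:
    """Fewest distinct subjects sharing one quasi-identifier combination."""
    groups = {}
    for row in rows:
        groups.setdefault(tuple(row[q] for q in quasi), set()).add(row["pid"])
    return min(len(pids) for pids in groups.values())

# The secret is the additional information: generate and keep it outside the
# pseudonymisation domain (here it simply never leaves this process).
SECRET = secrets.token_bytes(32)
PSEUDONYMISED = pseudonymise(RECORDS, SECRET)

if __name__ == "__main__":
    for row in PSEUDONYMISED:
        print(row)
    # A result of 1 means one subject is unique on decade + area.
    print("smallest group:", smallest_group(PSEUDONYMISED))
```

On the constructed records one subject remains unique on the generalised attributes, the situation in which the quasi-identifiers would need coarser generalisation or omission before the data is released into the pseudonymisation domain.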