Presentation is loading. Please wait.

Presentation is loading. Please wait.

Viewing the GDPR Through a De-Identification Lens

Published byElvin George Modified over 5 years ago

Similar presentations

Presentation on theme: "Viewing the GDPR Through a De-Identification Lens"— Presentation transcript:

1 Viewing the GDPR Through a De-Identification Lens
Mike Hintze Partner, Hintze Law PLLC Adjunct Professor, University of Washington School of Law

2 De-Identification Under the GDPR
The GDPR provides the basis to recognize a more comprehensive spectrum of de-identification Identified vs. Identifiable in the definition of “personal data” Pseudonymous data as a particular type of “Identifiable” data Article 11 strong de-identification: “not in a position to identify the data subject” Anonymous data: GDPR requirements don’t apply Identified Identifiable Article 11 De-Identified Anonymous / Aggregate Directly linked to identifying data Yes No Known, systematic way to (re)identify Relates to a specific person Article 4(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; Article 11(2). the controller is able to demonstrate that it is not in a position to identify the data subject. Recital 26. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

3 GDPR Obligations Through De-ID Lens
Consent or Legitimate Interests Notice to Data Subjects Data Retention Limitations Appropriate Data Security Access, Erasure, Controls Identified Consent of Data Subject Legitimate Interests Prominent Notice Discoverable Notice Shorter Retention Longer Retention Stronger Protections Some Protections Required Identifiable Article 11 De-Identified No Requirement Anonymous / Aggregated No Requirements Legitimate interests: Article 6(1)(f) involves a balance between the legitimate interests of the controller, and the fundamental rights and freedoms of the data subjects. It’s clear that the stronger the de-identification, the lower the risk to the data subject’s fundamental rights and freedoms. a Plus, Article 6(4) supports the idea that de-identification can be used to help justify a basis for lawful processing other than consent. “Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.” Data retention: Article 5(e) of the GDPR establishes the general rule that personal data may be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Data Security: Article 32 of the GDPR requires organizations to implement security measures sufficient “to ensure a level of security appropriate to the risk.” Article 12(2) states that Article 11 De-Identified data (the controller is able to demonstrate that it is not in a position to identify the data subject), certain Article do not apply – including right of access, rectification, erasure, and data portability.

4 De-Identification’s Role in GDPR Guidance
GDPR guidance that recognizes a full range of de-identification can: provide greater clarity in areas of the GDPR that remain opaque; enable organizations to adopt pragmatic compliance tools and strategies; increase incentives for companies to adopt the strongest de-identification that is compatible with the purposes of the data processing (thus achieving an optimal balance between data protection and data utility); and advance the objectives of the GDPR by enhancing the protection of individuals’ personal data.    Identified Identifiable Article 11 De-Identified Anonymous / Aggregate

5 Questions? @mhintze Hintze Law Privacy + Security

Download ppt "Viewing the GDPR Through a De-Identification Lens"

Similar presentations

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Convention for the protection of individual with regard to automatic processing of personal data “The purpose of this convention is to secure in the territory.

Convention for the protection of individual with regard to automatic processing of personal data “The purpose of this convention is to secure in the territory.
The European Data Protection Regulation and research Graham Love Chief Executive Health Research Board 1.

The European Data Protection Regulation and research Graham Love Chief Executive Health Research Board 1.
Data Protection Principles as Basic Foundation for Data Protection in EU/EEA Introduction to Data Protection Theory Seminar - AFIN 31. 01. 2007 Stephen.

Data Protection Principles as Basic Foundation for Data Protection in EU/EEA Introduction to Data Protection Theory Seminar - AFIN Stephen.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Brussels Privacy Symposium on Identifiability

Brussels Privacy Symposium on Identifiability
Key changes with the GDPR

Key changes with the GDPR
Accountability & Structured Privacy Management

Accountability & Structured Privacy Management
Brussels Privacy Symposium on Identifiability

Brussels Privacy Symposium on Identifiability
Processing for archiving purposes in the GDPR

Processing for archiving purposes in the GDPR
Seamus Carroll Civil Law Reform Division

Seamus Carroll Civil Law Reform Division
GDPR (General Data Protection Regulation)

GDPR (General Data Protection Regulation)
Luca De Matteis Justice counsellor (criminal law, data protection)

Luca De Matteis Justice counsellor (criminal law, data protection)
Issues of personal data protection in scientific research

Issues of personal data protection in scientific research
General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)
Amandine Jambert - IT Experts Department

Amandine Jambert - IT Experts Department
Presentation to GTMC on GDPR

Presentation to GTMC on GDPR
GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E

GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E
General Data Protection Regulation

General Data Protection Regulation

Similar presentations

Ads by Google