GDPR Data and Encryption VS Pseudonymization VS Tokenization

Updated: Apr 13, 2020

The European Union has shown an iron fist when it comes to security ‘by design and by default’ under GDPR. With that in mind, businesses have the liberty to do as they when it comes to protecting data so long as they have strong and durable security to the personal data.

This is because it will be expected for companies to go by with what works best when it comes to doing the job. One good example of this is how businesses use pseudonymization and encryption as these are known to provide the best and strongest levels of protection.

Encryption, as per se, is a solution in data security which is commonly used. It blocks and prevents any prohibited access which creates a layer of protection against potential harmful threats and breaches. This method is very convenient especially when it comes to complying with the regulation as this will serve as the company’s safeguard when they process personal data on a daily basis.

Companies should use encryption along with other safety measures to ensure a highly durable wall from cybercriminals. There are instances that call for encryption and it is the job of the data controllers to analyze which data needs to be encrypted. Encrypting every email is not really necessary but when it contains information like sensitive personal data, encryption should most definitely be considered.

Using encryption will help mitigate the risks that come along with the processing of personal data since it will not be possible to view without obtaining the right key first. In addition, encryption will be very helpful should a data breach occur. GDPR demands companies to disclose breaches within the 72-hour time period to the higher authorities and the affected individuals. If the business could provide concrete evidence that their data is encrypted and that it will be nearly impossible to trace individuals from the stolen data, then they don’t have to worry about the deadline of the breach disclosure.

The definition of pseudonym under the regulation is a way of processing data where it can no longer be traceable to a specific person. This information which could help distinguish an individual should be kept separately and this data should not be able to point out to a natural person.

Pseudonymization doesn’t really provide complete animosity nor does it give a direct link to a specific person. All thanks to this, your risks of a breach will be alleviated to say the least. One popular pseudonymization tool is ‘harsh functions’ which is used to trace data regardless of its size to codes of a specific size.

Another way to go is through tokenization. This is the replacement of a sensitive data, before processing is done, into a randomly generated token. Data will then be stored and can only be controlled and accessed by the company that uses the data. Some would argue that tokenization can be better/worse than encryption as it often has no algorithms which can help create a link to the original data. Encryption works best for files and unstructured data while tokenization is better for structured data within databases.