While we’re on the topic of whether you need to hire a Data Protection Officer to comply with the GDPR, it’s worth mentioning that companies that rely upon cloud-based storage providers will not be exempt from the GDPR.
If your company uses Amazon Web Services, Google Cloud, or Microsoft Azure, you will NOT be able to blame Amazon, Google, or Microsoft for failure to comply with the GDPR. In fact, you can’t blame anyone else.
Ignorance of the law is not a valid excuse for breaking it, and your business will be punished accordingly.
What counts as ‘pseudonymized data’ under the GDPR?
Pseudonymized data is “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”
It’s the aggregate data you use to craft remarketing audiences in AdWords and Custom Audiences in Facebook.
Essentially, this means that all identifying information regarding an individual user must be removed entirely from all stored or processed data so that the identity of a specific user cannot be revealed — even to the company or authority responsible for anonymizing the data itself. Remember earlier when we went over the kinds of identifying information protected by the GDPR?Well, it doesn’t end with dates of birth, Social Security numbers, or financial information.
The GDPR also protects information such as a person’s…
- Religious, philosophical, or political beliefs
- Sexuality or sexual orientation
- Records of membership to organizations such as labor union
- Genetic or biometric data including fingerprints and DNA
Since this data is protected by the GDPR, the measures a company takes to pseudonymize its data must ensure these data points are also removed completely.
The primary reason that the GDPR uses the term “pseudonymized data” rather than “anonymized data” is largely one of pragmatism. It’s very difficult to completely remove all identifying information about a user. Truly anonymized data falls outside the jurisdiction of the GDPR, but given that it’s highly unlikely many data controllers would either be able or willing to truly and completely anonymize their users’ data, the
GDPR uses the definition of pseudonymous data instead.