Standards of data anonymisation in UK & EU
The contents of this article do not constitute legal advice, they are our interpretation and are provided for general information purposes only
What is data anonymisation?
Anonymisation is the process of removing all personal identifiers such as name, e-mail address, postcode etc such that data subjects are no longer identifiable in any way. Data that has been reasonably anonymised, where individuals are no longer directly or indirectly identifiable does not fall within the scope of GDPR and hence can be easily optimised into applications, analytics and AI models amongst others. At TEXpert Ai, we are working on best practices and process designs that enhance privacy and governance through anonymisation to ensure GDPR compliance for our stakeholders and ourselves. A large part of our activities consists of collecting, storing, processing, and analysing anonymous demographics and other diversity data on behalf of our stakeholders. Since our main target market is UK & EU, we have assessed the data anonymisation standards within these GDPR landscapes.
Christopher Weichert on standards of data anonymisation under GDPR
Are the standards of anonymisation the same under UK & EU GDPR?
The EU GDPR and UK GDPR are largely identical, including the conditions to classify data as anonymised. Although the conditions are similar, there is a suggestion that the UK’s Information Commissioner’s Office (“ICO”) is slightly less stringent when assessing anonymisation than certain EU counterparts and that the standard for anonymisation in the UK could diverge from the EU in the future. The EU GDPR is saved into UK law through section 3 of the European Union (Withdrawal) Act 2018. The text of the EU GDPR and UK GDPR is the same, except for provisions that no longer apply in the UK’s domestic legal system, such as the EU Charter of Fundamental Rights. As a result of being transposed from EU law, the ICO frequently refers to the EU GDPR when giving guidance on the UK GDPR. When defining anonymisation, the ICO explicitly refers to Recital 26 of the EU GDPR.[1] Recital 26 is, in fact, UK law in accordance with the European Union (Withdrawal) Act 2018. Even though both UK & EU GDPR use the same standard, the International Institute of Privacy Professionals has stated that the ICO is slightly more lenient when permitting anonymisation based on historical reasons. It stated in a July 2021 article that the UK views a residual risk of reidentification as acceptable as long as the right precautions are in place.[2] This article, as well as other publications from the IAPP, are helpful for organisations faced with GDPR compliance.
The test for anonymisation is the same across the EU GDPR and UK GDPR: anonymisation depends on whether it is “reasonably likely” an individual can be identified from the information.
Will the UK’s Information Commissioner’s Office diverge from the GDPR approach?
In May 2021, the ICO issued draft guidance on anonymisation.[1] The draft guidance is significant because it was the ICO’s first publication on anonymisation under the UK GDPR. As expected, the draft guidance followed the language of the EU GDPR with respect to anonymisation, which is the Recital 26 “reasonably likely” test. The ICO left the door open for divergence from the EU GDPR with respect to anonymisation, however, it stated that it “will discuss the concepts of ‘identifiability’ and the ‘reasonably likely’ test in more detail in future sections of this guidance.”[2] The ICO continues to call for views for its guidance on anonymisation, which can be submitted until 16 September 2022.
[3]For practical purposes, the conditions for satisfying anonymisation standards across the EU GDPR and the UK GDPR are the same. The same conditions must be met whether the “reasonably likely” standard is used or a slightly more forgiving standard. Currently, there are no significant differences in anonymisation between the EU GDPR and UK GDPR that warrants treating data differently. The difference will be the ICO’s stance on assessing anonymisation moving forward, which will be answered when the ICO publishes its updated guidance on anonymisation.
1] Introduction to anonymization. ICO. (n.d.). Retrieved February 11, 2022, from https://ico.org.uk/media/about-the-ico/consultations/2619862/anonymisation-intro-and-first-chapter.pdf [2] Fn. 3, p. 9. [3] ICO call for views: Anonymisation, pseudonymisation and privacy-enhancing technologies guidance. ICO. (n.d.). Retrieved February 11, 2022, from https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-anonymisation-pseudonymisation-and-privacy-enhancing-technologies-guidance/