50 Best Practices for Pseudonymisation

Does your pseudonymisation technology satisfy these 50 Best Practices? Check out the following Best Practices and compare the technology you are using against state-of-the-art techniques for reducing the risk of unauthorized re-identification. These 50 Best Practices were independently developed by Anonos using content contained in ENISA reports. They do not constitute technical or legal recommendations of ENISA.

Anonos derived Best Practices from ENISA report: Recommendations on Shaping Technology According to GDPR Provisions - An Overview on Data Pseudonymisation

https://www.enisa.europa.eu/publications/recommendations-on-shaping-technology-according-to-gdpr-provisions
| Best Practice | Derived from Section | Anonos Data Embassy | Vendor B | Vendor C | Vendor D |
|---|---|---|---|---|---|
| Personal identifiers replaced with pseudonyms | 2.1.1 | | | | |
| Pseudonyms do not allow the direct derivation of personal identifiers | 2.1.1 | | | | |
| Personal data can no longer be attributed to a specific data subject without the use of additional information | 2.1.2 | | | | |
| Reversal of pseudonymisation is non-trivial in the absence of additional information | 2.1.2 | | | | |
| Additional information kept separately, using technical and organizational controls to limit access | 2.1.2 | | | | |
| Pseudonyms applied to direct and indirect identifiers | 2.1.2, 2.1.3 | | | | |
| Resistance against re-identification via singling out | 2.1.2, 2.1.3 | | | | |
| Resistance against re-identification via linkage attacks | 2.1.2, 2.1.3 | | | | |
| Resistance against re-identification via inference attacks | 2.1.3, 2.2 | | | | |
| Anonymisation techniques used to further reduce the possibility of third parties inferring identity | 2.2 | | | | |
| Single input results in a decoupled pair of outputs: pseudonymous data and the additional information necessary to re-identify | 2.3 | | | | |
| Identity of data subjects hidden in the context of a specific data processing operation | 2.3 | | | | |
| Any recipient or third party having access to pseudonymised data cannot trivially derive the original data set or the identity of data subjects | 2.3 | | | | |
| Support for unlinkability across different data processing domains | 2.3 | | | | |
| Support for accuracy by retaining access to both the pseudonymised output and the additional information necessary to re-identify | 2.3 | | | | |
| Does not use hashing without a key or salt to generate pseudonyms | 3.2 | | | | |
| Offers a keyed hash function (HMAC over SHA-2/SHA-3, 256+ bit keys) to generate pseudonyms | 3.3 | | | | |
| Offers tokens (randomly generated values) as pseudonyms | 3.4 | | | | |
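
Worked example for the hashing, keyed-hash and token items above (sections 3.2 to 3.4), which also exercises the brute-force and dictionary-search attacks the second ENISA report lists under 4.4.1 and 4.4.2. This is an added illustration, not code from the Anonos page, from ENISA or from any vendor's product. The 5-digit identifier space, the victim value, the salt and the key sizes are constructed for the example; the point generalizes to any identifier space an attacker can enumerate (phone numbers, national IDs, e-mail addresses).

```python
# Added example (not from the Anonos page, ENISA or any vendor): an unkeyed
# hash, even with a salt, is not a pseudonymisation secret; an HMAC key of
# 256 bits or a random token with a mapping table is.
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier (ENISA 3.2: not recommended)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def salted_hash(identifier: str, salt: bytes) -> str:
    """SHA-256 over salt || identifier. A salt defeats precomputed tables, but
    it is stored with the data rather than kept secret, so it costs the
    attacker one hash per candidate instead of a table lookup."""
    return hashlib.sha256(salt + identifier.encode()).hexdigest()


def hmac_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (ENISA 3.3 / 5.1.4): the key is the pseudonymisation secret
    and lives apart from the pseudonymised data set."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def token_pseudonym(identifier: str, table: Dict[str, str]) -> str:
    """Random token (ENISA 3.4 / 5.1.2) from a CSPRNG. There is no function to
    invert; the mapping table is the only way back and is the secret."""
    if identifier not in table:
        table[identifier] = secrets.token_hex(16)
    return table[identifier]


def dictionary_attack(pseudonym: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary search (ENISA 4.4.2): run the attacker's copy of the
    pseudonymisation function over every candidate identifier."""
    for cand in candidates:
        if fn(cand) == pseudonym:
            return cand
    return None


def brute_force_key(identifier: str, pseudonym: str, key_len: int) -> Optional[bytes]:
    """Brute force (ENISA 4.4.1) over every key of key_len bytes, given one
    known (identifier, pseudonym) pair. Feasible only for toy key sizes; a
    256-bit key leaves 2**256 candidates."""
    for k in range(256 ** key_len):
        key = k.to_bytes(key_len, "big")
        if hmac_pseudonym(identifier, key) == pseudonym:
            return key
    return None


def run_attacks() -> dict:
    """Pseudonymise one constructed identifier four ways and attack each."""
    candidates = [f"{i:05d}" for i in range(100_000)]  # the whole 5-digit ID space
    victim = "04217"                                    # constructed sample
    salt = b"salt-stored-next-to-the-data"              # assumption: attacker can read it
    key = secrets.token_bytes(32)                       # 256-bit pseudonymisation secret
    weak_key = secrets.token_bytes(2)                   # 16-bit key, brute-force case only
    guess = secrets.token_bytes(32)                     # attacker's guess at the real key
    table: Dict[str, str] = {}
    token = token_pseudonym(victim, table)
    reverse_table = {v: k for k, v in table.items()}    # held by the controller only
    return {
        "unkeyed": dictionary_attack(unkeyed_hash(victim), candidates, unkeyed_hash),
        "salted": dictionary_attack(salted_hash(victim, salt), candidates,
                                    lambda c: salted_hash(c, salt)),
        # Without the key the dictionary is useless: every guess mismatches.
        "hmac": dictionary_attack(hmac_pseudonym(victim, key), candidates,
                                  lambda c: hmac_pseudonym(c, guess)),
        # With one known pair and a 16-bit key, the key itself falls quickly.
        "weak_key_found": brute_force_key(victim, hmac_pseudonym(victim, weak_key), 2) == weak_key,
        # A random token is only recoverable through the controller's table.
        "token_via_table": reverse_table.get(token),
    }


if __name__ == "__main__":
    for name, outcome in run_attacks().items():
        print(f"{name:16s} -> {outcome}")
```

Running it shows the unkeyed and salted pseudonyms recovered by dictionary search in well under a second, the HMAC pseudonym surviving the same search, the 16-bit key falling to brute force, and the token recoverable only through the table; this is the check to run against any product that claims "hashed identifiers" are pseudonymised.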
Anonos derived Best Practices from ENISA report: Pseudonymisation Techniques and Best Practices

https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices
| Best Practice | Derived from Section | Anonos Data Embassy | Vendor B | Vendor C | Vendor D |
|---|---|---|---|---|---|
| Enables a Risk-Based Approach accounting for required protection and utility/scalability | Exec Summary | | | | |
| Advances the State of the Art | Exec Summary | | | | |
| Complies with the GDPR Definition of Pseudonymisation | 2 | | | | |
| Utilizes one or more Pseudonymisation Functions | 2 | | | | |
| Utilizes a Pseudonymisation Secret | 2 | | | | |
| Has a Recovery Function for its Pseudonymisation Functions | 2 | | | | |
| Uses a Pseudonymisation Mapping Table | 2 | | | | |
| Attack Resistance | 4.3 | | | | |
| Pseudonymisation Secret Discovery Attack Resistant | 4.3.1 | | | | |
| Re-Identification (Linkage) Attack Resistant | 4.3.2 | | | | |
| Discrimination (Inference) Attack Resistant | 4.3.3 | | | | |
| Brute Force Attack Resistant | 4.4.1 | | | | |
| Dictionary Search Resistant | 4.4.2 | | | | |
| Utility and Data Protection Maximization | 4.5 | | | | |
| Pseudonymisation Techniques | 5.1 | | | | |
| Does not make use of Counters | 5.1.1 | | | | |
| Uses a Cryptographic Random Number Generator | 5.1.2 | | | | |
| Does not use a Cryptographic Hash Function (with or without salt or pepper) as the Pseudonymisation Function | 5.1.3 | | | | |
| Uses a MAC, i.e. a keyed hash (HMAC) | 5.1.4 | | | | |
| Pseudonymisation Policies | 5.2 | | | | |
| Supports Deterministic Pseudonymisation | 5.2.1 | | | | |
| Supports Fully Randomized Pseudonymisation (RDDIDs) at both row and field level | 5.2.3 | | | | |
| Offers a Recovery Function (Reversal of Pseudonymisation) | 5.4 | | | | |
| Protects the Pseudonymisation Secret | 5.5 | | | | |
| Advanced Pseudonymisation Techniques | 5.6 | | | | |
| Controlled Pseudonym Linkability | 5.6 | | | | |
| K-Anonymity | 5.6 | | | | |
| Aggregation/Generalization/Binning | 5.6 | | | | |
| Rounding | 5.6 | | | | |
| Masking | 5.6 | | | | |
| Prefix/Suffix-Preserving Pseudonymisation | 6.2.1 | | | | |
| Format-Preserving Pseudonymisation | 7.4 | | | | |
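
Worked example for the policy items (5.2.1 and 5.2.3, with the document-randomized policy of 5.2.2 that sits between them), the recovery function and secret protection items (5.4, 5.5), controlled pseudonym linkability (5.6) and prefix-preserving pseudonymisation (6.2.1). It is an added illustration, not code from the Anonos page, from ENISA or from any vendor's product. The two record sets, the domain labels "hr" and "payroll", the 16-hex-character pseudonym length, the sample IP addresses and the choice of HMAC-SHA256 as the bit-level PRF are assumptions made for the example. Format-preserving pseudonymisation (7.4) is not shown: it calls for a format-preserving encryption mode such as FF1 from NIST SP 800-38G, not a hash or token.

```python
# Added example (not from the Anonos page, ENISA or any vendor): the three
# ENISA pseudonymisation policies, a mapping-table recovery function, a
# cross-dataset linkability check and a prefix-preserving IPv4 pseudonymiser.
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List

# Constructed sample: two data sets from different processing domains that
# share data subjects; the e-mail address is the identifier to pseudonymise.
HR_RECORDS = [("alice@example.com", "engineering"),
              ("bob@example.com", "sales"),
              ("alice@example.com", "engineering")]
PAYROLL_RECORDS = [("alice@example.com", 5200),
                   ("bob@example.com", 4100)]


class Pseudonymiser:
    """Holds the pseudonymisation secret and the mapping table. This object
    is the 'additional information' (ENISA 5.5); exported data sets carry
    pseudonyms only."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.table: Dict[str, str] = {}   # pseudonym -> identifier

    def _record(self, pseudonym: str, identifier: str) -> str:
        self.table[pseudonym] = identifier
        return pseudonym

    def deterministic(self, identifier: str) -> str:
        """5.2.1: one identifier, one pseudonym everywhere; joinable across
        data sets, so use it only where that linkage is wanted."""
        p = hmac.new(self.secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        return self._record(p, identifier)

    def document_randomized(self, identifier: str, domain: str) -> str:
        """5.2.2: stable inside one data set (domain), different across data
        sets. Two data sets become joinable only if the controller gives them
        the same domain label: controlled linkability (5.6)."""
        msg = domain.encode() + b"\x00" + identifier.encode()   # domain separation
        p = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        return self._record(p, identifier)

    def fully_randomized(self, identifier: str) -> str:
        """5.2.3: a fresh CSPRNG token per occurrence, unlinkable even within
        one data set; recovery only through the table."""
        return self._record(secrets.token_hex(8), identifier)

    def recover(self, pseudonym: str) -> str:
        """5.4 recovery function, the same for all three policies."""
        return self.table[pseudonym]


def linkable(a: List[str], b: List[str]) -> int:
    """Pseudonyms an observer holding both data sets, but no secret, can join."""
    return len(set(a) & set(b))


def duplicates(a: List[str]) -> int:
    """Records in one data set an observer can tie to the same subject."""
    return len(a) - len(set(a))


def prefix_preserving_ipv4(ip: str, key: bytes) -> str:
    """Prefix-preserving pseudonymisation in the style of ENISA 6.2.1: output
    bit i = input bit i XOR PRF(key, first i input bits). Two addresses that
    share an n-bit prefix map to pseudonyms sharing exactly an n-bit prefix."""
    bits = format(int(ipaddress.IPv4Address(ip)), "032b")
    out = []
    for i in range(32):
        mask = hmac.new(key, bits[:i].encode(), hashlib.sha256).digest()[0] & 1
        out.append(str(int(bits[i]) ^ mask))
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def common_prefix_bits(ip_a: str, ip_b: str) -> int:
    a = format(int(ipaddress.IPv4Address(ip_a)), "032b")
    b = format(int(ipaddress.IPv4Address(ip_b)), "032b")
    n = 0
    while n < 32 and a[n] == b[n]:
        n += 1
    return n


def demo() -> dict:
    ps = Pseudonymiser(secrets.token_bytes(32))
    hr_ids = [i for i, _ in HR_RECORDS]
    pay_ids = [i for i, _ in PAYROLL_RECORDS]
    det = ([ps.deterministic(i) for i in hr_ids], [ps.deterministic(i) for i in pay_ids])
    doc = ([ps.document_randomized(i, "hr") for i in hr_ids],
           [ps.document_randomized(i, "payroll") for i in pay_ids])
    rnd = ([ps.fully_randomized(i) for i in hr_ids], [ps.fully_randomized(i) for i in pay_ids])
    ip_key = secrets.token_bytes(32)
    a, b = "10.0.0.1", "10.0.0.200"   # constructed; share a 24-bit prefix
    return {
        "deterministic": (linkable(*det), duplicates(det[0])),        # (2, 1)
        "document_randomized": (linkable(*doc), duplicates(doc[0])),  # (0, 1)
        "fully_randomized": (linkable(*rnd), duplicates(rnd[0])),     # (0, 0)
        "recovered": ps.recover(rnd[0][0]),                           # alice@example.com
        "prefix_in": common_prefix_bits(a, b),                        # 24
        "prefix_out": common_prefix_bits(prefix_preserving_ipv4(a, ip_key),
                                         prefix_preserving_ipv4(b, ip_key)),  # 24
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

The pair returned for each policy is (records joinable across the two data sets, records tied together inside the HR set): the deterministic policy links both subjects across HR and payroll, the document-randomized policy keeps Alice's two HR rows linked but breaks the cross-domain join, and the fully randomized policy links nothing, while recover() still works for all three because the table is held by the controller. The IP check confirms that the pseudonymised addresses share exactly the same prefix length as the originals, which is what lets network analytics keep working on subnets without exposing hosts.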
REFERENCES TO ENISA DO NOT INDICATE ANY RELATIONSHIP, SPONSORSHIP, OR ENDORSEMENT BY ENISA. ALL REFERENCES TO ENISA CONSTITUTE NOMINATIVE FAIR USE UNDER APPLICABLE TRADEMARK LAWS