At EisphorIA, we have developed a product – CleanMyDoc – that supports very efficiently the pseudonymisation process with a high accuracy rate and security level. It can be particularly helpful in due diligence processes or other similar situations.
Now, pseudonymisation is also a regulatory concern
If pseudonymisation (or, but not treated here, anonymisation) has always been top of mind for confidentiality purposes, its importance has significantly increased with the emergence/reinforcement of the regulatory landscape on privacy. As we all know, failure in the pseudonymisation process now leads to compliance breaches, which can severely impact an organization both from a financial and reputation point of view.
This explains, as raised by ENISA in its November 2019 Pseudonymisation techniques and best practices Paper, that “in the light of GDPR, the challenge of proper application of pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities”.
Pseudonymisation process should hence be carefully undertaken, satisfying a 3-levels requirements: (1) degree of robustness/accuracy necessary for answering adequately to privacy, (2) degree of utility necessary for processing and understanding the data and (3) degree of security necessary for limiting risks of re-identification. Such a process may obviously differ from a context to another (the specific importance spectrum of each requirement listed above varies in function of circumstances).
Technology as a true helper
Without surprise, adequate technology – i.e. solutions that efficiently responds to the 3-levels requirements of accuracy, utility and security – is a true helper here.
Indeed, it is hardly imaginable that pseudonymisation is still undertaken manually, not solely because of the massive amount of documents to be processed but also because of the high risk of errors such manual review would incur. In other words, in addition to time and energy costs, a manual pseudonymisation does not give sufficient guarantees as regards to the 3-levels requirements.
Technology is hence an essential relay. And the good news is that the algorithms developed are more and more powerful in terms of accuracy, usability and security. State-of-the art algorithms imply (1) an automated recognition of name, location, register numbers, organizations, emails, IP addresses, etc…, (2) coherence in the pseudonymisation processing both in specific document and in the whole data set and (3) capacity of adaptation as regards to clients’ preferred pseudonymisation approaches and policies.
To quote the ENISA Paper, the new-gen algorithms respond adequately to the recommendation that the implementation of pseudonymisation process follows “a risk-based approach, taking into account the purpose and overall context of the personal data processing, as well as the utility and scalability levels they wish to achieve”.