The GDPR is a European Union privacy statute that effects businesses worldwide, not just businesses in Europe. If your database contains one record on an EU citizen, you’re subject to GDPR. Article 83 says that violations are subject to fines of 20,000,000 EUR or 4% of revenue, whichever is higher.
If you want to use personal data for any purpose other than what it was collected for, and you do not have the consent of each individual, the data must be de-identified, or in the language of the GDPR, pseudonymised.
Article 6 says that
Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent … the [data] controller shall … take into account … the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Pseudonymisation is defined in Article 4 as
the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
The concept of pseudonymisation in European law is analogous to de-identification in US law.
If you would like help determining to apply pseudonymisation effectively while retaining the usefulness of your data, please call or email to set up a time to discuss your data.
Trusted consultants to some of the world’s leading companies