?> Understanding the role of anonymization and pseudonymization in GDPR compliance | Snowplow
Snowplow ‘Outperforms’ GA4 in GigaOm Comparative Evaluation.
Read More
Platform
Products Behavioral data platform
Behavioral Data Platform Create behavioral data at enterprise scale
Open Source
Open Source Start creating data with our developer-first engine
Pricing
Pricing Learn about Snowplow's tiers and deployment options
Explore What is Data Creation
What is Data Creation? Create fit-for-purpose data to unlock new value at scale
What is data behavioral data
What is Behavioral Data? Discover the richest possible fuel for AI and analytics
Integrations catalog
Integrations Catalog Explore all Snowplow sources & destinations
Example Data Sample Snowplow Data
Sample Snowplow Data Explore Snowplow’s unified event stream in detail
Sample Modeled Data
Sample Modeled Data See an example of out-of-the-box modeled data
Read More
Solutions
Data Solutions Advanced Analytics
Advanced Analytics Build customized analytics apps
AI / ML
AI / ML Train models with AI-ready data
Composable CDP
Composable CDP Power personalized experiences
Use Cases Accelerators
Accelerators Create data products faster
All Use Cases
All Use Cases Explore our library of use cases
Industries
Industries Find use cases by industry
Partners Partner Ecosystem
Partner Ecosystem Find a partner to meet your needs
Technology Partners
Technology Partners View integration partners
Solution Partners
Solutions Partners Connect with a Snowplow expert
Read More
Customers
Industries Media & Entertainment
Media & Entertainment
Retail
Retail
SaaS
SaaS
Travel
Travel
Edtech
Edtech
Fintech
Fintech
Channels Web
Web
Mobile
Mobile
Server-side
Server-side
Email
Email
Advertising
Advertising
Business Models Marketplaces
Marketplaces
Subscription
Subscription
Aggregators
Aggregators
Ecommerce
Ecommerce
Customer Stories Strava
Strava
Autotrader
Autotrader
Bizzabo
Bizzabo
Gousto
Gousto
Sophi and Globe and Mail
Sophi and Globe and Mail
All Customer stories
All Customer stories
Resources
Learn More Blog
Blog
Knowledge base
Knowledge Base
Events
Events
Meetup
Meetup
Get Started Documentation
Documentation
Github
GitHub
Discourse
Discourse
Find a partner
Find a Partner
101 Guide to Marketing Attribution Read More
Company
About Snowplow

Snowplow is the world’s leading data creation platform. We empower any company to create their own AI-ready behavioral data to fuel advanced data applications.

  About us
About Us
Careers
Careers
Contact Us
Contact Us
Newsroom
Newsroom
Inside the Plow: The latest insights from the Snowplow team Explore the blog
Platform
Products Behavioral data platform
Behavioral Data Platform
Open Source
Open Source
Pricing
Pricing
Explore What is Data Creation
What is Data Creation?
What is data behavioral data
What is Behavioral Data?
Integrations catalog
Integrations Catalog
Example Data Sample Snowplow Data
Sample Snowplow Data
Sample Modeled Data
Sample Modeled Data
Solutions
Data Solutions Advanced Analytics
Advanced Analytics
AI / ML
AI / ML
Composable CDP
Composable CDP
Use Cases Accelerators
Accelerators
All Use Cases
All Use Cases
Industries
Industries
Partners Partner Ecosystem
Partner Ecosystem
Technology Partners
Technology Partners
Solution Partners
Solutions Partners
Customers
Industries Media & Entertainment
Media & Entertainment
Retail
Retail
SaaS
SaaS
Travel
Travel
Edtech
Edtech
Fintech
Fintech
Channels Web
Web
Mobile
Mobile
Server-side
Server-side
Email
Email
Advertising
Advertising
Business Models Marketplaces
Marketplaces
Subscription
Subscription
Aggregators
Aggregators
Ecommerce
Ecommerce
Customer Stories Strava
Strava
Autotrader
Autotrader
Bizzabo
Bizzabo
Gousto
Gousto
Sophi and Globe and Mail
Sophi and Globe and Mail
All Customer stories
All Customer stories
Resources
Learn More Blog
Blog
Knowledge base
Knowledge Base
Events
Events
Meetup
Meetup
Get Started Documentation
Documentation
Github
GitHub
Discourse
Discourse
Find a partner
Find a Partner
Company
About Snowplow

Snowplow is the world’s leading data creation platform. We empower any company to create their own AI-ready behavioral data to fuel advanced data applications.

  About us
About Us
Careers
Careers
Contact Us
Contact Us
Newsroom
Newsroom
  1. Home
  2. Blog
  3. Data Governance
Data compliance, Data governance

Understanding the role of anonymization and pseudonymization in GDPR compliance

Avatar
2 March 2018 ·
Jump to

If you visit the European Union homepage for GDPR, one of the first things you’ll notice is a timer (assuming you read this before enforcement begins). Clearly displayed down to the second, at any given time you can check to see how much time you have left. Considering all of the complexities that come with compliance, problems that must be solved at the technological, procedural, and governance levels, there are many of us who will need to use as much of the remaining days and hours as possible to prepare our organizations for this new set of data protection regulations.

GDPR homepage

GDPR Recap

The General Data Protection Regulation gives new rights to data subjects, the individual users about whom data describes (a list can be found in this post). These new rights are meant to shift control over how personal data is used into the hands of the individuals, meaning data controllers, like Snowplow users who collect personal data, are facing new obligations for how their data must be handled from end to end. Because these regulations are onerous, companies need to challenge themselves whenever they’re collecting personal data to be clear on why they’re doing it. In situations where the same impact can be achieved with data that is not personal, for instance, these obligations do not apply.

However, GDPR massively expands the scope of what constitutes personal data. To quote the Information Commissioner’s Office, “GDPR applies to ‘personal data’ meaning any information related to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data including name, identification number, location data, or online identifier, reflecting changes in technology and the way organisations collect information about people.” While this clearly categorizes IP addresses, cookie IDs, and other device identifiers like IDFVs and IDFAs constitute personal data, the deliberately vague nature of the definition presents a moving target for companies as more data is collected on individual users and additional legal precedent is set.

data subjects

Why anonymization matters in a GDPR world

“Anonymization” is a technique for taking personal data and rendering it non-personal by making it impossible for a user with the data to identify which individual the data describes. With digital data, we can distinguish two distinct uses:

  1. We use data to build insight in an attempt to better understand how users are engaging with our products and websites. This insight can be used to optimize marketing spend or support the product development process (as we explored in our product analytics guide).
  2. We use data to better understand individual users and better communicate with and engage those users to, hopefully, improve their experience

We can use anonymized data for (1) but not for (2). When we’re collecting data for the purpose of insight, it doesn’t matter who the individuals are, just what they do. This means that we can still collect and use digital data to do things like optimize marketing campaigns and support product development without collecting personal identifiable information (PII) and incurring the obligations associated with doing so.

Anonymization and Pseudonymization

When data is fully anonymized, the link between the data and the personal identifiers is completely severed: all data collected is decoupled from any sort of personal information. Pseudonymized data, conversely, retains a slight tether between the data and the PII, meaning the data is, on the surface, anonymous but when it comes time, special measures can be taken to restore the connection, allowing a company to act. In practice, fully anonymizing data is very difficult. Even if we anonymize a data subject’s name, knowing other pieces of information about the subject, such as date of birth or location, can allow us to narrow down the potential identity of an “anonymous” user or even pinpoint the specific individual if the data set is small enough.

Though pseudonymized data seems to present the opportunity to retain as much user data as possible while circumventing the obligations GDPR requires, the regulation explicitly states that pseudonymized data can fall within its scope, depending on how difficult it is to attribute the pseudonym to a particular individual. Pseudonymized data remains very valuable from a GDPR perspective, however. If, for example, a company collects digital data to support product development but does not engage in targeted marketing, a marketer cannot accidentally use the data to target an individual user. In light of what companies must do in order to demonstrate compliance, making sure only authorized activities are carried out is a powerful control.

authorized users only

GDPR tools and the Snowplow pipeline

Because of the high value of anonymization as a tool for data controllers to help them comply with GDPR, we recently released R100, Epidaurus which builds this functionality into our data processing pipeline. Snowplow is a data collection platform, used by companies to collect data across multiple platforms and channels. On each platform, we expect there to be at least one user-level or device-level identifier to enable analysts to stitch together user journeys on those channels, and then join them together to create a single-customer view, an essential element in many types of analysis.

By enabling data controllers to pseudonymize all of those identifiers while retaining the ability for data consumers to understand an individual’s complete user journey across platforms and channels (simply removing the fact of who went through the journey), Snowplow users are better able to use data to power insight and better respect the rights of data subjects whose journey that data describes.

Data consumers have to take as many measures as possible to ensure their use of their data is lawful and that everyone within the organization complies as well. Epidaurus, along with the update of our JavaScript tracker, are the first of many layers of protection we’re building to both make it easier to comply with GDPR as well as make it more difficult to break regulation.

More about
the author

Avatar
Snowplow Team
View author

Related articles

Snowplow Objective-C Tracker 0.5.0 released

Joshua Beemster
Joshua Beemster 3 September 2015

Joshua Beemster is a Snowplower!

Alex Dean
Alex Dean 19 February 2015

Introducing a new generation of our web data model

Cara Baestlein
Cara Baestlein 13 November 2020

Ready to start creating rich, first-party data?

Try Snowplow Schedule a Demo
Image of the Snowplow app UI