GDPR Tokenization: Pseudonymization vs. Anonymization

The goal of the European Union’s General Data Protection Regulation (GDPR), which replaced the 1995 Data Protection Directive 95/46/EC on May 25, 2018, is to protect the personal data of all EU citizens and residents by setting standards for the collection, storage, sharing, transferring, processing, and management of various categories of personal data. It also addresses the export of personal data outside the EU. It is designed to standardize data privacy laws across the EU in order to “protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” With the continued threat to individual privacy from cybercriminals and the widespread data collection by organizations and governments, the GDPR is one of the most important privacy regulations passed in recent times and its impact will be felt worldwide.

The GDPR protects personal data, which is defined as any information related to an identified or identifiable natural person, or data subject. In other words, this is information that can be used to directly or indirectly identify an individual. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Although EU countries are the primary focus, the GDPR also applies to any organization that offers goods or services in those countries, oversees the behavior of EU data subjects, or manages, stores, processes, or monitors the personal information of any EU residents.

Penalties for Noncompliance

GDPR goes into effect May 2018. Any organization who is found to be not in compliance is subject to a fine of up to 4% of annual global revenue, capped at €20 Million. These are the maximum fines that will be imposed for the most severe violations. GDPR has also established a tiered system in which organizations can be fined 2% of annual global revenue if their records are found inadequate under GDPR guidelines; failure to notify governing authorities and affected individuals of a data breach; or other failures to perform measures designed to lead to compliance. For purposes of the imposition of fines, the GDPR makes no distinction between controllers and processors. “Cloud Service Providers” are not exempt.

Definition of Controllers and Processors

A data controller is any organization that collects personal data from EU residents. A processor is any organization that processes personal data on behalf of a data controller. Processors include cloud service providers which “process” data collected on any data subject (person) residing in the EU. “Processing” is very broadly defined and includes almost any data manipulation function, such as transmission and storage.

Key Requirements of GDPR

  • Consent of data subjects for data processing is not mandatory but is encouraged
  • De-identifying (through anonymizing or pseudonymization) collected data to protect privacy
  • Informing individuals and regulatory bodies of a data breach
  • Safely and securely handling the transfer of data across borders
  • Certain organizations will need to appoint a Data Protection Officer to oversee compliance

Governing Bodies

The European Commission is the executive body that represents the interests of the 28  EU commissioners. The commission utilizes a collective decision-making process to propose legislation, enforce European law by utilizing the help of the Court of Justice, represent the EU internationally, set objectives, and manage policies and budget. The Council of the Ministers of the European Union represents the government of each member state. It shares the power of adoption for legislation and the budget with Parliament and coordinates policy for individual member states, as well as foreign and security policy. Based on proposals from the Commission, the Council is the authoritative body to conclude and sign off on international agreements.

How TokenEx Assists in Achieving GDPR Compliance

TokenEx’s tokenization solutions are well-recognized and accepted forms of pseudonymization, which makes GDPR compliance more certain, less costly, and much easier to accomplish. Tokenization is an advanced form of pseudonymization, as referenced in the GDPR. It is the process TokenEx has used for over a decade to protect the private data of clients worldwide, without a single breach or exposure. As a well-recognized and accepted form of pseudonymization, tokenization can be used to satisfy many of the compliance requirements of the GDPR.

Anonymization vs. Deanonymization

As referenced in the previous paragraph, one method for compliance is desensitizing the data in question, removing it from the scope of GDPR altogether. In order to desensitize or de-identify information, companies commonly choose to employ anonymization or pseudonymization. The GDPR explicitly states the data-protection principles of the law do not apply to anonymous information—“information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

However, fully anonymizing a data set is a difficult task, and once it’s done, the anonymous data isn’t designed to be returnable to its original, identifiable form—rendering it useless for almost anything but very high-level data aggregation and analysis. Because the data’s business utility likely was the reason your organization was processing it in the first place, this isn’t a terribly attractive solution.


Although it is not impossible to deanonymize anonymized data, it does require extensive data-mining efforts in order to return enough information to make cross-referencing feasible—which defeats the purpose of anonymizing data to begin with. An alternative that “cleanses” sensitive data while still maintaining its valuable business-intelligence purposes is pseudonymization. Pseudonymization is defined in Article 4(5) of the GDPR as:

“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

In other words, pseudonymization is the process of replacing identifying or sensitive data with a pseudonym. TokenEx’s Cloud Security Platform does just that via tokenization—the process of replacing sensitive data with a nonsensitive token. TokenEx’s cloud tokenization successfully pseudonymizes data while outsourcing the risk and security concerns of internal data storage, and many of our existing customers already use this technology to comply with Payment Card Industry Data Security Standard requirements.

Pseudonymization may also enable processing of personal data beyond the purpose for which it was originally collected. The GDPR requires that personal data be collected only for “specific, explicit, and legitimate purposes,” although further processing may be permissible if it is compatible with the original purpose. Article 6(4) describes the factors that must be taken into account when determining if further processing is compatible, including “the existence of appropriate safeguards, which may include encryption or pseudonymization.”

TokenEx’s Cloud Security Platform can help your organization comply with the GDPR and maintain the business utility of your data by pseudonymizing sensitive information at the point where it enters your system. Our flexible technologies and methodologies make tokenizing, encrypting, and data vaulting work with any acceptance channel your organization uses. For more information, contact us at

Topic(s): compliance , pseudonymization , GDPR , privacy

Keep Up With Our PCI & Privacy Blog