Press Release

Cybersecurity to the Rescue: Pseudonymisation for Personal Data Protection

ENISA’s new report explores pseudonymisation techniques and use cases for healthcare and information sharing in cybersecurity

Published on January 28, 2021

Today, on the occasion of Data Protection Day 2021, the European Union Agency for Cybersecurity (ENISA) released its report on pseudonymisation for personal data protection - Data Pseudonymisation: Advanced Techniques and Use Cases - providing a technical analysis of cybersecurity measures in personal data protection and privacy. This new work builds on the Agency’s past work on pseudonymisation techniques and best practices by exploring further, advanced pseudonymisation techniques and specific use cases in such areas as healthcare and information sharing in cybersecurity.  

While not a new process, pseudonymisation came into the spotlight in 2018 with the enforcement of the General Data Protection Regulation (GDPR), which references pseudonymisation as a security and data protection by design mechanism. Although the deployment and proper application of data pseudonymisation techniques have become highly debated, the overall context of the processing is considered as an important aspect for implementation. Therefore, pseudonymisation should be combined with a thorough security and data protection risk assessment.

EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “Cybersecurity techniques are an integral part to meet data protection obligations, and allow users to enjoy fully their fundamental rights to personal data protection and privacy.”

As there is no one-size-fits-all pseudonymisation technique, a high level of competence is needed to reduce threats and maintain efficiency in processing pseudonymised data across different scenarios. The ENISA report aims to support data controllers and processors in implementing pseudonymisation by providing possible techniques and use cases that could fit different scenarios.

The report underlines the need to take steps that include the following:

  • Each case of personal data processing needs to be analysed to determine the most suitable technical option in relation to pseudonymisation;
  • An in-depth look into the context of personal data processing before data pseudonymisation is applied;
  • Continuous analysis of state-of-the-art in the field of data pseudonymisation, as new research and business models break new ground;
  • Developing advanced pseudonymisation scenarios for more complex cases, for example when the risks of personal data processing are deemed to be high;
  • Further discussion on the broader adoption of data pseudonymisation at EU and Member States levels alike.


The European Union Agency for Cybersecurity has been working in the area of privacy and data protection since 2014, by analysing technical solutions for the implementation of the GDPR, privacy by design and security of personal data processing. Since 2018, the Agency has been providing guidance on data pseudonymisation solutions to data controllers and processors.

In January 2019, the EU Agency for Cybersecurity issued recommendations on shaping technology according to GDPR provisions, providing an overview on data pseudonymisation. In November 2019, the Agency published a more detailed report on pseudonymisation techniques and best practices and co-organised a workshop with the Data Protection Authority of the German Federal State of Schleswig-Holstein (ULD) on pseudonymisation and relevant security techniques. ENISA is now focusing its work on the practical application of data pseudonymisation techniques. 

Earlier today, on 28 January, the EU Agency for Cybersecurity led a panel, “Securing Personal Data: The ‘New’ Normal”, at the 14th international Computers, Privacy and Data Protection (CPDP) conference. ENISA Cybersecurity Expert Prokopios Drogkaris moderated the virtual panel discussion on how COVID-19 affected the existing considerations related to the security of personal data processing. Featured panellists included Rosa Barcelo, Squire Patton Boggs; Cédric Lauradoux, INRIA, Fabian Prasser, Charité – Universitätsmedizin Berlin; Peter Kraus, EDPB . More information is available here: CPDP Computers, Privacy and Data Protection conference (

Further Information

ENISA webpage on Data Protection

Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation report

Data Pseudonymisation: Advanced Techniques and Use Cases

Pseudonymisation techniques and best practices report

ULD - ENISA Workshop: Pseudonymisation and relevant security technologies

Call for Papers for the Annual Privacy Forum 2021 (17-18 June 2021):

Call for Papers | Annual Privacy Forum 2021


For questions related to the press and interviews, please contact press (at)


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies