GDPR - Is anonymizing sufficient to address right to erasure?

Mark Meer

Trusted Information Resource
#1
Hypothetical situation:
You are collecting a bunch of customer account data, for example: name, address, items purchased, and dates of purchase.

Now a customer requests their data be erased.

Under GDPR (or any other privacy regulation), would it be sufficient to just anonymize their data (i.e. purge the name and address, but keep a history of purchased items), or do you have to necessarily purge everything related to the customer in response to such requests?
 

MrTetris

Involved In Discussions
#2
Once you delete name and address (and any reference that could link the order to the customer who placed it), the list of purchased items and addresses can be considered records from purchases dept. for your internal statistics, and not personal data anymore. So I would say that in this case you can keep a history of purchase items, but you need to pay attention that your anonymization is a real anonymization, and not just a pseudonymization. In other words, all personal data and links between orders and customers must be deleted.
 

Mark Meer

Trusted Information Resource
#3
"...but you need to pay attention that your anonymization is a real anonymization, and not just a pseudonymization. In other words, all personal data and links between orders and customers must be deleted."
Can you elaborate (or link to a good source) on the distinction between real anonymization and pseudonymization?

In my hypothetical example, we'd clear the name and street-address fields, but keep all the other data. This would include country, state, and city information of the address (because we'd like to keep data on what was sold & where).
 

dsheaffe

Involved In Discussions
#4
Pseudonymisation is a method where you substitute identifiable data with reversible consistent data (e.g., you update your records to change every 'John Smith' for 'Tom Jones'). With this method it is possible to reverse engineer the data back to the original information (if you know the substitution routine). To anonymise data is to destroy identifiable data (e.g., replacing 'John Smith' with different random characters for each instance). In your case, if you are actually deleting the names and addresses, then it would be anonymised.
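The distinction drawn in post #4, as an added example that is not part of the original thread: consistent substitution keeps a customer's orders linkable and reversible through the mapping table, while a fresh random value per row does not. The sample rows, the function names and the final check on the retained city/state/country fields (the hypothetical from post #3) are assumptions made for illustration.

```python
import secrets
from collections import Counter

# Constructed sample rows: (name, street, city, state, country, item)
ORDERS = [
    ("John Smith", "1 Elm St", "Austin", "TX", "US", "widget"),
    ("John Smith", "1 Elm St", "Austin", "TX", "US", "gasket"),
    ("Ann Lee", "9 Oak Ave", "Austin", "TX", "US", "widget"),
    ("Raj Patel", "4 Mill Rd", "Marfa", "TX", "US", "valve"),
]

def pseudonymise(rows):
    """Consistent substitution: the same name always maps to the same token.
    Returns the rewritten rows and the mapping table that reverses them."""
    mapping, out = {}, []
    for name, _street, *rest in rows:
        token = mapping.setdefault(name, "cust-" + secrets.token_hex(8))
        out.append((token, *rest))
    return out, mapping

def reidentify(pseudo_rows, mapping):
    """Anyone holding the mapping table recovers the original names."""
    reverse = {token: name for name, token in mapping.items()}
    return [reverse[row[0]] for row in pseudo_rows]

def anonymise(rows):
    """Fresh random value per row, no mapping kept: nothing to reverse,
    and two orders by the same customer no longer share a key."""
    return [("anon-" + secrets.token_hex(8), *rest)
            for _name, _street, *rest in rows]

def linked_orders(rows):
    """Keys that appear on more than one row, i.e. orders still tied together."""
    counts = Counter(row[0] for row in rows)
    return {key: n for key, n in counts.items() if n > 1}

def small_location_groups(rows, threshold=2):
    """Retained (city, state, country) values shared by fewer than
    `threshold` rows; worth reviewing before calling the data anonymous."""
    counts = Counter(row[1:4] for row in rows)
    return sorted(loc for loc, n in counts.items() if n < threshold)

if __name__ == "__main__":
    pseudo, table = pseudonymise(ORDERS)
    anon = anonymise(ORDERS)
    print("pseudonymised, still linked:", linked_orders(pseudo))
    print("reversed with mapping table:", reidentify(pseudo, table))
    print("anonymised, still linked:", linked_orders(anon))
    print("locations with a single row:", small_location_groups(anon))
```
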
 