The University of Southampton
University of Southampton Institutional Repository

Bridging policy, regulation and practice? A techno-legal analysis of three types of data in the GDPR

Bridging policy, regulation and practice? A techno-legal analysis of three types of data in the GDPR
Bridging policy, regulation and practice? A techno-legal analysis of three types of data in the GDPR
The paper aims to determine how the General Data Protection Regulation (GDPR) could be read in harmony with Article 29 Working Party’s Opinion on anonymisation techniques. To this end, based on an interdisciplinary methodology, a common terminology to capture the novel elements enshrined in the GDPR is built, and, a series of key concepts (i.e. sanitisation techniques, contextual controls, local linkability, global linkability, domain linkability) followed by a set of definitions for three types of data emerging from the GDPR are introduced. Importantly, two initial assumptions are made: 1) the notion of identifiability (i.e. being identified or identifiable) is used consistently across the GDPR (e.g. Article 4 and Recital 26); 2) the Opinion on Anonymisation Techniques is still good guidance as regards the classification of re-identification risks and the description of sanitisation techniques. It is suggested that even if these two premises seem to lead to an over-restrictive approach, this holds true as long as contextual controls are not combined with sanitisation techniques. Yet, contextual controls have been conceived as complementary to sanitisation techniques by the drafters of the GDPR. The paper concludes that the GDPR is compatible with a risk-based approach when contextual controls are combined with sanitisation techniques.
GDPR, Data Anonymisation, Risk Assessment
Hart
Hu, Runshan
18986f90-49c4-430e-8047-3bf6b2be61c3
Stalla-Bourdillon, Sophie
c189651b-9ed3-49f6-bf37-25a47c487164
Yang, Mu
9f619568-bfc7-44cf-b1b1-010e0b35eb68
Schiavo, Valeria
225f24de-a5ed-4cd1-a9d7-ac4d2cdfcfb4
Sassone, Vladimiro
df7d3c83-2aa0-4571-be94-9473b07b03e7
Leenes, Ronald
van Brakel, Rosamunde
Gutwirth, Serge
De Hert, Paul
Hu, Runshan
18986f90-49c4-430e-8047-3bf6b2be61c3
Stalla-Bourdillon, Sophie
c189651b-9ed3-49f6-bf37-25a47c487164
Yang, Mu
9f619568-bfc7-44cf-b1b1-010e0b35eb68
Schiavo, Valeria
225f24de-a5ed-4cd1-a9d7-ac4d2cdfcfb4
Sassone, Vladimiro
df7d3c83-2aa0-4571-be94-9473b07b03e7
Leenes, Ronald
van Brakel, Rosamunde
Gutwirth, Serge
De Hert, Paul

Hu, Runshan, Stalla-Bourdillon, Sophie, Yang, Mu, Schiavo, Valeria and Sassone, Vladimiro (2017) Bridging policy, regulation and practice? A techno-legal analysis of three types of data in the GDPR. In, Leenes, Ronald, van Brakel, Rosamunde, Gutwirth, Serge and De Hert, Paul (eds.) Data Protection and Privacy: the Age of Intelligent Machines. (Computers, Privacy and Data Protection, 10) Haywards Heath. Hart.

Record type: Book Section

Abstract

The paper aims to determine how the General Data Protection Regulation (GDPR) could be read in harmony with Article 29 Working Party’s Opinion on anonymisation techniques. To this end, based on an interdisciplinary methodology, a common terminology to capture the novel elements enshrined in the GDPR is built, and, a series of key concepts (i.e. sanitisation techniques, contextual controls, local linkability, global linkability, domain linkability) followed by a set of definitions for three types of data emerging from the GDPR are introduced. Importantly, two initial assumptions are made: 1) the notion of identifiability (i.e. being identified or identifiable) is used consistently across the GDPR (e.g. Article 4 and Recital 26); 2) the Opinion on Anonymisation Techniques is still good guidance as regards the classification of re-identification risks and the description of sanitisation techniques. It is suggested that even if these two premises seem to lead to an over-restrictive approach, this holds true as long as contextual controls are not combined with sanitisation techniques. Yet, contextual controls have been conceived as complementary to sanitisation techniques by the drafters of the GDPR. The paper concludes that the GDPR is compatible with a risk-based approach when contextual controls are combined with sanitisation techniques.

Text
Bridging Policy, Regulation and Practice? A techno-legal Analysis of Three Types of Data in the GDPR - Accepted Manuscript
Download (414kB)
Text
CPDP2017_final - Version of Record
Download (555kB)

More information

Accepted/In Press date: 13 July 2017
Published date: 28 December 2017
Keywords: GDPR, Data Anonymisation, Risk Assessment

Identifiers

Local EPrints ID: 413577
URI: http://eprints.soton.ac.uk/id/eprint/413577
PURE UUID: 8536f988-2276-42bb-84e1-92d3dfbe478a
ORCID for Runshan Hu: ORCID iD orcid.org/0000-0002-5209-8850
ORCID for Mu Yang: ORCID iD orcid.org/0000-0001-9442-9243

Catalogue record

Date deposited: 29 Aug 2017 16:30
Last modified: 14 May 2020 00:26

Export record

Contributors

Author: Runshan Hu ORCID iD
Author: Mu Yang ORCID iD
Author: Valeria Schiavo
Author: Vladimiro Sassone
Editor: Ronald Leenes
Editor: Rosamunde van Brakel
Editor: Serge Gutwirth
Editor: Paul De Hert

University divisions

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of http://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×