Pseudonymisation in the context of GDPR-compliant medical research

Pseudonymisation is a data protection technique often used to protect the privacy of individuals when their personal data are being used for research purposes. Not only is it a key ingredient of the General Data Protection Regulation (GDPR) that requires organisations to ensure that the personal data they process is handled in a secure manner, but it is particularly important in assisting medical research given that often relies on sensitive personal data, since it reduces the risk that medical data could be misused or mishandled. For managing their medical data, it is important to ensure that such data are protected against unauthorised access, and can be reutilised in an anonymous fashion, while still authorised personnel is able to identify the study participant that some data belong to (e.g., for personalised interventions, technical alerts, technical support). In addition, the re-identification of a study participant is a pre-requisite for exercising their rights under the GDPR, since it assists organisations in meeting GDPR requirements (such as the right to access, rectify and portability of data). We argue that the application of pseudonymisation is particularly effective when considered during the early stages (Privacy by Design) of digital services implementation, as well as when defining the complementary to these organizational procedures. Aim of this paper is to present the way in which the pseudonymisation mechanism of the SMART BEAR H2020 project supports the triptych of research activities conducted within the context of an observational medical study, legal obligations arising from the regulatory framework for the protection of personal data, and reutilisation of data for research purposes. Evidence-based security and privacy assessments will be conducted on two different H2020 projects to evaluate such privacy practice.