Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Simply removing direct and indirect personal identifiers isn’t enough to achieve de-identification of a dataset. Data controllers must also analyze the context in which the data is presented, as well as the risk of re-identification. Not only that, but technical methods for performing de-identification are not prescribed by law, but rather are often left to the discretion of the data controller. So how do you limit risk of re-identification and respond quickly with appropriate technical methods of de-identification?
This article focuses on the practical challenges of meeting de-identification standards, including both GDPR’s heightened standard for anonymization, as well as meeting more traditional standards tied to the likelihood of re-identification.