Anonymization

Understanding GDPR

Shalini Kurapati, CIPP/E

Co-founder and CEO, Clearbox AI

Anonymized data

  • Not related to an identified or identifiable natural person
  • Truly anonymous data cannot be re-identified
  • Falls outside GDPR scope
  • Effective way to harness data, compliant with GDPR

Anonymization techniques

  • Aggregation - data as totals
  • Perturbation - slight value modification
  • Data swapping or shuffling - rearranging individual attributes
  • Record suppression - removal of an entire record

Risks of re-identification

Illustration of a group of faceless individuals with a question mark on each of their faces.

  • Anonymization should not allow re-identification
  • New technologies, powerful computational resources
  • Anonymous data may not be truly anonymous
  • Impact on sharing, reusing, or monetizing
1 Rocher, L., Hendrickx, J.M. & de Montjoye, YA. Estimating the success of re-identifications in incomplete datasets using generative models. Nat Commun 10, 3069 (2019). https://doi.org/10.1038/s41467-019-10933-3

Anonymous DNA donors?

Illustration of a DNA.

  • Genealogy databases with genetic profiles
  • Individual identity removed - claimed to be anonymous
  • Combo of public genetic resources and information like time of donation
  • Not so anonymous donors
1 John Bohannon, Genealogy Databases Enable Naming of Anonymous DNA Donors, Science, Vol. 339, No. 6117 (18 January 2013), p. 262.

Key considerations

Illustration of three question marks.

  1. Can I single out an individual? (Singling out)
  2. Can I link records related to an individual? (Linkability)
  3. Can I infer information about an individual? (Inference)
1 ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 05/2014 on Anonymisation Techniques
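
An added example, not part of the original slides: it tests the singling-out and inference questions above on a small constructed table and applies record suppression from the techniques slide. The column names, sample rows, quasi-identifier choice and threshold k are assumptions.

```python
from collections import defaultdict

# Constructed sample rows; column names are assumptions for illustration.
RECORDS = [
    {"zip": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "10115", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"zip": "10117", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "10117", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "10119", "birth_year": 1962, "sex": "F", "diagnosis": "cancer"},
]
QUASI_IDS = ("zip", "birth_year", "sex")


def classes(records, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[q] for q in quasi_ids)].append(rec)
    return groups


def singled_out(records, quasi_ids):
    """Singling out: records whose quasi-identifier combination is unique."""
    return [g[0] for g in classes(records, quasi_ids).values() if len(g) == 1]


def inferable(records, quasi_ids, sensitive):
    """Inference: groups of 2+ where every member shares one sensitive value."""
    return {key: g[0][sensitive]
            for key, g in classes(records, quasi_ids).items()
            if len(g) > 1 and len({r[sensitive] for r in g}) == 1}


def suppress(records, quasi_ids, k=2):
    """Record suppression: drop every record in a group smaller than k."""
    return [r for g in classes(records, quasi_ids).values()
            if len(g) >= k for r in g]


if __name__ == "__main__":
    print("singled out:", singled_out(RECORDS, QUASI_IDS))
    kept = suppress(RECORDS, QUASI_IDS, k=2)
    print("kept after suppression:", len(kept), "of", len(RECORDS))
    print("still inferable:", inferable(kept, QUASI_IDS, "diagnosis"))
```

Suppression removes the two unique rows, yet the remaining group whose members all share one diagnosis still permits inference, so passing the singling-out check alone does not make the table anonymous.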

Utility and data protection

Illustration of the privacy and utility trade-off. The higher the privacy, the lower the utility, and vice versa.

  • Privacy-utility trade-off
  • Fully anonymous data is hard to achieve
  • Evolving risks, state-of-the-art measures, privacy by design
1 Dr. Prokopios DROGKARIS, European Union Agency for Cybersecurity (ENISA), On overview of existing pseudonymisation techniques, IPEN Webinar 2021

Let's practice!
