Guide on the procedures for data anonymisation


Since the entry into force of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and Organic Law 3/2018 on Data Protection and the Guarantee of Digital Rights (LOPDGDD), the processing of personal data must be carried out under the principles of proactive responsibility and a risk-based approach.

In this context, anonymisation has become a key tool to minimise the risks derived from the processing of personal information and to enable its subsequent use (for example, for statistical, research, or analytical purposes) without compromising individuals’ rights.

The Spanish Data Protection Agency (AEPD) published its guidance ‘Orientations and Safeguards in Data Anonymisation Processes’, which provides technical and legal criteria on how to properly anonymise data and assess the risk of re-identification.

Data anonymisation methods

The AEPD points out that absolute anonymisation does not exist: the possibility of re-identification depends on context, available data sets, and technological developments. In practice, data will be considered anonymised insofar as there is no reasonable likelihood that any person could identify the data subject within the data set.

Therefore, every anonymisation process must be based on the following principles:

  • Assessing the risk of re-identification (likelihood and impact);
  • Applying appropriate technical and organisational measures to mitigate such risk;
  • Documenting the entire process (proactive accountability principle);
  • Regularly reviewing the effectiveness of the techniques used.

Furthermore, the GDPR requires the incorporation of anonymisation or pseudonymisation ‘by design and by default’ (Article 25 GDPR).

In which cases is it necessary to anonymise personal data

According to current AEPD guidance, the recommended phases for a responsible anonymisation process are:

a) Planning and definition of objectives

The controller must define the purpose of the data to be anonymised and determine whether that purpose can be achieved using anonymised data.

It is advisable to document this decision and consider alternatives such as pseudonymisation or data aggregation.

b) Analysis and assessment of re-identification risks

A detailed analysis should identify:

  • Possible re-identification vectors (direct or indirect).
  • External data sets that could enable re-identification.
  • The acceptable risk threshold.

In certain cases, a Data Protection Impact Assessment (DPIA) may be required pursuant to Article 35 GDPR.

c) Selection and application of appropriate techniques

Among the anonymisation techniques most commonly used and recommended by the AEPD and the European Data Protection Board (EDPB) are:

  • Generalisation or data aggregation (reducing the level of detail).
  • Perturbation or random noise injection.
  • Suppression or masking of key variables.
  • k-anonymity, l-diversity, or t-closeness, depending on context and data volume.

Using combined techniques increases the robustness of the process.

d) Validation and verification of results

The effectiveness of the anonymisation must be tested, for instance, through:

  • Re-identification testing (motivated intruder test).
  • Internal or external audits.
  • Comparison with defined risk thresholds.
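
As an added illustration (not part of the AEPD guidance or of the original article), the Python example below applies the generalisation and suppression techniques from phase c) to a small constructed data set, then performs the phase d) comparison by measuring k-anonymity and l-diversity against thresholds. The field names, records, thresholds, and the use of 1/k as worst-case re-identification risk are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"age": 34, "postcode": "28013", "diagnosis": "asthma"},
    {"age": 36, "postcode": "28015", "diagnosis": "diabetes"},
    {"age": 38, "postcode": "28019", "diagnosis": "asthma"},
    {"age": 52, "postcode": "08001", "diagnosis": "flu"},
    {"age": 57, "postcode": "08003", "diagnosis": "flu"},
    {"age": 71, "postcode": "41004", "diagnosis": "cancer"},
]
QUASI_IDS = ("age", "postcode")   # indirect identifiers
SENSITIVE = "diagnosis"

def generalise(rec):
    """Generalisation: 10-year age bands, postcode cut to its first 2 digits."""
    low = rec["age"] // 10 * 10
    return {**rec, "age": f"{low}-{low + 9}", "postcode": rec["postcode"][:2] + "***"}

def classes(records):
    """Group records sharing the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in QUASI_IDS)].append(r)
    return list(groups.values())

def k_anonymity(records):
    """Size of the smallest equivalence class."""
    return min(len(g) for g in classes(records))

def l_diversity(records):
    """Fewest distinct sensitive values found in any equivalence class."""
    return min(len({r[SENSITIVE] for r in g}) for g in classes(records))

def suppress_small_classes(records, k):
    """Suppression: drop records whose class has fewer than k members."""
    return [r for g in classes(records) if len(g) >= k for r in g]

def assess(records, max_risk, min_l):
    """Compare worst-case risk (assumed 1/k) and l against the thresholds."""
    k, l = k_anonymity(records), l_diversity(records)
    return {"k": k, "l": l, "risk": 1 / k, "ok": 1 / k <= max_risk and l >= min_l}

if __name__ == "__main__":
    generalised = [generalise(r) for r in RECORDS]
    kept = suppress_small_classes(generalised, k=2)
    print(assess(RECORDS, 0.5, 2))   # raw data
    print(assess(kept, 0.5, 2))      # after generalisation + suppression
```

In this constructed data the processed set reaches k = 2 but still fails the l-diversity threshold, because one equivalence class contains a single diagnosis value, so the sensitive attribute is disclosed even though no individual record is singled out.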

e) Documentation and maintenance

The process, decisions taken, and results should all be properly documented.

It is also recommended to establish internal anonymisation policies and periodic reviews to ensure that the data remain anonymised over time.

Techniques recommended by the AEPD

The AEPD recommends implementing the following additional measures to strengthen data protection:

  • Confidentiality agreements and commitments of non-reidentification with recipients of anonymised data.
  • Codes of conduct and certification mechanisms (Articles 40 and 42 GDPR).
  • Segregation of processing environments, ensuring that anonymised data are not mixed with personal data.
  • Specialised training for personnel involved in anonymisation processes.
  • Periodic audits to verify the effectiveness of measures and overall quality of the process.

Anonymisation has become an essential component of regulatory compliance and of privacy-by-design and by-default strategies. However, it should be understood as a continuous technical and legal process, not as a single or definitive action.

Adopting a rigorous and well-documented approach, consistent with the guidance of the AEPD and the GDPR, enables organisations to minimise risks, facilitate lawful data reuse, and safeguard individuals’ rights.
