Anonymization of data and the new Guide published by the AEPD
On November 2, 2022, the Spanish Data Protection Agency (AEPD) published a "Basic guide to anonymization", originally prepared by Singapore's Personal Data Protection Commission (PDPC) and translated into Spanish with that authority's collaboration, given its relevance and didactic value for data controllers, data processors and data protection officers at the local level as well.
The Guide's main objective is to provide practical guidelines and recommendations on how to anonymize and de-identify data.
The Guide is also complemented by a free, downloadable tool intended to let organizations of any size correctly anonymize the data they process, applying simple techniques to achieve the intended result.
What is data anonymization?
Data anonymization is the process by which a data set ceases to relate to an identified or identifiable natural person; its purpose is to give individuals stronger privacy guarantees when companies process their data (Recital 26 of the General Data Protection Regulation, GDPR).
In more technical terms, it is a process by which the data are altered, by removing, generalizing or otherwise transforming the identifiers and quasi-identifiers they contain, so that identifying the person the data concern is no longer reasonably possible. Note that merely encoding or encrypting identifiers is not anonymization: as long as a key or mapping exists that reverses the transformation, the data are pseudonymized, not anonymized.
Anonymization vs. pseudonymization
The main difference between anonymization and pseudonymization is that, while applying anonymization techniques produces a single new data set, pseudonymization produces two: (a) the pseudonymized data, in which the direct identifiers have been replaced and which are therefore not attributable on their own to an identified or identifiable natural person, and (b) additional information (a key or lookup table) that allows the process to be reversed and the data subject re-identified.
In other words, data are considered anonymized to the extent that the process cannot be reversed and there is no reasonable likelihood that the person concerned can be identified, which is why such data fall outside the scope of the GDPR. Pseudonymized data, on the other hand, remain personal data, since the process can be reversed and the link to the individual has not been removed: alongside the pseudonymized data there is additional information that, although stored separately and subject to technical and organizational measures, would lead to the identification of individuals if used.
Recommendations of the AEPD on the anonymization of personal data
One of the AEPD's main recommendations for the proper anonymization of personal data, by large and small companies alike, is the use of the metric known as "k-anonymity", which allows a data controller to measure or check the actual effectiveness of an anonymization process applied to a data set. A data set is k-anonymous when every combination of quasi-identifier values (attributes such as age, postcode or sex that, taken together, could single out a person) is shared by at least k records, so that no individual can be distinguished from at least k-1 others.
k-anonymity can be achieved through two operations: generalization or elimination (suppression) of data. Generalization replaces specific values with broader ones (an exact age with an age range, a full postcode with its first digits); suppression removes the values or records that would otherwise remain unique. In both cases the relevant data are preserved and no new or erroneous data are introduced.
Notwithstanding the above, achieving a good level of k-anonymity may entail a loss of data fidelity, which is irrelevant if the data lost are not needed for the purpose of the processing. Where relevant information is lost, a balance must be struck between the risk of the data subjects being identified and the loss of fidelity in the result.
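To make the k-anonymity check, the generalization and suppression steps, and the fidelity trade-off concrete, the following is an added example written for this article. It is not code from the AEPD or PDPC guide nor from the tool that accompanies it; the records, column names, age bands and postcode truncation rules are constructed assumptions.

```python
"""Measuring and achieving k-anonymity on a small constructed data set.

Added example for this article; not the guide's or the tool's own code.
"""
from collections import Counter

# Constructed sample records (assumption). age, zip and sex are treated as
# quasi-identifiers; diagnosis is the sensitive attribute we want to keep.
QUASI_IDENTIFIERS = ("age", "zip", "sex")

RECORDS = [
    {"age": 29, "zip": "28001", "sex": "F", "diagnosis": "flu"},
    {"age": 31, "zip": "28004", "sex": "F", "diagnosis": "asthma"},
    {"age": 34, "zip": "28008", "sex": "M", "diagnosis": "flu"},
    {"age": 37, "zip": "28009", "sex": "M", "diagnosis": "diabetes"},
    {"age": 42, "zip": "08001", "sex": "F", "diagnosis": "flu"},
    {"age": 45, "zip": "08005", "sex": "F", "diagnosis": "asthma"},
    {"age": 48, "zip": "08010", "sex": "M", "diagnosis": "flu"},
    {"age": 71, "zip": "41001", "sex": "M", "diagnosis": "cancer"},
]


def _key(record, quasi_identifiers):
    """The combination of quasi-identifier values that defines a record's class."""
    return tuple(record[q] for q in quasi_identifiers)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return k: the size of the smallest equivalence class in the data set.

    An equivalence class is the set of records sharing one combination of
    quasi-identifier values. The data set is k-anonymous for this k; an empty
    data set has no classes and returns 0.
    """
    classes = Counter(_key(r, quasi_identifiers) for r in records)
    return min(classes.values()) if classes else 0


def generalize(record, age_band=10, zip_digits=2, keep_sex=True):
    """Generalization: replace specific values with broader, still-true ones.

    age  -> a band of `age_band` years, e.g. 29 -> "20-29"
    zip  -> first `zip_digits` digits, remainder masked with '*'
    sex  -> kept, or fully suppressed as '*' when keep_sex is False
    No new or false values are introduced; each value only loses precision.
    """
    lo = (record["age"] // age_band) * age_band
    zip_code = record["zip"]
    return {
        "age": f"{lo}-{lo + age_band - 1}",
        "zip": zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits),
        "sex": record["sex"] if keep_sex else "*",
        "diagnosis": record["diagnosis"],
    }


def suppress_small_classes(records, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Suppression: drop every record whose class has fewer than k members.

    Outliers that generalization alone cannot hide are removed rather than
    replaced with fabricated values.
    """
    classes = Counter(_key(r, quasi_identifiers) for r in records)
    return [r for r in records if classes[_key(r, quasi_identifiers)] >= k]


def anonymize(records, k, age_band=10, zip_digits=2, keep_sex=True):
    """Generalize, then suppress what is still too rare.

    Returns (kept_records, achieved_k, fidelity) where fidelity is the share
    of original records that survived suppression.
    """
    generalized = [generalize(r, age_band, zip_digits, keep_sex) for r in records]
    kept = suppress_small_classes(generalized, k)
    fidelity = len(kept) / len(records) if records else 0.0
    return kept, k_anonymity(kept), fidelity


if __name__ == "__main__":
    print("raw data set k =", k_anonymity(RECORDS))
    for label, kwargs in (("fine", {}), ("coarse", {"age_band": 20, "keep_sex": False})):
        kept, k, fidelity = anonymize(RECORDS, 2, **kwargs)
        print(f"{label}: kept {len(kept)}/{len(RECORDS)} records, k={k}, fidelity={fidelity:.2f}")
```

On the constructed data, every raw record is unique (k=1). With 10-year age bands and two postcode digits, four records are still unique after generalization and are suppressed to reach k=2, so half the data are lost; with 20-year bands and sex suppressed, only one record must be dropped and the result is 3-anonymous. That is the fidelity trade-off the text describes: coarser generalization keeps more records but each carries less detail. Note that k-anonymity only measures linkage risk through the quasi-identifiers; a class in which every record shares the same diagnosis would still reveal that diagnosis for everyone in it, so the sensitive column needs its own review.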
Midiala Fernández is an IP/IT Lawyer
She has developed her professional career in the field of Intellectual Property, Industrial Property and New Technologies. She also provides legal advice on specific matters such as e-commerce, privacy and data protection, marketing and advertising, unfair competition and cybersecurity.