Columnist Camilla Ravazzolo Anonymising data F identify the natural person, account should be taken of all ollowing the publication of the data-sharing code of objective factors, such as the costs of and the amount of practice, the Information Commissioners Office (ICO) time required for identification, taking into consideration the is now working on guidance on anonymisation, available technology at the time of the processing and pseudonymisation, and privacy-enhancing technologies. technological developments. The guidance will explore the legal, policy and governance But how can controllers anonymise data? Organisations efforts issues around the application of anonymisation and to adapt and keep up with the data protection legislation have pseudonymisation in the context of data protection law. In so been restless, and the concept of pseudonymisation as a mere doing, it will clarify when personal data can be considered security measure has been mostly understood but when it anonymised, if it is possible to anonymise data adequately to comes to anonymisation, the struggle is real. reduce risks, and what the benefits of anonymisation and From an organisations operational standpoint, it all starts pseudonymisation might be. with terminology: are anonymous, anonymisation and The endeavour is commendable. The topic has been up for anonymised in the same league as anonymity? What are the debate for a long time, from the ICOs first attempt, processes that can achieve effective anonymisation? How can Anonymisation: managing data protection risk code of practice of anonymisation be upheld? More importantly, how effectively 2012, and the late Article 29 working partys (now European can these processes be presented Data Protection Board) Opinion on to small organisations, micro anonymisation techniques of 2014, to enterprises and sole traders who the Norwegian and Irish data dont have the means and the tools to protection authorities guidance on There is no cradle-to-grave investigate randomisation and anonymisation and pseudonymisation solution. There is a risk that generalisation, noise addition, of 2017 and 2019. some anonymisation processes permutation, differential privacy, The concept is straightforward: could be reverted in the future aggregation, and concepts anonymisation must be assessed including k-anonymity, l-diversity against the possibility of re-identifying and t-closeness? the data subject, while the test of re-identifiability leaves large room for A very good, clear and practical example came from a leaflet discussion. On the one side, the EU Article 29 working party published by the Spanish data protection authority and the aimed for a close-to-zero approach; on the other, the Court of European Data Protection Supervisor. Among the listed Justice of the European Union in 2016, in the case of Patrick 10 misunderstandings related to anonymisation, the most notable Breyer, held that if the identification of the data subject is points are: prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, Anonymisation of data is always possible in fact, it is not. It is cost and labour the risk of identification appears, in reality, to not always possible to lower the re-identification risk below a be insignificant. previously defined threshold while retaining a useful dataset Legislation followed, which is why the GDPR Recital 26 now for a specific processing reads: To determine whether a natural person is identifiable, Anonymisation is forever in fact, there is no cradle-to-grave account should be taken of all the means reasonably likely to be solution. There is a risk that some anonymisation processes used, such as singling out, either by the controller or by another could be reverted in the future person, to identify the natural person directly or indirectly. To Anonymisation always reduces the probability of ascertain whether means are reasonably likely to be used to re-identification of a dataset to zero it does not. A robust 52 Impact ISSUE 36 2022_pp52-53 Legal.indd 52 08/12/2021 10:21