How do you know if claims about your customer data being ‘de-identified’ hold true?
If you are using de-identification:
- as a data security risk management strategy (e.g. to protect data in transit, or data you no longer need), or
- to enable you to do something with your data that privacy laws would otherwise prevent you from doing if the data was identifiable (such as release it publicly or share it with a third party),
you need to assess the risk of re-identification.
But re-identification risks are notoriously difficult to estimate, especially for public releases, because you don’t know what the cumulative effect of later releases from other organisations will be. Every big data breach makes that risk higher, by putting more and more customer records into the hands of bad actors.
As part of a PIA or privacy advice, our Associate Chris Culnane can test for re-identification risks from your dataset. Contact us if you would like to know more.
For guidance or training for privacy advisors about de-identification, see our De-identification Bundle of resources.
