Data anonymization, an urgency in the GDPR era

The new Data Protection Regulation (RGPD) brings profound and unprecedented changes to the way organizations manage data. There is virtually no comparable piece of legislation, both in terms of scope and penalties. The RGPD concerns all forms of organization (large or small companies, public or private, associations...), wherever they may be in the world, as long as they process personal data of European residents. Penalties for non-compliance can range up to €20 million or 4% of the worldwide turnover of the company concerned (whichever is higher).

Beyond the financial penalties, the RGPD presents other considerable stakes as it very precisely frames personal data, known to be the oil of our era. It's obviously hard to deny the central place that data occupies in value creation; this, both for the development of new services, and for the improvement of existing ones. The RGPD thus applies to all processing of personal data (collection, recording, organization, storage...), and can, in certain cases, prohibit their implementation, and even impose the deletion of collected data. For example, one of the principles of the RGPD is the retention period limitation, which prohibits the retention of data beyond a certain duration; they will then have to be deleted or archived with restricted access.

In order to avoid the constraints of the RGPD without depriving oneself of the benefits of data, the only alternative provided by the regulation is data anonymization. Indeed, for the RGPD, anonymized data is equivalent to deleted data, and the principles of the RGPD no longer apply. This is because anonymization transforms personal data into data that is no longer personal.

However, implementing anonymization requires special precautions, due to the significant risks involved. Unfortunately, anonymization is still the subject of a great deal of confusion and preconceived ideas on the part of many data stakeholders. Among the most notable confusions are the use of pseudonymization (e.g., "data masking") in place of anonymization, and confusion between anonymization and encryption. Indeed, history records numerous cases of poor anonymization, using pseudonymized data instead of anonymous data, which led to serious breaches of privacy. Examples include the pseudonymized data of New York cabs, which made it possible to identify strip bar customers; or the case of health data published by an insurance agency in the USA, which in 1997 made it possible to re-identify the governor of the state of Massachussetts, by tracking down the illness from which he was suffering. These risks led the G29 (Group of European Data Protection Authorities) to publish an opinion on anonymization techniques in 2014