The EDPS and the Spanish data protection authority (the AEPD) published a joint paper on "10 misunderstandings related to anonymisation" to provide for guidance for organisations using anonymisation as a means to protect personal data, e.g. for transfers. After briefly bringing the reader up to speed as to what anonymisation is and why it is relevant for various sectors, the EDPS and AEPD give attention to the following 10 "misunderstandings":
- "Pseudonymsation and anonymisation are the same": False, as pseudonymisation allows for identification of individuals, anonymisation does not (if done correctly).
- "Encryption is anonymisation": False, as encryption is a technical means to prevent access to data, but does not render it unidentifiable.
- "Anonymisation of data is always possible": False, as datasets may become useless under specific circumstances if the data is anonymised.
- "Anonymisation is forever": False, as new technologies or additional data may allow for re-identification in the future.
- “Anonymisation always reduces the probability of re-identiﬁcation of a dataset to zero": False, although this is the desired outcome of anonymisation measures, this cannot be guaranteed in all cases.
- "Anonymisation is a binary concept that cannot be measured": False, as it is possible to measure and analyze the degree of anonymisation.
- "Anonymisation can be fully automated": False, as human expert intervention is required together with automated technological tools.
- "Anonymisation makes the data useless": False - if done properly, the datasets can still be used for the intended purpose.
- "Following an anonymisation process that others used successfully will lead our organisation to equivalent results": False, as the process needs to be tailored for the specific purpose, data, risks etc.
- "There is no risk and no interest in ﬁnding out to whom this data refers to": False, as (personal) data is of great value and re-identiﬁcation may be of risk for individuals' rights and freedoms.
All in all the paper is an interesting read even for privacy pros, but particularly for organisations using or planning to use anonymisation techniques.