Anonymize data: how to do ?

According to the CNIL (National Commission of the’and freedoms), anonymization refers to processing that aims to guarantee respect for the privacy of an individual by preventing their identification by means of a set of data. It is one of the solutions that make it possible to use personal data without infringing the rights and freedoms of natural persons. How to implement it ?

What are the techniques of’anonymization of’personal data ?

I’anonymization of personal data allows them reuse while ensuring the privacy of their owners. It also makes it possible to store them beyond the established shelf life.

To effectively anonymize personal data, it is necessary to observe several rules:

• Analyze the relevance of the information to determine which must be retained;
• Delete the elements making the data subject very easily identifiable;
• Categorize the information in order of importance with a view to deleting those which are useless;
• Delineate the tolerable fineness for any retained information.

Only in this way will it be possible to choose the technique’appropriate anonymization. There are two main types.

Randomization

There randomization is an anonymization technique that consists of destroy the link between personal data and an individual. Specifically, it involves making changes to attributes in a data set. Aiming to make the information less precise, this process does not impact its general distribution.

Adding several centimeters to the actual height of individuals and swapping their date of birth data are examples of randomization.

The generalization

There generalization involves the dilution of personal data by changing its scale or magnitude. Making it possible to make attributes common to the people concerned, this anonymization technique prevents the isolation of an individual in a data set.

By way of illustration, instead of indicating the date of birth of people in a database, it is possible to enter only the year.

It should be noted, however, that these techniques ofdata anonymization are not not infallible. It is therefore in everyone’s interest to learn how to protect their personal data.

How to anonymize a database ?

I’anonymization of private databases must meet certain conditions. In particular, it is necessary to replace sensitive data with fictitious information before it is disseminated. It is also appropriate to delete any unnecessary personal data outside of production.

Additionally, it is important to comply with GDPR (General Data Protection Regulation) compliance requirements for non-production environments.

The most common way to anonymize a database is toabolish fields containing personal data. It can be a IP adress, of one social Security number, etc. Most of the time, however, this action results in the deletion of useful data such as geographical information.

Another solution is to replace personal data fields with new information. In this case, however, it remains possible to re-identify the individuals concerned by combining several databases.

With particular regard to the anonymization of data in non-production environments like test or development, GDPR recommends masking or thestatic anonymization. This process prevents access to sensitive data thanks to their replacement by information that approaches it without however presenting any utility.

Anonymization is not the only solution to preserve sensitive data. For example, it is also possible to use the method of encryption. The latter can also be applied for a database as well as for a mobile device.

To find out more, do not hesitate to read the article which indicates how to protect your personal data on your smartphone.

How to anonymize cloud data ?

We mentioned in another article that the risk for personal data is among the disadvantages of cloud computing. To limit it,data anonymization stored in the computing cloud is crucial.

In this case, data processing can also be based on the masking. Making the original data disappear, thestatic anonymization is primarily at the service of right to be forgotten. I’Article 26 of the GDPR provides that the Masking deletes the subjugation of this European regulation.

This is a particularly interesting solution for companies, because it will allow them to fully benefit from the advantages of cloud computing.