Privacy protection by anonymizing and pseudonymizing data (part 2/3)

In our first article, you were able to read what the AVG says about customer privacy. In this article, we zoom in on the potentially traceable data your organization holds and how to identify it.

Inventory the types of data you maintain

There are several types of personal data available within your company:

  1. Regular personal data, such as name, address, place of residence, zip code, date of birth, gender, customer number, etc.
  2. Special personal data, such as health data, etc.
  3. Sensitive personal data, such as bank account numbers, etc.

To minimize risks, we distinguish between personal data that enable identification of a person and personal data that can be analyzed independently of a person (e.g., as a process):

personal data overview - Privacy protection by anonymizing and pseudonymizing data

In addition to the examples in the table above, organizations may have personal data because customers use so-called open text fields. For example, people often leave their contact information in a comment field because they cannot find the contact form. The type of information that may appear in an open field determines the approach needed to ensure privacy. In doing so, the information value of an open field for analysis or reporting is not necessarily lost. It is therefore important that organizations handle this information with extreme care.

A distinction is also made between directly and indirectly identifying data. This distinction is not explicitly described in the AVG, but is made with the approval of the CBP in the "Code of Conduct on the Use of Personal Data in Scientific Research. Directly identifying data are, for example, BSNs that uniquely identify a person. Indirectly identifying data are zip codes or dates of birth.

Note: When you combine data, it's almost always clear who the person is. Research shows that a combination of three or four indirectly identifying data stored in aggregate form (such as zip code, age, gender, etc.) can lead to an identification of a (natural) person.

Discover privacy-sensitive data? For example, work with regular expressions

Regular expressions (RegEx) are available within most programming languages and help identify sensitive data. These include e-mail addresses, dates, BSNs or credit card information, for example. If your organization lacks sufficient tools and/or expertise in data management (such as data dictionaries), regular expressions can assist in defining personal data.

In our latest article, we'll take a closer look at some of the functional possibilities for which you can use regular expressions.

Contact

Want to know more about this topic? Then contact Jeroen Groothedde or Michaela Legerstee using the contact information below.

Michaela Legerstee, Senior Consultant

+31 6 31 00 52 81

m.legerstee@cmotions.com

Jeroen Groothedde, Senior Consultant

+31 6 22 88 89 98

j.groothedde@cmotions.com

Recent posts

Automating sales proposals with AI

Automating sales proposals with AI

Discover how AI improves sales proposal automation. Using Microsoft Copilot Studio, we streamline workflows and increase efficiency by integrating AI-driven tools. Learn more about the benefits and challenges of this innovative approach.

read more