Hybrid Cloud
Cyber Security & NaaS
AI & Data
IoT & Connectivity
Business Applications
Intelligent Workplace
Consulting & Professional Services
Small Medium Enterprise
Health and Social Care
Industry
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Banking and Finance
Sports
Smart Cities
The importance of data anonymization
The protection of personal information has become a constant concern in today's digital age, where data has become an essential resource for businesses.
Companies collect a vast amount of customer and user data, ranging from contact details to purchasing habits and personal preferences. However, that's not all. It is often necessary to share this data set, either with external clients or Cloud services, for processing.
This is why it becomes vital to ensure the protection of sensitive information and avoid its exposure in these critical processes. But how can we leverage this information without compromising the privacy of the people involved?
Protecting people's privacy
Data anonymization emerges as a key solution to this dilemma. This technique is crucial for safeguarding the privacy of individuals, while enabling the analysis and sharing of data in a secure manner.
Data anonymization basically allows for the protection of personally identifiable information by removing or obfuscating sensitive data. The goal of data privacy is to maintain the full protection of the individuals whose data is included in the information set, and to minimize the risk of exposing confidential or sensitive information.
But what is meant by personal data? Article 4 of the General Data Protection Regulation defines it as 'any information relating to an identified or identifiable natural person', with Directive 95/46/EC clarifying this concept:
Generally speaking, a natural person can be considered 'identified' when, within a group of persons, he or she is 'distinguishable' from all other members of the group.
Consequently, a natural person is 'identifiable' when, even if he has not yet been identified, it is possible to do so.
A complicated and irreversible process
Many companies believe that by simply de-identifying data or using pseudonyms, the goal of anonymization has already been achieved. But this is far from the truth.
A curious case was that of the company AOL, formerly known as America Online, which in 2006 made public a database with 20 million search words and more than 650,000 users, taking, as the only data anonymization measure, the replacement of the user identifier with a number.
The result was that many of the users were identified and located in combination with other attributes, such as IP addresses or other client configuration parameters. This incident made it clear that the privacy implications of data disclosure are not limited to the removal of personal information such as name, address, IP or ID number.
Data anonymization is a complicated, as well as irreversible, process. Each technique has its risks:
- Singularization: Extraction of characteristics that allow individuals to be identified.
- Linkability: Relating records of the same individual in different data sets.
- Inference: Deduction of attribute values from other attributes.
Some data anonymization techniques
Among the data anonymization techniques, we find the following:
- Generalization: consisting of transforming individual person data into generic data, using more general and broader magnitudes or scales (e.g., K-Anonymity or L-Diversity).
With them we avoid singularization, but it is necessary to jointly apply other techniques to guarantee protection against inference or linkability attacks. - Randomization: based on modifying or altering the veracity of the data at the individual level, while respecting the overall distribution of the data, thus reducing linkability and inference.
Randomization used in isolation is not effective against singularization. They should always be combined, at least, with a process of explicit filtering of obvious attributes or indirect identifiers (default privacy principle), or indirectly through generalization techniques.
However, as we have seen, no technique is perfect, and they must always be combined to ensure proper data protection.
Only in this way will companies be able to share and work with personal data securely, as well as remain at the forefront of compliance with privacy regulations.
Image by Freepik.
