Simply removing direct and indirect personal identifiers isn’t enough to de-identify a dataset. Data controllers must also analyze the context in which the data is presented, as well as the risk of re-identification. Moreover, the law does not prescribe technical methods for performing de-identification; these are often left to the discretion of the data controller.

This article focuses on the practical challenges of meeting de-identification standards, including both GDPR’s heightened standard for anonymization and more traditional standards tied to the likelihood of re-identification.

