The Spanish Data Protection Agency (SDPA) has published the technical note "K-anonymization as a privacy measure," aimed at organizations that deal with anonymization processes on data sets. Although the aim of anonymization processes is to preserve the privacy of persons whose data is processed, anonymized data, conveniently grouped and cross-referenced with other sources of information, can be used to identify persons and even establish relationships with special categories of data associated with them.
Applying the principle of accountability established in the GDPR, the SDPA states that the data controller must analyze the risks of data processing, including the risk of re-identification. The SDPA highlights that the data controller must also assess the risks derived from further processing of the personal data, especially from the enrichment of the data.
To carry out this risk management, the technical note analyzes K-anonymity, a technique used when dealing with large sets of data, which, among other aspects, makes it possible to assess the risk of identification that might exist in this supposedly anonymous data set.