Anonymization has become one of the major data protection technique which is brought by the General Data Protection Regulation (“GDPR”). By the time it started to be a customary practice in the area of data protection. Therefore, establishments, independently of criteria of being subject to the GDPR, shall take necessary actions to provide effective data protection within their body.
In this regard, it is important to make it crystal clear that GDPR does not apply to anonymized data. Because as you will guess by anonymization, personal data is processed in a way that prevents the identification of data subject to whom it relates irreversibly by concealing any identifiers (such as name, any identification number, address etc.) that apply to relevant data subject’s identity.
Data controllers should designate the circumstances where anonymization applies and techniques of anonymization in their data retention and destruction policy. And should apply it where they want to lower the risk of identifiability of any natural person.
Anonymization includes various methods such as scrambling, masking, personalized anonymization and blurring. By scrambling, personal data is mixed or obfuscated, for instance if the name of data subject is John, it becomes OnhJ. By masking, part of the personal data is hidden by any random character or other data, for instance by crossing out or starring some part of personal data. Personalized anonymization allows parties to avail their own anonymization technique, for instance anonymization of personal data by code usage. Blurring provides data values to be approximated which renders personal data void or identification impossible.
Anonymization is a different technique than pseudonymisation which is also a technique brought by GDPR. Pseudonymisation does not prevent the identification of data subject; it only reduces the linkability-associability of data group which belongs to a data subject, therefore it slightly differs from anonymization. By this way, a personal data which is pseudonymised can be re-identified where anonymized one cannot. For this reason, GDPR applies to pseudonymised data where by using additional information it is still possible to attribute relevant data to a specific data subject.
Nowadays, most of the sectors such as communication, media or health, which process special categories of personal data, actively uses anonymization for storing or sharing the personal data that they possess. Besides establishments that conduct statistical researches have to use anonymization to transfer different personal data to statistical facts by processing it.