07 Dec
Widely considered the most important modern data regulation, the EU’s GDPR focuses on the concept of personal data.
Under the legislation, ‘personal data’ is considered any piece of information relating to an identifiable person.
In Australia, the Privacy Act defines ‘personal information’ as information about an individual “who is reasonably identifiable”.
Re-identification risk
Any information that is clearly about a certain person is technically considered personal data. Names, identification numbers, location data, IP address or even cookies can serve as identifiable data.
And it doesn’t take much to identify an individual. A study found that just date of birth, postcode and gender could be used to uniquely identify 87 percent of the US population.
Given these broad – and often unclear – definitions of personal data across the world (for example a name isn’t always considered personal data under GDPR), many businesses are now considering safer options – creating anonymised or pseudonymised data.
Anonymised or pseudonymised: what’s the difference?
Anonymised data and pseudonymised data are similar in that they both mask the personal data that makes it possible to link information to an individual.
Pseudonymisation is defined as the processing of personal data in such a way that it can no longer be attributed to a specific person, as long as additional information is kept separate and protected.
However, despite sounding like a solution, it is generally just an operational approach to use of data that reduces some risk in the analysis of data for the analyst and data custodian. Pseudonymised data can eventually be linked back to the individual, so it’s not a complete solution.
Anonymisation, meanwhile, is when the information does not relate to an identifiable person and has been processed in such a way that the subject is no longer identifiable.
Data anonymisation is usually done using processes of randomisation or aggregation. When randomising, removing the link between the data and the individual means that the data is no longer identifiable but is still valuable to a business. Aggregating data removes detail in the data (for example using age ranges rather than specific age) so that it is no longer identifiable.
The key difference here is that pseudonymised data can be reversed, while anonymised data can never be identifiable.
Given the effectiveness of anonymised data in this context, it has been billed by many as the solution to data compliance laws, such as GDPR (GDPR does not apply to anonymised information).
Why anonymisation works
The key challenge for anonymisation of data is to get the balance right between maintaining privacy and maximising data value.
At smrtr, our rich transactional data is aggregated into ‘microsegments’ so that we cannot identify specific individuals.
Just because this data is anonymised, however, doesn’t mean it is ineffective. Once it has been sorted into these clusters, we match it back to other clusters in our database. This means we can derive useful insights about people without passing through data about that individual. We have made a decision to do this, as we feel there is no longer a social license to pass through and commercialise data about specific individuals. We feel this is the best balance between maintaining privacy and maximising data value for our clients and data partners
Given our data is anonymised (rather than pseudonymised) there is no risk of it being reverse engineered to identify an individual.
smrtr’s proprietary data commercialisation framework identifies a data set’s potential and the steps to realise this compliantly.
To find out more about smrtr contact us and we’ll be in touch within the next business day.
By Steve Millward, General Manager – Commercial at smrtr
