data fingerprint and anonymisation

Data can act like a fingerprint. Even when a dataset does not include names, ID numbers or email addresses, the combination of several elements may allow a person to be singled out or reidentified.

This is one of the main privacy challenges of the digital economy. Location history, browsing patterns, device identifiers, timestamps, purchases or app usage may seem harmless in isolation. Combined together, they can reveal habits, movements and identity.

Anonymous data is not the same as pseudonymous data

Under the GDPR, truly anonymous data falls outside the regulation only when individuals are no longer identifiable by any reasonably likely means. Pseudonymous data is different: identifiers may be replaced, but reidentification remains possible if additional information exists.

The distinction matters because many organisations describe datasets as “anonymous” when they are only partially masked or pseudonymised.

Why reidentification happens

  • Unique combinations of dates, places and behaviour.
  • Small datasets where individuals are easy to distinguish.
  • External data sources that can be matched with the dataset.
  • Persistent device IDs, cookies or advertising identifiers.
  • Location patterns that reveal home, work or routines.

What companies should review

Before sharing, publishing or analysing datasets, companies should ask whether a person could still be identified directly or indirectly. The assessment should consider not only the dataset itself, but also other information that a third party could reasonably access.

Practical safeguards

  • Minimise the data before analysis or sharing.
  • Remove unnecessary dates, locations and identifiers.
  • Aggregate information where individual-level data is not needed.
  • Limit access to raw datasets.
  • Document anonymisation or pseudonymisation decisions.
  • Review whether a data protection impact assessment is needed.

Why this matters for GDPR compliance

If individuals remain identifiable, the GDPR still applies. That means the organisation needs a lawful basis, transparency, security measures, retention limits and respect for data subject rights.

Conclusion

Data does not need a name to be personal data. In many cases, patterns are enough. Treating data as a fingerprint helps organisations avoid false anonymity and design safer analytics, research and marketing practices.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *