The process of converting Personal Data into a form that no longer identifies individuals and where re-identification is not likely to take place.

In some jurisdictions, such as the UK, EU, Japan and Brazil anonymization is defined in law to mean data that is out of the scope of data protection law on the basis that the data subject is not, or no longer identifiable.

In other jurisdictions, such as California, anonymization is not defined in law, whereas the term de-identified is, with a meaning analogous to the definition of anonymous in the EU. In other jurisdictions, whilst anonymization is not defined in law, Personal Data is defined and linked to the scope of the applicability of the law and therefore anonymized data is implicitly excluded. This is supported by regulatory guidance, for example, in Hong Kong and Australia.

In jurisdictions such as the EU, UK, Brazil, and California, account should be taken of all means that are reasonably likely to be used to identify the individuals taking into account all relevant factors (for example, cost, time, likely motivation, available technology at the time). How this is interpreted differs from one jurisdiction and regulator to another, meaning approaches to anonymization vary across jurisdictions.

The same techniques that are used to disassociate the identity of a data subject from the analytical value of that data, can also be applied to other types of data, such as a company or transaction. Similarly to how anonymization takes data out of the scope of data protection law, this may also have legal significance.

Return to glossary