Is the Anonymization of Personal Data the Same as Data Erasure

Is the Anonymization of Personal Data the Same as Data Erasure

By Marcus Ho

September 6, 2020

Over the years, a great deal has been said and written about people’s right to data erasure. Also known as the right to be forgotten, GDPR’s right to erasure is a provision stipulating that individuals are entitled to erasing their personal data as soon as it’s no longer needed for its original purpose. 

According to this provision, one can also demand that their data be erased the minute they withdraw their consent. When there is no legal ground for an individual’s personal data to be kept online, they have the right to have it erased. 

Based on the provisions under the California Consumer Privacy Act, the internet started to work differently as of January 1, 2020. CCPA rolled out new rights that give individuals control over how their personal data is used online. People now have a say on how organizations collect, store, and use their personal information. 

The million-dollar question here then is if the anonymization of personal data is the same as data erasure. Ideally, anonymization de-identifies owners of pieces of personal information to the point that no one can reconstruct a connection between people and their personal data.

Do organizations comply with CCPA’s provisions by programmatically anonymizing data rather than erasing it? 

Let’s find out!

Data Erasure

What exactly counts as data erasure? What are the data erasure standards that organizations should be held to? The GDPR would not have chosen the word erasure if they did not mean to dispose of, to obliterate, to remove, or to delete. You do not erase data by anonymization because there are two very different things. 

That said, some experts still argue that to erase doesn’t necessarily mean to delete something physically. They believe that as long as a data subject’s identity cannot be traced, that is enough.

This raises important questions in the case where companies rely on people’s personal information for data analysis. If, for example, an organization anonymizes subjects’ addresses, birthdates, first and last names, but keep their zip codes, ages, genders, weights and, heights, do they comply with GDPR’s provisions? Does the company also remain with enough information to conduct successful data analyses? 

Until 2018, these questions had been unaddressed by the GDPR authority, and as such, left open to interpretation. As a result, organizations had leeway to use people’s data, but still, be at risk of non-compliance liability.

However, a case decided by the Austrian Data Protection Authority (DPA)  put the matter to rest. The case highlighted the question above, and the verdict implied that anonymization of personal data could be used by organizations to meet the requirements of the regulation’s data erasure.

Data Erasure Software

The knowledge economy greatly relies on digital assets, and yet data breaches is not yet a thing of the past. Each year, the number of data infractions keeps increasing the world over, and the cost of each is devastating. 

The adjournment of End-Of-Life (EOL) computers, electronic devices, and mobile devices have made it easier for sensitive data to fall into the wrong hands. Organizations risk grave economic consequences if they don’t erase data in good time. There’s also the issue of regulatory non-compliance if they do not meet data erasure standards

Companies need to work with data erasure companies that offer the highest level of accountability. Blancco is one such company that’s recognized as a global leader in secure data destruction. We are the preferred erasure choice for IT asset sellers, banking, police, defense, and military organizations. 

We work with the best data erasure software to provide our clients with certified solutions. Since we operate with an extensive network that connects us to different parts of the work, we’re able to attend to clients from North America, Europe, Australia, the Middle East, Asia, and Russia. 

We have 17 international offices across the globe that renders the highest level of service to every client. Blancco has all their processes audited to meet data erasure regulation requirements in different countries. 

Secure Data Erasure

You need to know how to safely dispose of your personal data or information about clients. Since the retirement of End-Of-Life devices, people can easily retrieve un-erased data from your hard drive or personal computer after you get rid of them. 

Blancco has data erasure software to help you delete data safely and securely. This way, when you throw away used devices, you’re not at risk of a data breach. We understand that data security is among the major concerns organizations and computer users have when disposing of redundant IT equipment. 

That is why we offer all our clients hassle-free data deletion security services for peace of mind. We hire experts who guarantee that your sensitive data will be completely erased so no one else can access it. 

We help you erase data from mobile devices, hard drives, PCs, laptops, tablets, servers, and networking equipment. Blancco overwrites your existing data across the storage device or platform and resets your file size to zero. This is the surest way of permanently destroying data so it can never be retrieved again. 

We use different methods of data destruction and each one is totally secure. Our experts have years of experience working with different clients, so they’ll know exactly what you need. 

Data Erasure Standards

A comprehensive guide to the General Data Protection Regulation (GDPR)

Private institutions and government agencies across the globe have set rigorous data erasure standards for data removal procedures. At Blancco, we help you decide which erasure standards are best for your business. 

As a globally recognized leader in certified data destruction, we support and recommend more than 24 international data removal standards set by independent testing laboratories, legal authorities, and government agencies. We help businesses prove compliance and ensure all your data is protected. 

According to GDPR’s provisions, here is what you need to know in case you need your data erased;

  • You can make a request for data removal either in writing or verbally 
  • Organizations have one month to respond to a data erasure request
  • The right to data erasure is not absolute and only applies in specified circumstances 
  • The right to data erasure puts an obligation on organizations to consider whether or not to delete sensitive data

Here is how organizations should prepare for data erasure requests;

  • Companies should have the policy to record all requests that are submitted verbally.
  • Organizations should understand when to refuse a request, and they should back the refusal with irrefutable reason
  • Each company should have processes in place that guarantee prompt responses to erasure requests.
  • Companies should be well conversant with circumstances in which they’re allowed to extend the time limit to respond to a request.
  • Each company should have in place, a procedure to inform recipients of their data if there has been a data erasure request submitted. 
  • Organizations should have safe, secure and certified data erasure methods in place.

Certified Data Erasure

Individuals and organizations need to know when the right to erasure applies. According to GDPR, individuals can request for their personal data to be erased if and when;

  • A company processes and uses data to render information society services to children. Organizations should understand that the GDPR has a special emphasis on erasure requests for data connected to children. 
  • The company wants to use your personal data for marketing and advertising purposes against your will.
  • The organization in possession of your personal information collected, processed, and used it unlawfully. 

Why there is a Special Emphasis on Data Collected from Children

The GDPR takes a special interest in data erasure requests related to data collected from children. This enhanced protection for children’s information is because they do not understand the implications of letting organizations use, or sell their data. 

Therefore, every organization should give particular weight to all the processed data for which they got consent from children; especially if the data is to be accessible on the internet. Such information might come back to bite adults in the back because they may not have known the risks involved at the time of consent. 

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Have a question? We're a message away.