ISO Standard

Aggregated Data

Aggregated data is a dataset created by combining personal data from multiple sources and de-identifying it for statistical analysis.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is Aggregated Data?

Aggregated data is a statistical dataset formed after personal data has undergone de-identification, making it impossible to re-identify specific individuals. This aligns with regulations like the GDPR's Recital 26, which states that data rendered anonymous so the data subject is not identifiable is not considered personal data, making its use less restricted.

Why should companies be concerned with how they handle aggregated data?

If de-identification techniques are inadequate, individuals can be re-identified. The dataset is then classified as personal data, and the company risks severe penalties. For example, GDPR violations can lead to fines of up to €20 million or 4% of global turnover. For tech industries, improper aggregation of client or R&D data could lead to trade secret leakage or client claims.

Which ISO standards or international regulations are directly related to aggregated data?

Key related standards include:

- **ISO/IEC 27701 (Privacy Information Management System):** Clause 7.4.5 (2019 version) requires that organizations should de-identify PII so that it can no longer identify the PII principal.
- **ISO/IEC 27001 (Information Security Management System):** Annex A.18.1.4 emphasizes the protection of personally identifiable information (PII).
- **EU GDPR:** Article 89 outlines safeguards for processing personal data for statistical purposes, emphasizing data minimization and pseudonymization.

Why choose Winners Consulting for assistance?

Winners Consulting is Taiwan's first firm to integrate ERM, data science, and technology law. Led by a founder with a preventive law background, our team of data scientists, tech lawyers, and ISO Lead Auditors provides a multi-faceted approach. We help clients build robust de-identification processes from legal, technical, and management perspectives, seamlessly integrating them into ISO 27701 and internal controls to create a cohesive and efficient risk framework.
