ISO Standard

De-identification

De-identification is the process of removing or obscuring personal identifiers from data to enable analysis while protecting individual privacy.

Questions & Answers

What is De-identification?

It is the process of treating personal data so that it can no longer be used to identify a specific individual. While not explicitly defined in Taiwan's Personal Data Protection Act (PDPA), the principle is that if data, after processing, can no longer directly or indirectly identify a person, it falls outside the PDPA's scope. This allows companies to conduct big data analysis legally while protecting privacy.

Why is it important for Taiwanese companies?

Under Taiwan's amended Personal Data Protection Act (PDPA), companies failing to adequately protect personal data can face fines of up to NT$15 million and be liable for damages. Regulators have intensified enforcement, and international supply chains, especially in the semiconductor and automotive industries, increasingly demand robust data protection from their suppliers. Proper de-identification is key to compliance, reputation, and supply chain trust.

Which ISO standards or international regulations are directly related?

The primary standard is **ISO/IEC 27701** (Privacy Information Management System), which in control A.7.4.5 requires defining objectives and mechanisms for PII de-identification and deletion. Additionally, the EU's **GDPR** (General Data Protection Regulation) defines "pseudonymisation" in Article 4 as processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information.

Why choose Winners Consulting?

Winners Consulting is Taiwan's pioneer in integrating ERM, industrial engineering, technology law, and data science. Drawing on our founder's preventive law background and experience serving clients like TSMC and MediaTek, we design de-identification processes that balance legal compliance, data utility, and operational efficiency. Our multidisciplinary team vertically integrates systems like ISO 27701 with governance, preventing redundancy and ensuring effective data protection.
