Questions & Answers
What is Re-identification?
Re-identification is the process by which data that has been de-identified (through techniques like anonymization or pseudonymization) is matched or linked with other public or private datasets, or used for inference alongside them, to re-establish the identity of a specific individual. Under regulations like the GDPR, Recital 26 clarifies that if pseudonymized data can be used to re-identify a person, it should still be treated as personal data. Therefore, if the de-identification process is insufficient and the risk of re-identification remains, the data is not truly anonymous and remains subject to data protection laws.
Why is re-identification a critical risk for Taiwanese companies?
First, regulatory pressure: If a company mistakenly believes its data is fully anonymized and uses it freely, but it is later re-identified, it could face severe penalties under Taiwan's Personal Data Protection Act (PDPA), with fines up to NT$15 million for repeated offenses. Second, market access: In global supply chains, particularly in industries like semiconductors and automotive manufacturing, international clients from the EU or US mandate compliance with GDPR or CCPA. An inability to effectively manage re-identification risks can lead to loss of major contracts, reputational damage, and significant financial liability.
Which ISO standards or international regulations are directly related to re-identification?
For ISO standards, the most relevant is ISO/IEC 27701 (Privacy Information Management System), an extension to ISO/IEC 27001, which provides a framework for protecting Personally Identifiable Information (PII) and includes controls for managing de-identification and re-identification risks. Additionally, ISO/IEC 29100 (Privacy framework) and ISO/IEC 20889 (Privacy enhancing data de-identification techniques) are key references. In international law, the EU's General Data Protection Regulation (GDPR) is paramount, specifically Recital 26, which states that data is only considered anonymous if individuals are no longer identifiable.
Why choose Winners Consulting for assistance?
Winners Consulting is Taiwan's pioneering firm integrating ERM, industrial engineering, technology law, and data science. Our interdisciplinary team, led by a founder with a preventive law background and comprising tech lawyers, ISO Lead Auditors, and AI experts, delivers a one-stop solution covering legal compliance, technology, and processes. We don't just implement standards like ISO 27701; we vertically integrate them with corporate governance, internal controls, and existing IT security. This avoids redundant frameworks and ensures de-identification is truly effective, a trusted approach for leaders in the semiconductor, finance, and healthcare industries.