Questions & Answers
What is Re-identification?
Re-identification is the process of reversing de-identification, linking anonymized or pseudonymized data back to a specific individual. According to regulations like the EU's GDPR (Recital 26), data is only considered truly anonymous if the data subject is not or no longer identifiable. If means "reasonably likely to be used" to identify the data subject exist, the data is still personal data, which is why re-identification risk matters.
Why do Taiwanese companies need to take re-identification risk seriously?
For Taiwanese companies, failing to prevent re-identification is equivalent to a data breach. Under Taiwan's amended Personal Data Protection Act (PDPA), this can lead to fines of up to NT$15 million for severe cases and liability for damages. It severely damages corporate reputation and may violate contractual obligations with international clients, especially in sectors like semiconductors and automotive supply chains, leading to loss of business.
Which ISO standards or international regulations are directly related to re-identification?
Key related standards and regulations include:

1. **ISO/IEC 27701 (PIMS):** As a privacy extension to ISO 27001, this standard requires organizations to implement controls to manage PII risks. De-identification and preventing re-identification are central to its technical requirements.
2. **EU GDPR:** Recital 26 states that the regulation does not apply to anonymous information where the data subject is not identifiable. Conversely, if re-identification is reasonably likely, the data remains personal data and is subject to full protection requirements.
3. **NIST SP 800-122 (USA):** This guide from the U.S. National Institute of Standards and Technology provides practical guidance on protecting the confidentiality of Personally Identifiable Information (PII), including de-identification techniques aimed at countering re-identification risks.
Why choose Winners Consulting to help manage re-identification risk?
Winners Consulting is Taiwan's first firm to integrate ERM, industrial engineering, technology law, and data science. Led by a founder with a preventive law background, our team of tech lawyers, ISO Lead Auditors, and AI experts builds defense-in-depth mechanisms. We go beyond PIMS implementation to vertically integrate it with corporate governance and internal controls, offering tailored, non-redundant solutions for clients from semiconductors (like TSMC and MediaTek) to finance to effectively manage re-identification risks.