An important aspect of data protection is data anonymity---allowing statistical knowledge to be obtained from data while protecting individual data. GDPR considers anonymised data to no longer be personal data, and as such does not need to be protected. GDPR also expects national bodies to establish certification programs, including for anonymisation. It is, however, very difficult to know when data is adequately anonymised, and therefore difficult to establish certification programs for anonymity. This panel explores the problems and initial steps towards anonymisation certification. The panel includes data owners, data controllers, Data Protection Authorities (DPA), anonymisation technologists, and privacy legal scholars. From these various and differing perspectives, the panel will describe the state of DPA certification programs, and explore the extent to which anonymisation can truly be determined, methods for doing so, and the role that risk assessment plays.
• What are the GDPR requirements for certification programs for anonymisation?
• What is the status of anonymisation certification programs?
• What are the technical and legal challenges for anonymisation certification?
• What role does risk assessment play in anonymisation certification?