Secure data transformation

Anonymizing data means removing personality from data. Whether or not data is anonymous depends heavily on context - and the bar is high. For instance, it’s still possible to identify a single person in a dataset containing age, length, and shoe size, even without a name or email address. So the question of whether or not data is anonymous can only be answered by considering the data and context. Under GDPR and other privacy laws, "anonymity of data" is a critical threshold. This means the data is not subject to privacy regulations, as it's not personal data.

De-identification of data is usually done by removing direct identifiers. For instance, you might remove or mask an email address when selling shoes but keep the size, brand, and model. This helps to make sure there is no personality left in your data. De-identification is not the same as anonymization - and not enough to achieve it.

Data masking is an important technique when you need to de-identify data but want to keep the patterns of a single user intact. For instance, you would mask the email in e-commerce transactions to ensure you can do sales analytics without exposing customer identities. Mind you: data masking is often insufficient to achieve data anonymization.

Key rotation means applying different keys over time when encrypting data. This is generally done for two reasons: to add a layer of security to protect data or to break patterns inside the data. You can encrypt data by applying a cryptographic function using a so-called key. A key is a random value that can later be used to revert to the original plain text data. This blurs the actual value to anyone who shouldn't be looking at it. In case of a breach, data is only valuable if you have the keys (or if you can crack them). By rotating keys, you would need a much larger set of keys to revert to the original data set.