In addition to the methods described above many industries leverage the use of de-identification, a method of protection intended to protect data at rest, to try to solve linkage problem for data in transit and use. De-identification of data refers to the process used to prevent personal identifiers from being connected or linked to a particular consumer, either directly or indirectly. There are many different de-identification techniques which represent a broad spectrum – from relatively weak to very strong techniques that can effectively eliminate privacy risk for data at rest. In healthcare, they call it tokenization. In other industries, they create “IDs”. Regardless of what it’s called, de- identification is a best practice across multiple industries as a privacy-enhancing tool for protecting data at rest. When done well, it can help companies meet their obligations under privacy regulations like CCPA, GDPR, HIPAA, and more, and build trust in the data governance practice. Beyond that, de-identification has other advantages: Data is still usable at an individual level by other groups within the business Data is usable across multiple verticals from healthcare to retail for both research and marketing purposes Demonstrates a privacy-by-design approach to legal entities should a breach occur Significantly reduces risk and impact of third-party data breaches How to Classify Each State of Identity Anonymous Pseudonymous Fully Identified Eliminates identifying Obfuscates identifying Can reveal identifying information information information Never leads to re- Can lead to re-identification Can lead to re-identification identification (with the (with the requisite data (with no effort) requisite data sources) sources) Is legally personal data (by Is not personal data Is personal data (in California, definition) (worldwide) European Union, and others) Can match against other Can never match against Can match against other records any other records records 11