I often see people talking about anonymization in situations where it’s not even necessary—sometimes, a simple data removal or pseudonymization would be more than enough.

It’s a broad topic, and I won’t pretend to cover everything in a single post. So I’ve decided to highlight some key concepts and methods, explained in a simpler way for those who aren’t deep into the tech side.

Anonymization refers to the process of irreversibly transforming personal data so that it can no longer be linked to a specific individual—not even when combined with other datasets, as long as any additional information is kept separate. According to modern privacy regulations, anonymized data falls outside the scope of data protection laws, since it’s no longer considered personal data.

In other words, anonymized data is not personal data.

Pseudonymization, on the other hand, means replacing direct identifiers with pseudonyms, while still maintaining an indirect link between the data and the individual—typically through encryption keys or other secure mechanisms. Unlike anonymization, pseudonymization allows for re-identification under controlled conditions, which means the data still falls within the scope of data protection laws.

In short, pseudonymized data is still personal data.

Think of anonymization like shredding a document and letting the pieces scatter in the wind—there’s no way to put it back together. Pseudonymization, however, is more like placing a fake label over someone’s name—if you have the key, you can still figure out who it is.

Data minimization is a core principle of privacy by design. It requires that only the data strictly necessary for a specific purpose be collected, stored, and processed. This helps avoid collecting irrelevant information and reduces the risk of data breaches.

Back in the 1990s, the Massachusetts Group Insurance Commission (GIC) decided to release hospital records for research purposes. These records were considered anonymous because direct identifiers like names and addresses had been removed. The assumption was that, without these details, it would be impossible to identify the individuals behind the records. But that assumption turned out to be very wrong.

A researcher named Latanya Sweeney1, then a graduate student at the Massachusetts Institute of Technology (MIT), decided to investigate whether it was possible to reidentify individuals in this supposedly anonymous dataset. She realized that even without names or addresses, other attributes—like date of birth and gender—could potentially be cross-referenced with public records. And that’s exactly what she did.

Sweeney accessed a public voter database from the city of Cambridge, which included names, addresses, birthdates, and gender. By cross-referencing that with the anonymized hospital records, she was able to reidentify multiple individuals—including the governor of Massachusetts at the time, William Weld.

As anonymization techniques evolved, more advanced concepts like k-anonymity, l-diversity, and t-closeness emerged. These models address the growing challenges of protecting privacy in large datasets, especially as traditional techniques like removing direct identifiers often fall short in preventing reidentification. The goal is to strike a balance between protecting individuals’ privacy and preserving data utility for analysis.

These methods are widely used by organizations that process personal data, such as hospitals, financial institutions, and government agencies. In these sectors, where handling sensitive data is part of daily operations, ensuring individual anonymity is both a technical and ethical requirement—and often a legal one. For example, when data is shared for scientific research or public policy development, it's critical to ensure that personal information cannot be traced back to individuals.

That’s why professionals like data engineers, data scientists, and privacy specialists play a key role in planning and applying these techniques.

P.S.: Movie tip — ANON on Netflix: https://www.netflix.com/title/80195964

The concept of k-anonymity requires that each record in a dataset be indistinguishable from at least k−1 other records with respect to a set of quasi-identifiers, such as age or gender. This model was initially designed to prevent basic reidentification attacks. However, on its own, it doesn't address issues like lack of diversity within equivalence groups—especially when sensitive values are uniform across a group. To overcome this limitation, l-diversity was introduced.

l-diversity builds on k-anonymity by requiring that sensitive values within each equivalence group be sufficiently diverse. This means that even if someone identifies an individual’s group, they still can’t easily guess the person’s sensitive data. Still, l-diversity isn’t bulletproof—especially when attackers exploit semantic relationships between values. That’s where t-closeness comes in.

t-closeness raises the bar by requiring that the distribution of sensitive values within each group be statistically close to the overall dataset distribution, according to a defined distance metric. This is especially relevant when statistical analysis alone could expose patterns that compromise privacy.

Together, these three concepts form a solid technical foundation for protecting personal data—something essential for any organization looking to balance individual privacy with the need to extract insights from large datasets.

Explaining all this with math isn’t the point here—so how about we use some real-world examples instead?

k-anonymity:

Imagine you’re at a costume party with hundreds of people, and everyone is dressed exactly the same—as pirates, with identical masks and outfits. In that setting, it’s impossible for anyone to single you out, even if they know you’re there, because so many others look just like you. That’s the basic idea behind k-anonymity: making sure you’re part of a group of k people who are indistinguishable from each other, making it much harder for someone to identify you based on available information.

Now, picture an investigative reporter trying to figure out who attended the party. He finds out that all the guests filled out a form with three details: age, city, and profession. Without k-anonymity, it would be easy to cross-reference that information and pinpoint who you are. But if the data were structured so that at least k-1 other people shared those exact same traits, it would be a lot harder for the reporter to figure out your identity.

It’s like the masked ball playing out in the data world—your privacy is protected by a shared “disguise” that makes you blend in with the crowd.

l-diversity:

Imagine a vault that holds important secrets from different people. Each person is assigned to a group based on similar traits—like “likes sports” or “owns a blue car.” Now, let’s say someone figures out the group you belong to. If everyone in that group shares the exact same secret—like “owns a blue car”—then just knowing your group is enough to guess your secret. That’s the flaw in relying on k-anonymity alone. And that’s where l-diversity comes in.

With l-diversity, the vault is reorganized so that each group contains at least l different secrets. So even if someone knows which group you’re in, they still can’t tell which secret is yours—because there are multiple possibilities. For example, your group might include people whose secrets are “likes sports,” “collects stamps,” or “loves dogs.” That way, even if the group is known, the specific secret tied to each person stays hidden.

It’s like mixing the secrets well enough to keep any curious eyes guessing.

t-closeness:

Imagine you’re in a room full of people chatting about their favorite music genres. The crowd is loosely grouped by similar tastes—rock, pop, or jazz. Now, if each group is too small or lacks variety, someone listening in could easily guess your personal preference just by knowing which group you're in. Even if there’s some diversity, if a group’s conversation is very different from the rest of the room, it might still reveal something specific about you. That’s where t-closeness comes into play.

With t-closeness, each group’s music discussion is carefully balanced so that the distribution of genres within the group closely mirrors that of the entire room. So, if 30% of the room likes rock, 40% pop, and 30% jazz, then each group would have a similar mix. This way, even if someone knows what group you’re in, they can’t learn much about your personal taste—because your group looks just like the room as a whole.

It’s like making sure the conversations blend into the overall noise of the room, so no one can single you out just by listening from a distance.

These techniques—k-anonymity, l-diversity, and t-closeness—act like invisible layers of protection that make individual data harder to identify or exploit, helping preserve privacy even when massive datasets are being analyzed. At their core, they strike a balance between utility and protection, allowing valuable information to be used for research, public policy, or product development—without exposing anyone’s identity.

If you’re interested in diving deeper into this topic, I explore this and much more in my book Privacy for Software Engineers, available on Amazon:

📚 https://www.amazon.com/dp/B0DZBM7JVV

Thanks!