Beyond the Labels: How the UK and EU Approach De Identification

De-identification is often helpful to allow wider, more responsible use of data. For example, these privacy preserving techniques are often used to enable the sharing of sensitive health-related data and can help manage the careful balance between maintaining the privacy of patients while unlocking the power of the data for patient, research and societal benefits. Pseudonymisation is listed in GDPR as a factor to consider when looking at purpose limitation; both pseudonymization and anonymization are cited as safeguards for processing for research purposes. Yet the terminology can confuse more than it clarifies. 

This session will recap key cases and guidance in the EU and the U.K. on anonymization and de-identification, drawing out where the two regimes align and where they may be diverging. Both caselaw and guidance underscore the need to look at the “risk” of identification. We will examine what assessing risk means in practice, which factors should be considered, and how companies can meaningfully assess and mitigate that risk in real‑world settings.

What you will learn:

• The legal and practical distinctions between anonymization, pseudonymization and de‑identification under EU and U.K. data protection regimes. 
• How EU and U.K. case law and regulatory guidance approach identification risk, including where the regimes align and where they may be diverging.
• How companies can meaningfully assess and mitigate the risk of identification in real‑world settings.