

Business organizations are increasingly adopting data anonymization measures to manage personal data for effective analysis, research and decision-making. However, while anonymization is intended to protect privacy by transforming personal data into a form that no longer identifies individuals, advancements in modern data analytics have increased the possibility that such datasets could be re-identified. Both regulatory authorities and organizations should therefore evaluate their approaches for rendering data non-identifiable to ensure the proper protection of data subjects’ personal information.
The concepts of anonymization or personal data de-identification, pseudonymization and erasure are closely related. To avoid confusion, it is necessary to clearly distinguish their definitions, as each carries distinct legal implications.
Under Recital 26 of the European Union's General Data Protection Regulation (“GDPR”), anonymization is the process of rendering data in such a way that it can no longer be linked to any specific individual by any reasonable means. On the other hand, pseudonymization, as defined in Article 4(5) of the GDPR, refers to the processing of personal data in which direct identifiers are replaced with reference information, such as codes. While this prevents direct identification, the data can still be linked back to the data subject if additional information is accessible. Accordingly, such data continues to be classified as personal data because there remains a possibility of identifying the data subject at a later stage. With respect to erasure, although it is not explicitly defined, it may be carried out through various methods; however, the data must no longer be accessible, visible, or capable of being recovered by any means.
Anonymization may be regarded as a data security measure that supports the objective of maintaining data confidentiality. However, anonymization is not equivalent to data erasure, as there remains a possibility that anonymized data could still be used to re-identify individuals. Similarly, pseudonymization is merely one technique for securing data by reducing its linkability to individuals, but it is insufficient to render data truly anonymous.
Although the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) grants data subjects the right to request the deletion, destruction, or de-identification of their personal data, it does not clearly define the methods or criteria for such actions. To address this gap, the Personal Data Protection Committee (PDPC) issued the Notification on the Criteria for Personal Data Deletion, Destruction, and De-identification pursuant to Section 33 of the PDPA. This Notification came into force on 11 November 2024, and sets out the obligations for data controllers, including the following:
1. 90-Day Compliance Period: Data controllers must act upon data subject requests to delete, destroy, or de-identify within 90 days, covering all copies and backup data. If immediate execution is not feasible, appropriate measures must be implemented to prevent access or disclosure of the data during the interim period.
2. Anonymization Standards: There must be a process for removing all direct identifiers (e.g. names, ID numbers, contact details) as a first step. This must be followed by additional safeguards, such as pseudonymization or other protective measures, to ensure that the data cannot be re-identified through indirect identifiers, thereby reducing the possibility of re-identifying the data subject to a sufficiently low level.
3. Alternative Methods: If a data controller opts to implement an alternative method (e.g. de-identification instead of deletion), it must notify the data subject. This requirement does not apply, however, where the request arises from unlawful data processing by the controller; in such cases, the data controller is required to delete the data in accordance with the data subject’s request.
4. Ongoing Monitoring: In addition to responding to data subjects’ requests to delete, destroy, or de-identify their personal data, data controllers must also implement a monitoring system for the deletion or destruction of personal data in accordance with Section 37(3).
A case from the UK Information Commissioner’s Office (ICO) demonstrates that effective anonymization can be achieved through multi-layered safeguards and third-party oversight. In this example, a retail company (PriceSavvy) sought market-level insights using transactional data held by another company (Market Lens). Both companies engaged a trusted third party (TTP) in order to avoid the disclosure of identifiable data. Each company first pseudonymized its own data by hashing direct identifiers and transferred the result to the TTP. The TTP then applied additional safeguards, such as secondary hashing, aggregation, generalization, and noise injection. Importantly, the TTP never combined or shared raw data with either party, instead providing only aggregated insights that could not identify individuals.
This case illustrates how role separation and layered anonymization techniques can help organizations comply with strict privacy standards, particularly under Thailand’s PDPA, which focuses on minimizing the risk of re-identification. The approach is therefore valuable for data controllers seeking to strike a balance between data analysis and responsible data management.
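As an added example (not taken from the ICO case, the PDPC Notification, or any of the companies named above), the following Python script walks through the two steps of the Notification's anonymization standard and the layering described in the ICO case: the data holder replaces direct identifiers with tokens, the TTP re-tokenizes with its own key (secondary hashing), generalizes the indirect identifiers, checks that no quasi-identifier combination singles out fewer than k records, and releases only aggregated figures with small groups suppressed and noise added. The records, keys, the threshold k=3, the noise scale and the generalization rules are all constructed for illustration. One design choice goes beyond the page's wording: the tokens are keyed hashes (HMAC) rather than plain hashes, because identifiers such as customer numbers have so little entropy that an unkeyed hash can be matched by hashing every candidate value.

```python
import hashlib
import hmac
import random
from collections import defaultdict

# Constructed sample transaction records from one data holder (illustrative, not real data).
RAW_RECORDS = [
    {"customer_id": "C1001", "age": 34, "postcode": "10110", "spend": 120.50},
    {"customer_id": "C1002", "age": 37, "postcode": "10120", "spend": 80.00},
    {"customer_id": "C1003", "age": 31, "postcode": "10110", "spend": 45.25},
    {"customer_id": "C1004", "age": 45, "postcode": "10200", "spend": 300.00},
    {"customer_id": "C1005", "age": 49, "postcode": "10250", "spend": 150.00},
    {"customer_id": "C1006", "age": 42, "postcode": "10200", "spend": 60.00},
    {"customer_id": "C1007", "age": 63, "postcode": "50000", "spend": 500.00},
    {"customer_id": "C1008", "age": 38, "postcode": "10130", "spend": 20.00},
]

QUASI_IDENTIFIERS = ("age", "postcode")  # indirect identifiers that remain after step 1


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. The secret key is an assumption beyond the page's
    plain 'hashing': without it, low-entropy identifiers could be matched by
    hashing every candidate value and comparing."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, holder_key: bytes):
    """Step 1 of the Notification: replace the direct identifier (customer_id)
    with a token. Only the holder keeps holder_key, so only it could relink."""
    return [
        {"token": keyed_token(r["customer_id"], holder_key),
         "age": r["age"], "postcode": r["postcode"], "spend": r["spend"]}
        for r in records
    ]


def ttp_rehash(records, ttp_key: bytes):
    """TTP secondary hashing: re-tokenize with the TTP's own key so the tokens
    it works with cannot be matched against the holder's token table."""
    return [{**r, "token": keyed_token(r["token"], ttp_key)} for r in records]


def generalize(record):
    """Step 2: coarsen the quasi-identifiers. Exact age becomes a 10-year band
    and the 5-digit postcode is truncated to a 3-digit area (constructed rules)."""
    low = (record["age"] // 10) * 10
    return {**record, "age": f"{low}-{low + 9}", "postcode": record["postcode"][:3] + "**"}


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QUASI_IDENTIFIERS)].append(r)
    return classes


def is_k_anonymous(records, k: int) -> bool:
    """Release check: every quasi-identifier combination must occur at least k
    times, otherwise some record is singled out by indirect identifiers alone."""
    return all(len(members) >= k for members in equivalence_classes(records).values())


def aggregate(records, k: int, noise_sd: float, rng: random.Random):
    """What the TTP hands back: per-class counts and totals. Classes smaller
    than k are suppressed and Gaussian noise blurs small contributions."""
    summary = {}
    for key, members in equivalence_classes(records).items():
        if len(members) < k:
            continue  # suppressed rather than released
        total = sum(m["spend"] for m in members) + rng.gauss(0.0, noise_sd)
        summary[key] = {"count": len(members), "total_spend": round(total, 2)}
    return summary


def run_pipeline(records, holder_key=b"holder-secret", ttp_key=b"ttp-secret",
                 k=3, noise_sd=5.0, seed=42):
    """Holder side: pseudonymize. TTP side: rehash, generalize, check, aggregate."""
    holder_out = pseudonymize(records, holder_key)
    ttp_view = [generalize(r) for r in ttp_rehash(holder_out, ttp_key)]
    return {
        "record_level_k_anonymous": is_k_anonymous(ttp_view, k),
        "released": aggregate(ttp_view, k, noise_sd, random.Random(seed)),
    }


if __name__ == "__main__":
    out = run_pipeline(RAW_RECORDS)
    print("record-level release acceptable at k=3:", out["record_level_k_anonymous"])
    for key, stats in out["released"].items():
        print(key, stats)
```

On the sample data the record-level k-anonymity check fails at k=3 (the single 60-69 / 500** record would be singled out), which is exactly the situation the Notification's second step is meant to catch: pseudonymization alone leaves indirect identifiers intact. The aggregated release drops that class and returns only counts and noised totals for the remaining two classes, which is the form of output the ICO case describes the TTP providing.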
In conclusion, anonymization is becoming increasingly complex, both technically and legally. Data controllers must proceed with greater caution, transparency, and accountability. Compliance is no longer merely a matter of ticking boxes but a substantive obligation to protect data subjects. Organizations that align their practices with both local and global standards not only reduce legal risk but also foster trust in how they handle and protect personal data.