Anonymisation in Action: 5 Key Steps from the APPA Guide Every Organisation Should Know


In today’s data-driven economy, organisations increasingly rely on the collection, analysis, and sharing of personal data to support decision-making and improve services. Yet this reliance comes with growing responsibility to safeguard individuals’ privacy. Recognising this, the Asia Pacific Privacy Authorities (APPA) released the Guide to Getting Started with Anonymisation at its 63rd Forum held on 11 June 2025. Developed by APPA’s Technology Working Group, the guide aims to equip organisations with a foundational understanding of anonymisation, especially when working with structured, textual, and non-complex datasets.

The guide serves as a technical primer rather than legal advice, introducing anonymisation as a risk-based process that requires both contextual awareness and technical proficiency. While anonymised data often falls outside the scope of privacy laws, the guide cautions that achieving genuine anonymisation is complex. Organisations must therefore take deliberate steps to manage re-identification risks while preserving the utility of their datasets.

Understanding the anonymisation process

At the heart of the guide is a five-step framework designed to help organisations structure their anonymisation journey. The first step, “Know your data,” involves identifying all attributes in a dataset and classifying them as direct identifiers (such as names and identification numbers), indirect identifiers (such as dates of birth and postcodes), or target attributes (such as medical diagnoses or customer behaviour). This classification sets the foundation for informed decision-making about data handling.

The next step is to remove direct identifiers. These are the most explicit forms of personal information and should be excluded from the dataset or replaced with pseudonyms. However, pseudonymised data is still considered personal data under many privacy frameworks and must be treated with appropriate safeguards.

The third step involves applying anonymisation techniques to indirect identifiers. These techniques include masking, generalisation, suppression, data swapping, and adding noise, among others. For instance, in the guide’s case study involving a gym (Vivogym), customers’ birthdates were generalised to birth years and postcodes were partially masked. These techniques strike a balance between reducing identifiability and preserving analytical value.

Evaluating and managing re-identification risks

After applying anonymisation techniques, organisations must evaluate how effectively the data has been anonymised. The fourth step of the process is risk assessment. The guide introduces tools like k-anonymity, which measures the minimum number of records sharing the same combination of indirect identifiers. A higher k-value indicates a lower re-identification risk. In the gym case study, records with low k-values were identified as potential outliers and were either removed or modified to improve the overall anonymity of the dataset.

Another important method recommended is the “motivated intruder” test, which considers whether a reasonably competent individual with access to public or commercial data could re-identify someone in the anonymised dataset. This practical perspective reinforces the importance of context when assessing privacy risks.

The final step is to manage any remaining risk. Even after anonymisation techniques are applied, residual risks may persist. These should be addressed through technical controls (such as access restrictions), legal agreements that prohibit re-identification attempts, and governance measures that document and review the anonymisation process. In the Vivogym case, access controls were implemented at the marketing partner’s end, and contractual clauses were introduced to restrict use and mandate deletion of the data after its intended purpose was achieved.
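
Steps one to four of the framework, worked through on a small gym-style dataset. This is an added example, not code from the APPA guide or its Vivogym case study: the records, field names, attribute classification and the two-digit postcode mask are all constructed assumptions.

```python
from collections import Counter

# Constructed sample records; field names and values are illustrative assumptions.
RECORDS = [
    {"name": "Member A", "member_id": "M001", "birthdate": "1990-03-14", "postcode": "238801", "plan": "premium"},
    {"name": "Member B", "member_id": "M002", "birthdate": "1990-11-02", "postcode": "238955", "plan": "basic"},
    {"name": "Member C", "member_id": "M003", "birthdate": "1990-07-21", "postcode": "239012", "plan": "premium"},
    {"name": "Member D", "member_id": "M004", "birthdate": "1985-01-30", "postcode": "520110", "plan": "basic"},
    {"name": "Member E", "member_id": "M005", "birthdate": "1985-09-09", "postcode": "521443", "plan": "basic"},
    {"name": "Member F", "member_id": "M006", "birthdate": "1962-05-17", "postcode": "768024", "plan": "premium"},
]

# Step 1: classify attributes (assumed classification for this sample).
DIRECT = {"name", "member_id"}
RAW_INDIRECT = ("birthdate", "postcode")
INDIRECT = ("birth_year", "postcode")  # after step 3; "plan" is the target attribute

def anonymise(record):
    """Steps 2 and 3: drop direct identifiers, generalise and mask indirect ones."""
    out = {k: v for k, v in record.items() if k not in DIRECT}
    out["birth_year"] = out.pop("birthdate")[:4]    # generalise birthdate to birth year
    out["postcode"] = out["postcode"][:2] + "****"  # keep 2 digits (assumed mask width)
    return out

def class_sizes(rows, quasi):
    """Count records per combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)

def k_anonymity(rows, quasi):
    """Step 4: k is the size of the smallest group sharing the same indirect identifiers."""
    sizes = class_sizes(rows, quasi)
    return min(sizes.values()) if sizes else 0

def suppress_below(rows, k, quasi):
    """Remove outlier records whose group is smaller than the target k."""
    sizes = class_sizes(rows, quasi)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi)] >= k]

if __name__ == "__main__":
    anonymised = [anonymise(r) for r in RECORDS]
    released = suppress_below(anonymised, 2, INDIRECT)
    print("k raw:", k_anonymity(RECORDS, RAW_INDIRECT))
    print("k after generalisation and masking:", k_anonymity(anonymised, INDIRECT))
    print("k after suppressing outliers:", k_anonymity(released, INDIRECT),
          "with", len(released), "records")
```

Generalisation and masking alone leave the single 1962 record in a group of one, so k stays at 1 until that outlier is suppressed; the cost is one fewer record for analysis.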

Building a sustainable anonymisation practice

The guide does not treat anonymisation as a one-time action but stresses the need for continuous monitoring and reassessment. Over time, new technologies or datasets may emerge that could compromise previously anonymised data. Therefore, regular reviews are recommended to ensure anonymisation techniques remain effective and aligned with the evolving data environment.

To support organisations in developing sustainable practices, the guide refers to the ISO/IEC 27559 standard, which outlines a comprehensive framework for data de-identification. This includes four key areas: context assessment, data assessment, identifiability assessment and mitigation, and governance. These components help organisations consider not just the data itself, but also the environment in which it is shared and used.

The guide also highlights jurisdiction-specific resources from countries such as Singapore, Australia, Japan, and South Korea. These provide more detailed guidance on legal definitions and expectations regarding anonymisation and pseudonymisation. For example, Singapore’s Personal Data Protection Commission (PDPC) provides technical guides and free anonymisation tools to support local compliance efforts.

The inclusion of a realistic case study reinforces the practical application of the guide. In the Vivogym example, the five-step framework is used to anonymise customer data before sharing it with a marketing partner. Each stage is documented, from identifying and classifying data attributes to applying generalisation and masking, computing k-anonymity, and implementing safeguards. The case illustrates that it is possible to protect privacy without sacrificing the usefulness of data for legitimate business purposes.

Advancing data responsibility in the Asia Pacific

The Guide to Getting Started with Anonymisation is a timely and valuable contribution by APPA to help organisations navigate the complexities of privacy protection in the digital age. Through its clear, step-by-step process and alignment with international best practices, the guide empowers organisations to adopt anonymisation as a responsible and strategic component of their data management.

While anonymisation is a technically and contextually demanding process, this guide lays a strong foundation for building internal capability, reducing regulatory risk, and strengthening trust with data subjects. By embedding anonymisation into regular data practices, supported by sound governance and ongoing risk assessment, organisations in the Asia Pacific region can move beyond compliance and embrace a more proactive, ethical approach to data privacy.

To explore the full guide, visit the PDPA website. For more practical tips on safeguarding your organisation’s data and staying ahead of privacy trends, subscribe to Privacy Ninja’s weekly newsletter by entering your email at the bottom of our website and follow our page for the latest updates.
