Graham Thompson

 ·  12 min read

Safeguarding PII With Data Anonymization

In modern business, data is everything. It's the heart of digital services, the lifeblood of innovation. In many ways, data is now its own form of currency. Given its importance across just about every vertical industry, organizations of every size and stripe now find themselves collecting an unprecedented amount of information detailing every activity, every encounter, every transaction, and more.

In modern business, data is everything. It's the heart of digital services, the lifeblood of innovation. In many ways, data is now its own form of currency. Given its importance across just about every vertical industry, organizations of every size and stripe now find themselves collecting an unprecedented amount of information detailing every activity, every encounter, every transaction, and more.

Thanks in part to digital transformation and the ubiquity of cloud computing, something like 329 exabytes (that’s 329 million terabytes) of data are now generated and stored worldwide every day. By 2025, humans will be generating close to 200 zettabytes per year. Within that mind-boggling mountain of data lives a massive and growing amount of PII, or Personally Identifiable Information.

PII refers to data that could potentially identify a specific individual. Any piece of information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can fall under the category of PII. This includes names, physical addresses, email addresses, Social Security numbers, passport numbers, driver's license info, credit card accounts, date of birth, financial information, and the like.

So what’s the problem? That trove of sensitive personal data is now under siege by cybercriminals who covet such information for its tremendous value in various illegal activities such as fraud and identity theft.

Because of its abundance and its vulnerability to misuse, safeguarding PII is now a top priority for security professionals tasked— often by legal mandates — with protecting the privacy of many millions of ordinary citizens. When it comes to PII, any breach can lead to serious legal implications, steep fines, and damage to the organization's reputation. Security teams now devote significant time and resources to keeping PII safe and unmolested.

Near the top of the PII defender's toolkit are a variety of data anonymization techniques, such as data masking, data pseudonymization, data generalization, data perturbation, and data swapping. Knowing how each of these disciplines works and how they are best employed is key to avoiding damaging and potentially expensive compromise of private information.

Why PII Protection Matters

With so much data being collected globally today, PII is everywhere. Government agencies collect PII to maintain records and implement programs. Healthcare organizations gather PII for patient care, research, and insurance claims. Educational institutions require PII to track student progress, ensure safety, and comply with federal regulations. Financial institutions, including banks and credit card companies, collect PII to verify identities, prevent fraud, and provide personalized services. Retailers and online service providers collect PII to facilitate transactions, deliver services, and customize marketing strategies.

Protecting all that sensitive info takes a holistic security approach: Encryption and firewalls, data handling policies and procedures, tight access controls, and diligent schedules for proper disposal of expired data all play a role. Data manipulation techniques like anonymization are especially indispensable in privacy protection.

Organizations are motivated to protect PII in part because such efforts are vital for maintaining trust with customers and stakeholders. PII protection is also increasingly focused on avoiding expensive and embarrassing legal liabilities. In the United States, for example, organizations that collect and store PII must comply with federal and state laws such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information, the Family Educational Rights and Privacy Act (FERPA) for educational records, and the Gramm-Leach-Bliley Act (GLBA) for financial information. Failure to comply can result in fines, legal action, and lasting damage to an organization's reputation.

The Many Flavors of Data Anonymization

The imperative for protecting PII has never been higher. Consider the case of Equifax in 2017, which suffered one of the most damaging PII breaches in history. Attackers leveraging several vulnerabilities in the credit reporting giant's systems pilfered PII on some 143 million people. That stolen data included names, addresses, dates of birth, Social Security numbers, and drivers’ license numbers and, ironically, about 200,000 credit card numbers from customers who had paid Equifax in order to see their own credit reports. All of this data was stored in its original form, easily discoverable and clearly readable to the four Chinese hackers the U.S. Department of Justice blames for the caper.

In addition to damaging its reputation, Equifax suffered over $700 million in fines and settlements with 50 U.S. states and territories, the U.S. Federal Trade Commission, the U.S. Consumer Financial Protection Bureau, and the U.K.'s Financial Conduct Authority.

Clearly, sitting on huge piles of sensitive — and loosely protected — personal information is problematic; it's also increasingly common in just about every industry, particularly finance, retail, legal, and the motherlode of PII today, healthcare. In addition to the multi-layered security approach we talked about earlier, data anonymization plays a crucial role in keeping protected PII away from unauthorized users and prying eyes.

Some ways security professionals can leverage anonymization to minimize exposure of PII include:

Data Masking

Data masking protects PII by obscuring specific data within a database and altering certain data elements such as SSNs, credit card numbers, or addresses to maintain data privacy while ensuring the usefulness of the information for data analytics or testing. The original data can't be re-engineered or re-identified, ensuring robust protection.


Consider a financial institution database containing customer information that includes fields like name, ID number, and transaction history. To protect this sensitive PII, the bank could employ data masking whereby SSNs can be obscured, with only the last four digits remaining visible (e.g., XXX-XX-6789). A similar effect can be achieved by scrambling account numbers or shuffling transaction types across the entire data set. In this way, the data remains useful for data sharing or analysis while all but eliminating the risk of compromising individual privacy.

Tips for Implementing Data Masking for PII:

Implementing data masking for PII is a critical step in data security, particularly when it comes to leveraging data anonymization in a development testing environment. Some recommendations to make this process more effective include:

  • Map the data. Know which data elements are sensitive and must be masked. Often, this includes information like names, email addresses, phone numbers, and financial details.
  • Use consistent masking techniques. Ensure the same masking techniques are applied across all data environments (development, testing, production) for consistency.
  • Opt for both static and dynamic masking. Use static masking for non-production environments and dynamic masking for production environments to maintain data utility while ensuring privacy.
  • Automate processes. Automate the data masking process where possible to reduce human error and improve efficiency.
  • Regularly review and update. As new types of PII emerge and regulations change, regularly review data masking techniques to ensure they remain effective and compliant.

Data Pseudonymization

Data pseudonymization involves replacing private identifiers with false identifiers (or pseudonyms) while still maintaining a specific identifier that allows access to the original data. While pseudonymized data can't identify an individual without additional information, it retains all of its functionality for statistical analysis and testing.


A simple example of data pseudonymization in practice can be found in the handling of customer data in a retail database. In this scenario, each customer's name, which is considered PII, is replaced with a unique identifier or pseudonym. For instance, the name "John Doe" could be pseudonymized to "Customer12345." This way, any individual with access to the database will not be able to identify the customer by name, while the data remains useful for the company's statistical analyses and business operations.

Tips for Implementing Data Pseudonymization for PII:

When implementing data pseudonymization to protect PII, consider the following:

  • Use strong and irreversible pseudonyms. The pseudonyms used should be random, unique, and not derived from the original data. This makes it difficult for bad actors to trace and revert back to the original data.
  • Store pseudonyms safely. The mapping between the original data and the pseudonyms should be stored safely, separate from both the pseudonymized data and the system using it.
  • Limit access to pseudonyms. Only a select few within the organization should have access to the pseudonymous mapping. This reduces the risk of internal data misuse.
  • Perform regular audits. Regularly audit your pseudonymization practices to ensure they are up-to-date and aligned with the latest privacy regulations.
  • Encrypt pseudonymous data. To add an extra layer of protection, consider encrypting the pseudonymized data.

Data Generalization

Data generalization protects sensitive information by reducing the precision of data. Instead of having a precise address, for instance, a data generalization schema might replace it with a more general location, such as the city or state. This method reduces the risk of identity exposure while preserving the data's overall integrity.


Data generalization is widely used in healthcare to maintain patient privacy. When sharing patient data for research, specifics such as exact age or address are often generalized. Rather than specify a patient as 29 years old living at a specific street address, the data might be generalized to indicate the patient is in their 20s and resides in a particular city. This method retains the utility of the data for large-scale analysis yet reduces the ability to trace the information back to an individual.

Tips for Implementing Data Generalization for PII:

When implementing data generalization to protect PII, consider the following:

  • Strategize generalization levels. The first step in implementing data generalization is to decide the level of generalization required for each type of data. The more sensitive the data, the higher the level of generalization should be.
  • Use software tools. Several software tools are available that can automate the process of data generalization. These tools can be extremely helpful in maintaining the integrity of the data while ensuring privacy.
  • Test before implementing. Before fully implementing a data generalization strategy, test it on a small subset of the data to verify the process works as expected without negatively impacting the utility of the data.
  • Conduct regular audits. Like any data protection strategy, data generalization should be audited regularly to ensure it effectively protects PII. Audits also help to keep the strategy up-to-date with current data protection laws and regulations.

Data Perturbation

Data perturbation modifies the original data set by applying specific algorithmic transformations such as rounding, swapping, or adding data "noise." This technique retains the statistical properties of the data, ensuring its usefulness for research or analysis while making it challenging to identify individuals.


Consider the example of a healthcare database containing patient details such as age, zip code, and medical conditions. Applying data perturbation for PII protection might involve adding random noise to the age of the patients. For instance, if a patient's age is 30, the perturbation process could modify it to 29 or 31. This alteration is insignificant from a statistical analysis perspective, as it doesn’t notably shift the mean or median age values. However, it adds an extra layer of privacy as it makes it difficult to associate a specific age with an individual patient.

Tips for Implementing Data Perturbation for PII:

When implementing data perturbation to protect PII, consider the following:

  • Choose appropriate techniques. Depending on the sensitivity and utility of the data, decide whether rounding, swapping, or noise addition is the most suitable perturbation method. Each technique has its strengths and limitations.
  • Use reliable software tools. There are numerous software tools that can assist in applying data perturbation consistently with an eye toward maintaining maximum data utility for future analysis.
  • Test and retest before implementing. Because perturbation can sometimes push individual results across data bin boundaries (affecting statistical analysis results down the road), it's especially important to carefully test the method on a small set of data before rolling it out to the entire database at large.

Data Swapping

Data swapping, also known as permutation, is a data anonymization technique where values of data are swapped between records. This technique ensures that the individual data points become unidentifiable, protecting sensitive information while the overall statistical validity of the data remains the same.


Let's imagine a dataset containing records of subjects in a large medical research facility. The data contains information such as age, gender, city of residence, medical conditions, and trial outcomes. In order to protect the subjects' privacy, data swapping is a good option. Here's how that works: The city of residence in record 10 (originally "Houston," let's say) could be swapped with the city of residence in record 50 (originally "San Diego"'). Likewise, the age in record 20 (originally "45 years old") could be swapped with the age in record 30 (originally "60 years' old"). This way, the identities of the individuals are obscured, but the overall distribution of ages and cities in the dataset remains the same.

Tips for Implementing Data Swapping to Protect PII

  • Understand the data. Before initiating the process of data swapping, it's essential to understand the nature of the data. Analyze the information thoroughly to identify sensitive fields that require permutation.
  • Identify suitable variables. Not all variables can be swapped without damaging the utility of the information for later analysis. Choose the variables that will not distort the data's underlying structure or relationships among variables. Variables targeted for segmentation or cross-tabulation are generally off-limits.
  • Set a swapping ratio. Determine the proportion of data that will be swapped. This should be balanced — too much swapping can compromise data utility, while too little may not provide sufficient anonymity.
  • Use robust algorithms. When implementing data swapping, use reliable and robust permutation algorithms that can withstand potential attempts to reverse the process and reveal true identities.
  • Iterate. If the results of the permutation are not satisfactory, iterate the process until an acceptable level of data privacy is achieved without compromising data utility.

Conclusion: Data Anonymization a Key Piece of the PII Protection Puzzle

Clearly, data anonymization techniques can play a crucial role in protecting PII data while ensuring it remains useful for analysis, development, testing, and research. Security experts must be thoroughly familiar with these anonymization techniques, recognizing their importance in securing today's data-driven businesses with their target-rich environments for would-be data thieves. Data masking, data pseudonymization, data generalization, data perturbation, and data swapping represent key tools in the toolbox of any security expert dedicated to protecting PII. The appropriate application of these methods can help to ensure the privacy and security of sensitive data while fulfilling all of the organization's ethical and legal obligations and maintaining the analytical utility of the information in question. And keep in mind that data anonymization is a dynamic methodology. As technologies — and threats — continue to evolve, so too will the techniques for protecting sensitive, private info.

The Role of Privacy Dynamics

Privacy Dynamics is helping companies achieve the delicate balance between empowering developers and ensuring stringent data security. We’re designed to streamline and strengthen the process of protecting sensitive data in development environments.

One of the key offerings from Privacy Dynamics is our data anonymization solution. This enables companies to use realistic data in development and testing environments without exposing sensitive information. By replacing actual data with anonymized versions, developers can work with data that maintains the integrity of the original dataset while ensuring that personal information is kept secure. This approach is particularly beneficial for organizations that must comply with stringent data protection regulations like GDPR, as it helps maintain privacy without hindering development.

Privacy Dynamics also provides data masking capabilities essential for organizations handling sensitive customer or business information. Data masking ensures that while the structure of the data remains intact for development purposes, the actual content is obscured to prevent unauthorized access or exposure. This tool is handy in scenarios where developers need to work with data that resembles real-world datasets but does not require access to the actual sensitive data.

Additionally, our solutions are designed with ease of integration in mind. They can seamlessly integrate with existing data storage and management systems, reducing the burden on IT teams and minimizing disruption to existing workflows. This ease of integration is crucial for organizations looking to implement robust data security measures without compromising efficiency and productivity.