
I want to create an anonymized version of a table where one of the id fields (long) needs to be anonymized.

The table is queried by a huge number of different business stakeholders, so I would prefer not to change the field type in order to minimize SQL changes for consumers.

I guess it requires some sort of HMAC-like hash algorithm with a secret that makes the mapping fully one-way after the secret is deleted/forgotten.

This sounds like something one should not roll oneself.

It has to be secure and have very few collisions.

Is there something recommended by GDPR specialists?

Or is this not really possible? (We will need to change the field to a larger "string" field)

Jeroen Dirks
  • It's not very clear what you're asking for, and you've not shared any code. GDPR doesn't specify any particular limit because it doesn't concern itself with implementation details. That said, the usual thing to use for unguessable IDs is a type-4 (random) UUID, or ULID if you want to retain creation order. To make a "destructible" relation, you could link to the anonymised version of the table via an intermediate table, where deleting the link record would irreversibly disconnect the two. FWIW, the usual ballpark for anonymisation via differential privacy is about 1 in 5,000. – Synchro Feb 01 '23 at 15:42
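As an added example (not code from the question or the comment above), the following Python shows the keyed-hash scheme the question describes: HMAC-SHA256 over the original id, truncated to 63 bits so the result still fits a signed 64-bit column (the `BIGINT`/`long` the question wants to keep), plus a birthday-bound estimate of how many collisions to expect and a collision check while the copy is built. The field name `user_id`, the sample rows and the key are constructed here for the demonstration. Two practical points the code makes explicit: the key is what stops anyone from re-deriving the mapping by enumerating the original id space (an unkeyed SHA-256 of a sequential integer is trivially brute-forced), and as long as the key exists the output is pseudonymous, not anonymous, data in GDPR terms; destroying the key once the copy is final is what removes the link.

```python
import hashlib
import hmac
import secrets

PSEUDONYM_BITS = 63  # fits a signed 64-bit integer column (assumption: BIGINT / Java long)


def pseudonymize_id(original_id: int, key: bytes) -> int:
    """Map a 64-bit integer id to a keyed pseudonym that fits a signed BIGINT.

    HMAC-SHA256(key, id) truncated to 63 bits. Same id + same key -> same
    pseudonym, so joins inside the anonymized copy still work. Without the
    key the mapping can neither be reversed nor recomputed.
    """
    if not 0 <= original_id < 2**64:
        raise ValueError("id must fit in 64 bits")
    msg = original_id.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << PSEUDONYM_BITS) - 1)


def expected_collisions(n_ids: int, bits: int = PSEUDONYM_BITS) -> float:
    """Birthday-bound estimate of colliding pairs when n_ids values are
    mapped into a bits-bit space: n*(n-1)/2 pairs, each colliding with
    probability 2^-bits."""
    return n_ids * (n_ids - 1) / 2 / 2**bits


def pseudonymize_table(rows, key: bytes, id_field: str = "user_id"):
    """Return a copy of rows with id_field replaced by its pseudonym.

    Raises if two distinct source ids map to the same pseudonym, so a
    (very unlikely) collision is caught before the copy is handed out.
    """
    seen = {}  # pseudonym -> original id
    out = []
    for row in rows:
        orig = row[id_field]
        pseudo = pseudonymize_id(orig, key)
        if pseudo in seen and seen[pseudo] != orig:
            raise RuntimeError(f"collision: ids {seen[pseudo]} and {orig} both map to {pseudo}")
        seen[pseudo] = orig
        new_row = dict(row)
        new_row[id_field] = pseudo
        out.append(new_row)
    return out


if __name__ == "__main__":
    # Constructed sample data; the real key would live in a secret store
    # until the anonymized copy is final, then be destroyed.
    key = secrets.token_bytes(32)
    rows = [
        {"user_id": 1001, "amount": 12.50},
        {"user_id": 1002, "amount": 7.00},
        {"user_id": 1001, "amount": 3.25},  # same user twice: must get same pseudonym
    ]
    for r in pseudonymize_table(rows, key):
        print(r)
    print("expected colliding pairs for 10M ids:", expected_collisions(10_000_000))
```

The truncation to 63 bits is the one deliberate loss versus a full 256-bit HMAC output; for tens of millions of ids the expected number of colliding pairs is far below one, and `pseudonymize_table` fails loudly rather than silently merging two people if one ever occurs. If the column cannot be kept numeric after all, storing the full hex digest in a string column removes even that residual risk.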

0 Answers