Data anonymization and GDPR | Hackademy _ | Skillshare

Playback Speed


  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x

Watch this class and thousands more

Get unlimited access to every class
Taught by industry leaders & working professionals
Topics include illustration, design, photography, and more

Watch this class and thousands more

Get unlimited access to every class
Taught by industry leaders & working professionals
Topics include illustration, design, photography, and more

Lessons in This Class

6 Lessons (48m)
    • 1. 1.1) Privacy and personal data

      5:59
    • 2. 1.2) Privacy in Health

      5:32
    • 3. 1.3) Legislation

      4:54
    • 4. 1.4) GDPR

      13:10
    • 5. 2.1) Anonymization process

      9:15
    • 6. 2.2) Techniques to Anonymise Data

      8:58
  • --
  • Beginner level
  • Intermediate level
  • Advanced level
  • All levels
  • Beg/Int level
  • Int/Adv level

Community Generated

The level is determined by a majority opinion of students who have reviewed this class. The teacher's recommendation is shown until at least 5 student responses are collected.

28

Students

--

Projects

About This Class

Data anonymization is a type of information sanitisation whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous:

  • Learn how to apply methodologies to anonymise your data and keep users secure.¬†

  • Use specialized software to anonymise your data¬†

  • Techniques to Anonymise Data

  • Generate random data¬†

The European Union's new General Data Protection Regulation demands that stored data on people in the EU undergo either an anonymization or a pseudonymization process, learn about:

  • Privacy,¬†personal data¬†and according legislation

  • Privacy in Health

  • The EU General Data Protection Regulation (GDPR) that¬†is the most important change in¬†data privacy regulation in 20 years

Meet Your Teacher

Teacher Profile Image

Hackademy _

Visit us at http://hackademy.ydns.eu

Teacher

In the true sense of the word hacking is about exploring, understand how things work and we can change them in order to make them operate as we want too.

See full profile

Class Ratings

Expectations Met?
  • Exceeded!
    0%
  • Yes
    0%
  • Somewhat
    0%
  • Not really
    0%
Reviews Archive

In October 2018, we updated our review system to improve the way we collect feedback. Below are the reviews written before that update.

Why Join Skillshare?

Take award-winning Skillshare Original Classes

Each class has short lessons, hands-on projects

Your membership supports Skillshare teachers

Learn From Anywhere

Take classes on the go with the Skillshare app. Stream or download to watch on the plane, the subway, or wherever you learn best.

Transcripts

1. 1.1) Privacy and personal data: first, I would like to thank you for acquiring this course. It will be focused on privacy and personal data adapted to their needs self today and also some concepts and technologies, methodologies and also software that the best understand are these concepts work. Okay, so let's start with the broad idea just to check what we're talking about. Well, privacy. According to the Cambridge Dictionary, it's someone's right to keep their personal matters and relationships sex secret. Well, ofcourse, among other things. Privacy, in fact, is the right to safeguard our life and information and keep our information private. According to the Article 12 of the Universal Declaration of Human Rights, no one shall be subjected to arbitrary interferences with his privacy, family, home or correspondence, nor to attack upon his honor and reputation. Everyone has the right to the protection off tell against such interferences. Varitek. Unfortunately, this does not apply to everyone, but it lead us to the question question. Is there a liberty without privacy? And what about democracy? Because in fact, if we don't have the right to keep our life private, to think on our own okay, democracy works because democracy, the principal off the democracy. It's dead. Everyone has a right to their opinion. So therefore, privacy. It's the keystone off democracy, among other features, and these leaders to an example off China that has been building what it cost. The world's biggest camera surveillance network secret across the country, with 170 million CCTV cameras are already in place than estimated 400 million new ones will be installed in the next three years. Many off the cameras are fitted with artificial intelligence, including festival recognition technology. There's this short documentary by Johns said, worth from BBC, where he goes to these police control room and they said the control room to try to catch him. And after seven minutes off, leaving the premises, they catch they catch him just by using the technology with the CCTV cameras. Delink is under description and it's ah must see for this kind of subject that we're talking about over here now. The term personal date them the personal data. It's any information that relates to a needed to fight. Already the Inter filed living individual. It could be different business off information which collected together can lead to the identification off a particular person also constitute the personal data. These are known as that quasi did the first that we will see on the next slide a personal data that has been didn t fight, encrypted or upset, minimized but can be used to read, identify person, reminds personal data and falls within the scope of the law. We are going to see some techniques to anonymized data. But nevertheless, if the if the light is an anonymized, it does not mean that it's not related toe an individual and that it is not personal data. Also, personal data that has been rendered anonymous in such a way that the individual is not are no longer identifiable. It's no longer comes their personal data for data to be truly an atomized, then an imitation must be a reversible. And these really this to the next study. Also just a quick note for examples off personal datum. No personal data might be for a name is her name and no mattress and email address and, for example, if you have an email address on the company and the name address their email addresses something like your name, dot surname. Even when you leave the company. You still have the right to access your bet. Email because they will. In fact, it's a bit off a personal data because it has your name and your surname. Now we were talking about the quality of the fires. Was identifiers are pieces of information that are not off themselves. Unique identifiers the Tarsus, if sufficiently well correlated with an entity that it could be, combine it with other question. Did the first degree yet a unique identifier? So the best better give you an example. For example, Ah, Dr Lieutenants Union has shown that even though neither jet with general birth dates or postal codes unique, identified an individual, the combination off paltry is enough to identify 87% off individuals in the United States. And this process is called the read identification, and this is a quantitative fire sees a term an element that does not relate directly to someone. But when combine it with other quasi identifiers, most likely will be enough to identify someone 2. 1.2) Privacy in Health: Let's give a quick look. It's that the privacy when it comes to health care now it's a known fact that most people, they did not tell their doctors everything that they should. So they tried to omit some some things that they are afraid to be recorded and that might play against him and infect one off the moment reasons start clinical datum like disabled, disabled date. The genetic psychiatric are used in shirt, even within a single hospital. No, let's try to understand why people did not. Most of the time, they did not like to tell everything to their doctors. In fact, they deliberately omit personal and our family information that might be important to the medical history and sometimes some off them the evil they even up to try to some self treatment and self medication instead, off asking for medical help. They can even pay for certain types of treatments in cash. We're talking about imagine illegal abortions, and they lied to the help professional. So So we don't some people as we don't want the doctors to know everything about us and some of them. They can evil travel to various several hospitals and our centers, but they can simply ask the doctor not to record to keep on track certain types off clinical and information on Dwight today do this. We can see these into broad groups while we have the youngest that they when concerns, it's, for example, it and want in pregnancy and in turn off them girls. Mostly they don't want their fathers to find out about the pregnancy. They said they asked the doctor they try simply to try them. At least at one point. They will know about it right and also similarly for mission clinical information like psychiatric diseases, generative diseases wherever may ever. Maybe a problem when it comes to find a new job because I mean doesn't play good to anyone to know that the future boss knows that we we might have some health. Ah, issue, however, disease a bit off a contra since because most younger state whoever they adopt the risky behavior on social networks. So some off them they tried to write information to the doctors, but they don't have much problems into posting some sensitive information online. Nevertheless, adults on the other and odd ALS are concerned about their employability also their jobs. So as some off the younger also that health insurance. Because all teachers companies day will most likely get access to the information to the medical information. So and the Israel reflect directly on the price that they will have to route to pay, do their life insurance. We also have the social stigma, I mean, psychiatric diseases. No one likes to know that everybody knows that we have some issue that cannot be solved that has not solved. And also there's a financial and psychological impact off decisions that may be taken as a result. Off the analysis off the clinical data. And we were talking about this life insurance. Also, when we want to buy a house, we must ask for the bank for some money, and if we have some clinical bait them that might give us away when my not be a good idea to have that kind off information read, Carter's. Nevertheless, this kind of papers be eight years. They are potential armful, mostly to those who are these kind off information, because they make it difficult to provide the best health care possible. So in the end, this does not play well to the the patients that ideas information away. And in fact, by using such a control strategies over the personal information, patients significantly decreased the quality off medical records in general. So this does not play well only for the person for the person who does this, but also in a general sense, okay. And also we have the confidence off the user in the security off. Their data is therefore essential for the health off the own ones and for the society in general. And this is where GDP Air plays a big role because it tries to safeguard mostly the user date and to use the best practices in order to keep that they're safe and try to mitigate this kind off. Ah, position. That's, um, patients do steal F. 3. 1.3) Legislation: we are going to review sometimes off legislation. However, we are focusing more on the European and Western legislation now. Legislation, well, the right to privacy become an international human right before it was nationally well established for them at the right. And these mostly happened after the World War two because the state's finally noticed that the right to privacy must be written, must be recognized as an international human right. And it must be also included in any state constitution, because the problem with T states that Dictatorships, it's where people they did not ever right to privacy. They did not ever the right to think on their own, and these way led to some states and ways our thinkings and politics to be implemented. However unfortunately did these. It did not only happen on the Europe alone, it does happened today in many parts off the world. But however ear in Europea we applied and we see the right to privacy as a state constitution, right that should be given to any citizen. Now we have the convention off when a way to the Convention for the Protection Off individuals with regards to automatic processing off personal data. It isn't 1981 Council off Europe Trenti that protects the right to privacy off individuals taking account off the increasing flow across frontiers off personal data undergoing automatic processing. Then we have the directive. There's directive and this directive off the European Parliament and off the council off 24 October 1995. On the protection Off individuals week regard the processing off personal data and on the free movement off center stated. And over here we can notice there already some terms that they are specific, like the noticed that the subjects should be given notice when their data is being collected. Also, the purpose. 40 state What's the state they're going to be used? We should give away for our data to be used and also the security so that they must be safeguarded and also that disclosure, access and accountability. As you can see, these are the basis that now formed edgy DPR. So, however, they are still beat role. Later on, we have the legislation there will be in charter off fundamental rights and the charge offs , fundamental rights after repeated union and try and certain political, social and economic rights for the European Union citizens and residency to do yet European law. It was rafted by the European Convention and selling proclaimed on 7 December 2000 by the European Parliament, the Council of Ministers and European Commission. However, the illegal stated was uncertain and did not have full legal effect until the entry into force off the treaty awfully. But on 1 December 2000 nine. So we already at the basis for the law to be applied. However, it took us there sometime in order to for it to take full effect and being applied. However, we are talking about 2000 2009 so some time as going to see in stem and therefore we need to review these where GDP our country, the place that we'll see on the next chapter. So, as you can see, these are just some of the main points off the charter of fundamental rights. I mean, I'm not going to to read them because you can also download these pdf and the goal off these old courses that I just don't read out loud. I mean, so you can don't know this. You can give them a quick check. They are the main points off their charter of fundamental rights, and on the next lesson we are going to talk about the GDP are. 4. 1.4) GDPR: a lot of talk has been going on about GDP are and in fact there are reasons. Toe all these talk, the GDP, arsons for general data protection regulation and it's an European regulation law. It is the most important change that the privates regulation in 20 years, as it is a regulation, that provision are directly applicable without and in transposition being foraged your addiction, thus ensuring truth legislative harmonization at the little off that the protections in our country in the European Union. This means that even if for ends company operates in the European Union, they will have to abide to these low. Okay, it will be a you know, it's already being applied on the 25 25 May 2 dozen hating to our European state members. And if probably you also received a lot of females regarding these new love asking for your consent for companies to safeguard your data. Because with this new law, a company needs to have the direct user approval in order to maintain their personal information than your regulation. Imposes rigorous applications off good data security and privacy and privacy practices, including the informant consent so they user must expressly consent that these are, er data. It's being used. Then we have the absurd organization in fact, distance for data management and the identification procedures by which personally identifiable information fields we dina date record. I replace it by one or more artificial identifiers or, said Donna names. Okay, so the data sets need to be an animal eyes, or at least sailed anonymized the notification off breach of privacy. While this means if a company it's hacked and their data is leaked, they need to inform the users, or at least the ones they have the data that, in fact, these did happen. Okay, so there's no more hiding the hex. Also the appointment responsible for personal data DPL in companies. So companies that have more than a certain number off off data off size, they need to Evan appointed GPO. Also the correction of data. You can always conduct the company and update the data changes the data, the portability off datum, their right to be for granted. And this is a major step because which is low. We can call on any company and we have the right to be forgotten. So we must and we shouldn't. We can require to an entity to delete all the data they have regarding as we also have the introduction off the privacy by design and by the fourth principle in the processing of personal data in problem with the encouragement off Data Student Organization. As you can see, there's a lot off making the point stronger because at the moment, as as we are going the Internet, it's going toe Wild West, where companies do what they like to do and they just contact us and the spammers, and they do as they seem suit. However, with this law, there's going to be a reinforcement off the European units Citizens lost on rights, personal date, the and operation are set off operations carry it out on personal data or in personal data states bite omitted or non automated means. So this is on the actions. The processing or personal data is the final s every action, every vertical actors frustration organization. So on it's seen as an operation on the personal data, however, did are some recitals and, for example, deserved the ones that I picked up. That is to say, the information which does not concern and identified or identifiable natural person nor toe personal data and made so anonymous that is no longer or can no longer be into fight. This is about the recital 26. Okay, so the data protection should not therefore be applied on anonymous information. And when we talk about the anonymous information, it's date them that we seem as that cannot be the anodyne ized. That means that there is no possible way to know who to target to identify the user after the device. OK, so the database must be anonymized. Then we have the recital 28. It's the explicit introduction off certain organization in this regulation is not intended to exclude any for data protection measures. Okay, this means that just pipe sodomizing it does not mean that we need that we can disregard all the other and an immunization techniques. In fact, application off Siddle organization to personal data may reduce the risks to the data subjects concerned and out those responsible for processing. And there's of contractors to comply with their data protection obligations. So the later that we keep from the users must be either said anonymized okay or must be completely anonymous now for the technical compliance. We are just going to make a quick review. We need to ensure the transparency in procedures providing the older, off personal data with all the information during the collection process. Notre Validator consents. Okay, so all the processes was that we saw over here on the back. The user, as the right and missed know what it's going to be with. He's on her data. We also need to implement all the and registration mechanism for our treatment activities. So all these actions must be long, thin and upset. Organization must be applied and scrambling to ensure a level off secret security. Okay, that must be according to the risk. What this means that, for example, a small companies that send some newsletters will not and will not have the same Still, the organization and scrambling techniques like a secret service agency. Most applied to the database. So this is it. It is according to the framework that we are working on also need to implement and prove the process off limitation minimization and privacy by design privacy. Beautiful. These are too strong sentences that are deeply applied to the GDP air. You need to reduce the diet data processing to the strictly necessary as well as conservation Longevity. Do remember that if there's a data leak, if the company must notify the users and reported to the authority also, we need to guarantee the secret e off datum, taking them against notarized release treatments as well as exited the lost direction or damage. Well, we must take the measures to try to guarantee because, as we know, it's not another percent secure to guarantee the debt is security. But we need to to perform the best measures to take these into account. No, they did that explicit directly or in directly information about else clinical records and biometric off an individual that these are special categories off personal data because ah , the list GDP here does not apply 12. The data OK, also the European. The legislation allows the processing off such sensitive that that we teen and undertaken. Okay, you can see there are some exceptions. Also entered the responsibility off a professional subject, professional professional secrecy or confidential under Union Wall. So this does not mean that the law it's ah, secure by default because infect in some cases we have thes special categories off personal date that also, the rules apply not only to the company responsible for the data bust out. So to all the entities that form part of the business group and these can relate to companies that work outside the European Union. In addition, also contracted with access to personal data that they the process er well, in essence, if the same obligations as those responsible for the custody off the data, the data controller, both the that the control and the data process. We left document in detail all the activities related to the processing off personal data. These are the major points that we saw regarding the TTP are the processing of personal that there shall be a permissible where they consider are some points. The data subject has given his consent. So we need to have the constructor explicit consent off the user. And these is not like those newsletters that have the checkbooks enabled by default, that is, are the user must click expressly on the check box, confirmed, confirming that he or she wants to receive the notification from the company. Also, the processing is necessary for the performance off a contract in which the data subject this party or for pregnant contractual arrangements at the request off the data subject and there the data controller in generally, it's obliged to provide the following information to the holders off personal data. So, disease, who controls the personal data, that person or the group of persons that are responsible in the company for controlling the data them the identity and contact details off the controller, including that protection officer and also the purpose off the processing off personal data . There must always be a purpose. We cannot just say we are collecting data because we feel like we must have a purpose and receives received yourself for personal data. And this includes any country outside the European Union and also the period that time the time frame that we are going to keep the data and what obligations to provide the data if they're legal or contractual and possible quince consequence is the data it's not provided . This is an overall view off the DPR and mostly the bottom line. It's that do not trust companies are interpretations. Elon's There are official websites that has all the laws, all the major points and in case of thought. It's always best to check out the rial sources. All the text that we have seen over here on this larger they do come from the European Union website. So I I did not write them. But nevertheless these laws, they do change according to the the company, according to the number off users. So it's always best to check by scenario because there's no silver bullet when it comes to GDP are. 5. 2.1) Anonymization process: we are going to learn work on an immunization said on immunization and identification and some other subjects. And then nick techniques are about now on these lessons. Let's start with day identification. It consists off the removal or obfuscation off whole personal information from a database they descent, and in order to prevent the identification off in the videos. The identification is not necessarily an therapy reversible process, and the mapping table may be expected to reverse the process linking the original records to the DND to fight records. It works. It's a bit similar to cryptography just because it's encrypted. It does not mean that we can go the other way around and find original values. In addition to the suppression off all identifying attributes, the identification usually employs the modification off quantity fires by means off general easiest process, for example, to modify the scale off a natural wood or by introducing uncertainty factors based on the original values. Then we have the enemy ization process. It's considered a strong case off identification by wit. It is intended to make it unfeasible or even impossible, using our reasonable means to read identify, including by the technician who carry out carried out initial operation. The scope off the Pacific definition is adaptable according to the current technological context. All means consider reasonable. There's allowing the necessary resources, coast costs and knowledge to be ready in the fight. The process must be irreversible on similiar to disruption and the proof off impracticality off. Red identification is the truth risk analysis, and we are going to do these on the practical, shocked ER with the Air X software. Also by the light off to DPR anonymized data. It's not considered personal data ceremonies that still don immunization. It's the process that tends to replace our personal identifiers. For example, the name address I D card, etcetera by pseudonyms artificially generated by means off hashing works. Our coats, which my function as a mascot representations off the original data as a rule. So the organization retains are attributes off a relational database, allowing it to safeguard its structure, and that the Syntex, as from so organization, also as a concert to focus on the quasi identifiers attributes, for example, that birthdate and that the assignment off coats is performed in a random manner and in pennant off the original value. Although they may eventually be related to each other in the treatment of personal data in their area Off held, it is quite common to used identification techniques adapted to the specific nature off this type of datum, the hyper safe harbor metrology fighters tendered as tender that removal off 18 sensitive attributes as one off the necessary but not sufficient conditions for database to be considered identified for a simple since individually with it's like the name postal code data, phone numbers, etcetera, then the target date off. The identification process may continue in the light off. The GDP are to be considered personal data practice disease usually impossible to demonstrate with 100% certainty. So in order to be able to give secondary uses to these data without the informant constant off the holders, it isn't always necessary to perform a complete risk analysis off the world process accompanied by the production off pyre. That means privacy him back assessment. Also in the recital 26 only an animus data is a clue excluded from the principal's off the protection. The data are no longer considered personally, actually an animus when the process that led to their identification makes red identification impractical or impossible. That way, when the weapons we can say that the date them I became anonymous. No for the pie. The privacy impact assessment. The privacy impact assessment is a report used to support decisions making, and he's used to identify and mitigate the privacy risk at the beginning and throughout the life cycle offer Given data treatment, for example, the identification by most full fuel tree fundamental objectives. It must ensure the compliance with legal, regulatory and privacy policy requirements that apply to the nature off the data processing in question. It must that remind the risk and their effects and evaluate protections and alternative processes to mitigate potential risks of privacy. Break them then. The purpose off prior is to demonstrate that the data processor and that the controllers that collect and processed data have conceptually and just infallible incorporated privacy protections according to the risks. They're willing to take the quick to support the entire data processing lifecycle that benchmarking the efficiency and safety off the identification process. It's normally there. The effectiveness effectiveness off the identification process can be measured with the reference to the Raider or less or difficulty in carrying out there're identification off individuals, namely the ability to connect are cruel. Eight or more records off the sent me individually. Inference off any information about an individual to deduce the value off a naturally toughening federal with the significant probability off success from other attributes, meaning the quad identified class identifiers the application off a simple mask on the name or i D after individuals or even symmetric. Encryption always allows identity that performed operation to re identify the individuals by creating links between the records within or between the debaters. When we talk about privacy, we've met up must also check on data utility because the process often immunization and identification are usually complex and time consuming, implying different refinements until the desert utility off the final data is updated. As you can tell this graph, the more the privacy on the day descent the last the utility that it will have the ideal situation would mean maximizing both privacy and this user with fullness off the data and practice impossible to achieve. Although an immunization is also intended to maintain data quality by definition, a process inevitably implies loss of information. The best relationship between data utility is to enable users to be able to work. We take them, extracting information and statistics and then by the privacy to ensure that same off the information remains eat. And so disease, um, trade between these two factors and when we anonymized the data, we also must think one was the final go off. The data that we are an animating even is for utility. Or we must give more focus to privacy because if we do, the data must be more anonymized and being less practical to use. 6. 2.2) Techniques to Anonymise Data: on the previous shop that we have seen them. If methodologies and techniques and theory to make the data and animals, now we are going to see in practice how they work out. And after this we will start using some software to an animal eyes data sets. Okay, let's start with random ization. It's a set of techniques that promote the delish in off information very city, eliminating the stronger links between the date that on each individual first we'll start with a nice addition. It consists of applying just like variation to the miracle values and dates. Then we have shuffling. It's about randomly promoting the values often attribute off the send it through a database , and then we have the differential. Privacy allows you to maintain original data records, adding random nice in the result off each search that generated nice takes into account a previous researchers. Then we have key unanimity. It consists of modifying this camp off for off magnitude and can anonymity and insures that there are zero or at least key individuals answered on a stubble us that are covered by the same combinations off positive fires. In this way, the probability off identification. Often individual is equal or less than what one work. A Canon T eat consists off grouping key wreckers into categories or arrange off values given groups. Then we have L diversity anti closeness, and these are revolutions off the key anonymity method in our to ensure that each equivalence class as sufficiently. It's Virginia's attributes in the girls off the elder diversity technique. There must be at least al distinct values for each equivalent group and sensitive attributes in the case off that the closeness technique which rightto approximate the proportion off each density veteran which to the original that cassette dirtying that t that threshold is the maximum distance between that, Distributions said the organization is technically usually used to replace or my personal data. It regards the subsists substitution or coating. It's too succeeded the text, for example, the individual's name for a fix it text for a night, um, updated randomly from a least off values etcetera. Then we have the encryption, usually with symmetric key at one week key and it in Khost, that they using a predator fine it key that the user will set up the user death anonymized the dates the Data said. To left the remember that if you're using a key, you and if in a talker gets access to the key, then your data said information will be compromised. Then we have the hashing. It consists off on a directional encoding. Data it really using a secret salt in Trump T key. And also, if the character mass consists of replacing characters off a text with Nets risk other than prettified incorrect character, we can see it by the list that this just might be the most simple way to go. Then we have the risk off identification and the identification process. Interested Klay as a risk factor for privacy Bridge, which is strongly influenced by the context in which the data is available and by then, anim ization techniques adopted there is cool tiptoe go higher whenever the tech targets a specific target. Example. A single individual. Even the possibility off obtaining all sorts off external information by crossing it with the anonymized take them. However rigorous the identification process may be, the real identification off individuals might in theory, always be possible. It is enough to be used unlimited researchers looking for correlations. We data or in video is in videos previously identified from other database, meaning that no anonymized that this ethical concede as 100% secure unless all the data doesn't have any utility. Okay, so we must always take into consideration that if an attacker also has the background on a specific individual individual, your ship will have higher tax off success to identify that same individual and learn out the enemy ization process worked out now for the risk estimated models. And this is what we're talking about process to really defy than individuals. Again, we have the prosecutor. He tries to re identify a certain register being assumed that already has the confirmation off the presence oft individual in the data set in question. Then we have the journalist that seeks to identify a particular record, although without confirmation, if the individual is president, a subset off the analyzed, then we have the market here that it's when you are interest in red identified large volumes off records, not just individual records. There is scrutiny. To go higher, as we have seen, is a talker as a specific target, and these works out in these kinds off tree attacks and then we have the risk mitigation it results. Pretends in the risk estimation are generally based on the premise that the potential attacker will only have access to the data set available, which often may not be true. In order to guard against a false sense of security, it will be up to the data controller and they the processor to ensure that all risks associated with personal data are after reassess it and periodically updating the pyre off the identification process. Also do take note that sometimes we do anonymized data. But if we don't to an accurate benchmark, it might give us a false sense of security and most of the times a false sense of security . It's better then and no sense off. It's no better than that. The San Softness security and also we must be sure on off the output that we are producing with that anim ization process. Now regarding air GpD, a explicit e forces that need for data controls on data processes to carry out risk assessments associated with the various processing off personal data they are. They are also obliged to report to the DP A off the country situations in which the resulting than Mitic about risk is considered. I also, if doesn't date the bridge that that the controllers and that the process is mess up must also report to the d. P. A. Finally, we have the treatment off risk. And unlike usual organizational risk management processes a sentence off the residual privacy risks will have to be justified and often recessed by the company as it might be violating off citizen right as the conduct off desert it's implies evaluation off impact off the treatment operations. They also have the advantage off implicitly. Promoting compliance is with the god. Of course, stipulated in Article 14 at the GDP are the risk assessments may also be completed by periodic implementation off the privacy impact assessment and finally, auditing the various organs. The organizational process with the objective off evil waiting, the risk off privacy bridge that underlie the company activity as well as who they define possible mitigation actions