What five questions tell you whether a dataset still contains personal data?
If you can directly identify, single out, infer about, or link records to an individual — or reverse the de-identification — it's still personal data.
* The five identifiability tests — fail any one and the data stays personal under GDPR. *
Data is not anonymous (i.e. it remains personal) if any of these hold:
- Direct identification — it contains directly identifying info (name, email, SSN).
- Singling out — you can distinguish one data subject from others in the group.
- Inference — you can deduce something about a person (e.g. infer a disease from a "medication" field).
- Linkability ("mosaic effect") — records can be linked to an individual within your own data or by joining external sources.
- Reversibility — the de-identification can be undone.
Crucially, you assess these both within your own database and against other available data sources. You're also processing personal data whenever you collect directly from people or use data observed/derived from them — even if the end result looks anonymous.
Tip: Pass all five tests and you may have true anonymization; fail any one and you're still bound by the GDPR.
Go deeper:
Data re-identification (Wikipedia) — singling-out / linkability / inference shown in real cases.
GDPR Recital 26 (gdpr-info.eu) — the basis for "still personal unless no longer identifiable".