Blog
Practical guides on data anonymization and GDPR compliance.
-
How to anonymize data before pasting it into ChatGPT, Claude & Gemini
Learn how to anonymize data for ChatGPT, Claude, and Gemini: redact names, emails, and IDs locally before you paste, then restore the real values in the answer. A practical, GDPR-aware guide.
8 min read
-
Can lawyers use ChatGPT with client data? Confidentiality, privilege & the Heppner ruling
Lawyers using ChatGPT with client data risk breaching confidentiality and waiving privilege. What GDPR, bar-association guidance and US v. Heppner require — and how to redact client identifiers locally before you prompt.
11 min read
-
Data masking vs anonymization vs pseudonymization — what is the difference?
Data masking is a technique; anonymization and pseudonymization are GDPR legal outcomes. Static masking usually anonymizes, dynamic and deterministic masking usually pseudonymize. Compare all three across reversibility, data status, and GDPR — with clear examples.
7 min read
-
How to anonymize a dataset for AI/ML training under GDPR
A practical guide to anonymizing a training dataset before machine learning: which columns are direct vs quasi-identifiers, how to mask them consistently, why k-anonymity matters, and how doing it locally keeps raw data off third-party infrastructure.
4 min read
-
How to properly anonymize a Word, PDF or Excel document (metadata leaks included)
Redacting a document is more than blacking out text. How to anonymize Word, PDF and Excel files correctly: real redaction vs fake black boxes, the metadata and hidden-data leaks people miss (author, track changes, comments, hidden columns), and how to preserve formatting.
4 min read
-
Does GDPR still apply to anonymized data? Erasure, retention & Recital 26
Does the GDPR apply to anonymized data? No — Recital 26 places truly anonymous data outside the regulation. But the bar is high: the data must be irreversibly de-identified. How that affects erasure (Art. 17), retention limits, and the line against pseudonymization.
5 min read
-
DPIA checklist: when a Data Protection Impact Assessment is required (GDPR Art. 35)
A Data Protection Impact Assessment (DPIA) is a documented risk analysis you must run before high-risk processing under GDPR Art. 35. When it is mandatory, the four elements Art. 35(7) requires, a step-by-step checklist, and how anonymization lowers the risk you have to assess.
5 min read
-
Anonymizing PESEL, NIP, REGON & KRS — what they reveal and how to mask them
A PESEL number encodes date of birth and sex, and a sole trader's NIP is personal data — so plain find-and-replace does not anonymize Polish identifiers. See what each ID reveals and how to mask PESEL, NIP, REGON and KRS under the GDPR.
8 min read
-
Data anonymization: the complete guide (GDPR, methods, tools)
Data anonymization explained end to end: what it is, how it differs from pseudonymization and masking, the GDPR basis (Recital 26, Art. 4(5)), the core techniques (masking, k-anonymity, synthetic data), re-identification risk, and how to choose a local vs cloud tool.
10 min read
-
HIPAA Safe Harbor: the 18 identifiers you must remove to de-identify data
The HIPAA Safe Harbor method (45 CFR §164.514(b)(2)) de-identifies protected health information by removing 18 specified identifiers. The full list, how Safe Harbor differs from Expert Determination, and the actual-knowledge caveat — with before/after examples.
4 min read
-
The Polish PII Redaction Checklist (PESEL, NIP, REGON, KRS)
A practical mask-and-verify checklist for redacting Polish personal data. What PESEL, NIP, REGON and KRS each reveal, why find-and-replace misses inflected Polish names, and a step-by-step routine to confirm a document is actually anonymized under the GDPR.
5 min read
-
On-device vs cloud PII redaction: which is safe for GDPR?
On-device PII redaction keeps data on your machine — no new processor, no cross-border transfer, no extra breach surface. Cloud redaction uploads data to a third party. See the GDPR differences, a decision table, and when each is acceptable.
8 min read
-
Microsoft Presidio alternative: no-code, ready-made PII anonymization
Looking for a Presidio alternative? Microsoft Presidio is a powerful open-source PII SDK, but it needs engineering to deploy, tune, and maintain. When a ready-made, no-code app with built-in Polish ID support and local processing is the better fit — and an honest comparison.
4 min read
-
Why removing the name isn't enough: re-identification risk explained
Re-identification risk is the chance that a person can be identified from "anonymized" data. Deleting the name is not enough — quasi-identifiers like ZIP code, birth date, and sex can single someone out. Here is what that means under GDPR.
7 min read
-
Reversible anonymization: masking with a private key (tokenization done right)
What is reversible anonymization? Masking that swaps each identifier for a placeholder while keeping a private key that can restore the original. How it differs from encryption and hashing, why it is legally pseudonymization, and when a two-way workflow beats irreversible masking.
5 min read
-
Synthetic data vs anonymization: which actually protects privacy?
Synthetic data and anonymization both aim to let you use data without exposing people — but they work differently and fail differently. How each protects privacy, why synthetic data can still leak through the model that made it, and when masking real data is the more verifiable choice.
4 min read
-
Anonymization under RODO: UODO requirements and how to do it correctly
Data anonymization under Poland's RODO (GDPR) and UODO guidance: how it differs from pseudonymization, when data leaves scope (Recital 26), how to handle the Polish identifiers PESEL, NIP, REGON and KRS, and a practical checklist for correct, irreversible anonymization.
5 min read
-
Before you paste: the safe-AI redaction workflow
A vendor-neutral three-step workflow for using ChatGPT, Claude or Gemini without leaking personal data: anonymize on your machine, work with the AI on masked text, then restore the originals locally with your private key. What to redact, what stays, and why the order matters.
4 min read
-
How to use AI without leaking client or personal data
Use AI without leaking data: consumer LLMs retain and train on your prompts by default. The fix is to redact PII locally before prompting and restore real values afterwards. A complete GDPR-ready guide for lawyers, healthcare, HR, finance and DPOs.
10 min read
-
What is PII? Types of personal data under GDPR
What is PII? A clear definition of personally identifiable information and how it maps to "personal data" under GDPR Art. 4(1) — direct and indirect identifiers, special category data, and real examples (name, email, PESEL, IP address).
8 min read
-
Anonymization vs pseudonymization — the differences under GDPR
Anonymization irreversibly breaks the link between data and a person, taking the data outside the GDPR. Pseudonymization is reversible and the data remains personal data. See the differences, practical examples, and when each is required.
5 min read