GDPR & Compliance

Internal Employee IDs Are PII Too: Detecting Proprietary...

Every large organization has proprietary internal identifiers that link anonymized records back to real people.

April 19, 2026 · 8 min read

Tags: employee ID anonymization, proprietary identifier detection, quasi-PII, GDPR custom entities, no-code pattern builder

The Quasi-PII Problem

GDPR Article 4 defines personal data as "any information relating to an identified or identifiable natural person." The key word is "identifiable" — not just currently identified, but capable of identification through additional processing. A value that is not directly identifying but can be linked to a real person through internal systems is personal data under GDPR.

Internal employee IDs are the most common example. "EMP-EU-123456" does not directly identify anyone. But the HR database holds a table: EMP-EU-123456 → Maria Schmidt, Senior Engineer, Munich. Any document containing EMP-EU-123456 can be linked to Maria Schmidt by anyone with access to the HR database. Under GDPR, EMP-EU-123456 is personal data — it is information relating to an identifiable natural person.

The same analysis applies to customer account numbers (linking to CRM records), project codes (linking to client identity in contract databases), internal reference numbers for legal matters (linking to case participants in the DMS), and medical record numbers in external systems (linking to patient records in the hospital's EHR).

Organizations that anonymize the obvious PII (names, email addresses, national IDs) but leave internal identifiers untouched have not achieved GDPR-compliant anonymization. They have achieved de-anonymization in two steps rather than one — requiring an attacker (or an overly curious employee) to consult the HR database rather than reading the document directly.

The Coverage Gap in Practice

DLA Piper's 2025 GDPR Annual Report found that 34% of all GDPR fines involve inadequate technical measures under Article 32 — the requirement to implement appropriate technical safeguards. Inadequate anonymization, including the failure to detect and remove quasi-identifying internal identifiers, is a documented category of Article 32 violations.

The EDPB processed 900+ consistency mechanism cases in 2024, reflecting the increasing volume of enforcement coordination across EU member states. Cross-border enforcement (where the lead supervisory authority in one country coordinates with others) means that an Article 32 violation in a data set shared across EU borders can trigger coordinated enforcement.

The No-Code Pattern Solution

For a global logistics company's compliance team anonymizing employee records for an external HR audit:

Employee IDs follow the format EMP-[REGION]-[0-9]{6} — EMP-EU-123456, EMP-APAC-789012, EMP-AMER-345678. The compliance team provides 3 examples to the AI pattern helper. The AI returns: detected pattern EMP-[A-Z]{2,4}-\d{6}; matches all provided examples; suggested entity name: EMPLOYEE-ID; test against edge cases including different region codes.

The team tests against 10 additional samples, including EMP-DACH-000001 and EMP-APAC-999999. The pattern validates correctly. The custom entity is saved to the GDPR compliance preset shared with all team members. All 47 documents in the HR audit package are processed in one batch. All employee IDs are replaced with role-based pseudonyms. The audit firm receives documents that cannot be linked to individual employees through any internal database.
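The workflow above (validate the detected pattern against the samples, then replace every employee ID consistently across a batch) as an added example; this is illustrative code, not the product's own implementation, and the documents, the `Pseudonymizer` class and the `EMPLOYEE-nnn` pseudonym scheme are assumptions. It also covers one edge case the page does not spell out: anchoring the pattern with `\b` so that a longer token such as "TEMP-EU-123456" is not partially redacted.

```python
import re

# The page's employee-ID format EMP-[REGION]-[0-9]{6}, anchored with \b so a
# longer token like "TEMP-EU-123456" is left alone instead of being half-redacted.
EMPLOYEE_ID = re.compile(r"\bEMP-[A-Z]{2,4}-\d{6}\b")


def matches_all(pattern: re.Pattern, samples: list[str]) -> bool:
    """Validation step: every sample must be matched as a whole token."""
    return all(pattern.fullmatch(s) for s in samples)


class Pseudonymizer:
    """Replaces each distinct employee ID with a stable pseudonym (hypothetical helper).

    The ID-to-pseudonym table is kept only in memory; it must never travel
    with the anonymized output, otherwise the two-step re-identification
    described above is simply re-created.
    """

    def __init__(self, pattern: re.Pattern, prefix: str = "EMPLOYEE"):
        self.pattern = pattern
        self.prefix = prefix
        self._table: dict[str, str] = {}

    def pseudonym_for(self, real_id: str) -> str:
        if real_id not in self._table:
            # Sequential tokens carry neither the region code nor the original number.
            self._table[real_id] = f"{self.prefix}-{len(self._table) + 1:03d}"
        return self._table[real_id]

    def redact(self, text: str) -> str:
        return self.pattern.sub(lambda m: self.pseudonym_for(m.group(0)), text)

    def redact_batch(self, documents: list[str]) -> list[str]:
        # One table for the whole batch keeps cross-document references consistent.
        return [self.redact(doc) for doc in documents]


# Constructed sample documents (not from the page).
SAMPLE_DOCS = [
    "Performance review for EMP-EU-123456, approved by EMP-DACH-000001.",
    "EMP-EU-123456 transferred to APAC; new manager EMP-APAC-999999.",
    "Ticket TEMP-EU-123456 is a system id, not an employee.",
]

if __name__ == "__main__":
    print(matches_all(EMPLOYEE_ID, ["EMP-EU-123456", "EMP-APAC-789012", "EMP-DACH-000001"]))
    for doc in Pseudonymizer(EMPLOYEE_ID).redact_batch(SAMPLE_DOCS):
        print(doc)
```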

