The Redaction Decision
When protecting sensitive data, you face a fundamental choice:
- Permanent redaction: Data is irreversibly removed. No recovery is possible.
- Reversible encryption: Data is encrypted and can be decrypted with proper authorization.
This choice has implications for compliance, legal discovery, research, and audits. Choose wrong, and you may find yourself unable to comply with court orders or regulatory requests.
GDPR: Anonymization vs. Pseudonymization
GDPR explicitly distinguishes between two approaches:
Anonymization (Recital 26)
Data that can no longer be attributed to a specific individual is not personal data. GDPR doesn't apply.
Requirements:
- Irreversible (re-identification is not possible by any means reasonably likely to be used)
- No additional information, whether held by you or by anyone else, can enable re-identification
- Truly anonymous data is outside GDPR scope
Pseudonymization (Article 4(5))
Data where identifiers are replaced with tokens that can be reversed with additional information.
Key points:
- Still considered personal data under GDPR
- Counts as a security measure (Article 32)
- Reduces risk in case of breach
- Allows data processing for research (Article 89)
| Approach | GDPR Status | Reversible | Use Case |
|---|---|---|---|
| Anonymization | Not personal data | No | Public datasets |
| Pseudonymization | Personal data (protected) | Yes | Internal processing |
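To make the distinction concrete, here is a minimal sketch of pseudonymization in the Article 4(5) sense: identifiers are swapped for random tokens, and the token-to-value lookup table is the "additional information" that must be kept separately. The function names and record layout are hypothetical and only illustrate the idea; this is not how any particular product stores its mappings.

```python
import secrets


def pseudonymize(records, field):
    """Replace `field` in each record with a random token.

    Returns the pseudonymized records plus a lookup table. The lookup
    table is the "additional information" and should be stored apart
    from the data, under its own access controls.
    """
    lookup = {}  # token -> original value (keep separately)
    seen = {}    # original value -> token, so repeats share one token
    output = []
    for record in records:
        value = record[field]
        if value not in seen:
            token = f"{field.upper()}_{secrets.token_hex(4)}"
            seen[value] = token
            lookup[token] = value
        output.append({**record, field: seen[value]})
    return output, lookup


def reidentify(records, field, lookup):
    """Reverse the pseudonymization using the lookup table."""
    return [{**record, field: lookup[record[field]]} for record in records]


patients = [
    {"name": "John Smith", "diagnosis": "asthma"},
    {"name": "John Smith", "diagnosis": "flu"},
]
pseudo, table = pseudonymize(patients, "name")
restored = reidentify(pseudo, "name", table)
```

Destroying the lookup table does not automatically make the data anonymous: the remaining fields may still allow re-identification, which is why the anonymization bar is higher.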
Why Permanent Redaction Can Be Problematic
1. Legal Discovery
Courts can order production of un-redacted documents:
- Privilege claims may be challenged
- Judges may conduct in-camera review
- Opposing counsel may dispute redactions
- Appeals may require original evidence
If you've permanently deleted information, you cannot comply.
Real case: A law firm permanently redacted client names from documents. When the court questioned a privilege claim, they couldn't produce originals. Sanctions followed.
2. Regulatory Audits
Auditors may request complete records:
- Financial audits require transaction details
- Healthcare audits need patient records
- GDPR audits may examine processing activities
"We permanently deleted that information" is rarely an acceptable answer.
3. Research Re-identification
Longitudinal studies require linking data over time:
- Medical research tracking patient outcomes
- Academic studies with follow-up phases
- Quality improvement requiring trend analysis
Permanent anonymization removes the link between a person's records, which rules out this kind of follow-up research.
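One common way to keep records linkable over time without exposing the identifier is a keyed hash. The sketch below uses HMAC-SHA256 from the Python standard library; note that this is a different technique from the reversible encryption discussed in this article, and the key, identifiers, and measurement values are made-up placeholders.

```python
import hashlib
import hmac


def link_id(patient_id: str, study_key: bytes) -> str:
    """Derive a stable pseudonym from an identifier with HMAC-SHA256."""
    digest = hmac.new(study_key, patient_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


# Placeholder only. A real key would come from a CSPRNG and be held by
# the data custodian, not by the researchers.
study_key = b"example-key-held-by-the-data-custodian"

# Two data collection waves, keyed by pseudonym instead of patient ID.
wave_1 = {link_id("MRN-1001", study_key): {"hba1c": 7.9}}
wave_2 = {link_id("MRN-1001", study_key): {"hba1c": 6.8}}

# The same patient maps to the same pseudonym in both waves,
# so outcomes can be joined without the raw identifier.
shared = wave_1.keys() & wave_2.keys()
```

Whoever holds `study_key` can recompute the pseudonym for a known patient, so the output is still pseudonymized personal data rather than anonymous data.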
4. Business Needs
Organizations often need to reverse redactions:
- Clients request their original documents
- Internal reviews need complete information
- Business decisions require full context
When to Use Each Approach
Use Permanent Redaction When:
| Scenario | Example |
|---|---|
| Public release | Open data initiatives |
| No re-identification need | Published statistics |
| Required by regulation | Certain breach notifications |
| Storage minimization | Data you shouldn't keep |
Use Reversible Encryption When:
| Scenario | Example |
|---|---|
| Legal discovery | E-discovery productions |
| Internal processing | Analytics, reporting |
| Research | Longitudinal studies |
| Client services | Document management |
| Audit preparation | Compliance evidence |
How Reversible Encryption Works
anonym.legal uses AES-256-GCM encryption for reversible redaction:
Encryption Process
Original: "John Smith, SSN 123-45-6789"
↓
[Detect PII]
↓
Entities: PERSON("John Smith"), SSN("123-45-6789")
↓
[Generate encryption key]
↓
[Encrypt each entity]
↓
Output: "[PERSON_abc123], SSN [SSN_def456]"
Decryption Process
Input: "[PERSON_abc123], SSN [SSN_def456]"
↓
[Load encryption key]
↓
[Decrypt tokens]
↓
Output: "John Smith, SSN 123-45-6789"
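The two flows above can be sketched in Python with AES-256-GCM from the third-party `cryptography` package. This is an illustration under stated assumptions, not anonym.legal's implementation: the entity list is supplied by hand instead of by a detector, the function names are hypothetical, and each token carries its own hex-encoded nonce and ciphertext, so tokens are much longer than the short `[PERSON_abc123]` form shown above.

```python
import re
import secrets

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Token layout assumed for this sketch: [LABEL_<hex of nonce + ciphertext>]
TOKEN_RE = re.compile(r"\[([A-Z_]+)_([0-9a-f]+)\]")


def encrypt_entities(text, entities, key):
    """Replace each (label, value) entity in `text` with an encrypted token."""
    aead = AESGCM(key)
    for label, value in entities:
        nonce = secrets.token_bytes(12)  # 96-bit nonce, fresh for every entity
        # The label is bound as associated data, so a token cannot be
        # relabeled (for example SSN -> PERSON) without failing decryption.
        ciphertext = aead.encrypt(nonce, value.encode("utf-8"), label.encode("utf-8"))
        token = f"[{label}_{(nonce + ciphertext).hex()}]"
        text = text.replace(value, token)
    return text


def decrypt_tokens(text, key):
    """Restore every token in `text`; raises InvalidTag if the key is wrong."""
    aead = AESGCM(key)

    def restore(match):
        label, blob = match.group(1), bytes.fromhex(match.group(2))
        nonce, ciphertext = blob[:12], blob[12:]
        return aead.decrypt(nonce, ciphertext, label.encode("utf-8")).decode("utf-8")

    return TOKEN_RE.sub(restore, text)


key = AESGCM.generate_key(bit_length=256)
original = "John Smith, SSN 123-45-6789"
entities = [("PERSON", "John Smith"), ("SSN", "123-45-6789")]

protected = encrypt_entities(original, entities, key)
restored = decrypt_tokens(protected, key)
```

GCM is an authenticated mode, so decrypting with the wrong key or a tampered token raises an exception instead of returning garbage.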
Key Security
The encryption key is:
- Generated client-side using CSPRNG
- Never transmitted to anonym.legal servers
- Stored in your encrypted key vault
- Protected by your authentication
Without the key, decryption is computationally infeasible.
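As a rough illustration of what a CSPRNG-generated 256-bit key means in practice, the sketch below generates one with Python's `secrets` module and estimates how long an exhaustive key search would take. The attacker speed of 10^12 guesses per second is an assumption picked for the arithmetic, not a measured figure.

```python
import secrets

# 32 bytes = 256 bits, drawn from the operating system's CSPRNG.
key = secrets.token_bytes(32)

keyspace = 2 ** 256
guesses_per_second = 10 ** 12  # assumed attacker speed
seconds_per_year = 60 * 60 * 24 * 365

# Years needed to try every possible key at that speed.
years_to_exhaust = keyspace // (guesses_per_second * seconds_per_year)
print(f"{years_to_exhaust:.2e} years")
```

The result is on the order of 10^57 years, so the practical risk is a lost or leaked key rather than a brute-force attack.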
Competitor Comparison
| Tool | Reversible | Key Management | Audit Trail |
|---|---|---|---|
| Amazon Comprehend | No | N/A | Limited |
| Microsoft Presidio | Yes (encrypt operator) | Caller-supplied key | No |
| Private AI | No | N/A | Limited |
| Google DLP | Yes (cryptographic transformations) | Cloud KMS or caller-supplied key | Yes |
| anonym.legal | Yes | Client-side | Yes |
Tools that offer only permanent redaction have limited utility for legal, research, and compliance use cases.
Implementation Guide
Step 1: Classify Your Use Case
Ask yourself:
- Will I ever need the original data back?
- Could a court order production of originals?
- Does research require re-identification?
- Do auditors need complete records?
If any answer is "yes" → use reversible encryption.
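The checklist above reduces to a simple "any yes" rule. A minimal sketch, with hypothetical field and function names:

```python
from dataclasses import dataclass


@dataclass
class UseCase:
    """Answers to the four classification questions."""
    need_original_back: bool = False
    court_may_order_originals: bool = False
    research_needs_reidentification: bool = False
    auditors_need_full_records: bool = False


def choose_approach(case: UseCase) -> str:
    """Return 'reversible_encryption' if any answer is yes."""
    answers = (
        case.need_original_back,
        case.court_may_order_originals,
        case.research_needs_reidentification,
        case.auditors_need_full_records,
    )
    return "reversible_encryption" if any(answers) else "permanent_redaction"


public_dataset = UseCase()
litigation_hold = UseCase(court_may_order_originals=True)

print(choose_approach(public_dataset))   # permanent_redaction
print(choose_approach(litigation_hold))  # reversible_encryption
```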
Step 2: Configure Operators
In anonym.legal, choose your approach per entity type:
| Entity Type | Operator | Result |
|---|---|---|
| PERSON | encrypt | [PERSON_abc123] |
| SSN | mask | ***-**-6789 |
| EMAIL | replace | [EMAIL_1] |
| CREDIT_CARD | redact | [REDACTED] |
Mix approaches based on your needs.
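To show how mixed operators behave, here is a small sketch that applies `mask`, `replace`, and `redact` per entity type. It is a hypothetical illustration rather than anonym.legal's configuration format: entities are passed in by hand, the sample email and card number are placeholders, and the `encrypt` operator is left out to keep the example dependency-free.

```python
import re


def apply_operators(text, entities, operators):
    """Apply the configured operator to each (label, value) entity in `text`."""
    counters = {}
    for label, value in entities:
        operator = operators[label]
        if operator == "mask":
            # Hide every letter and digit except the last four characters.
            replacement = re.sub(r"\w", "*", value[:-4]) + value[-4:]
        elif operator == "replace":
            # Numbered placeholder per entity type: [EMAIL_1], [EMAIL_2], ...
            counters[label] = counters.get(label, 0) + 1
            replacement = f"[{label}_{counters[label]}]"
        elif operator == "redact":
            replacement = "[REDACTED]"
        else:
            raise ValueError(f"unsupported operator: {operator}")
        text = text.replace(value, replacement)
    return text


text = "SSN 123-45-6789, email jane@example.com, card 4111 1111 1111 1111"
entities = [
    ("SSN", "123-45-6789"),
    ("EMAIL", "jane@example.com"),
    ("CREDIT_CARD", "4111 1111 1111 1111"),
]
operators = {"SSN": "mask", "EMAIL": "replace", "CREDIT_CARD": "redact"}

result = apply_operators(text, entities, operators)
print(result)  # SSN ***-**-6789, email [EMAIL_1], card [REDACTED]
```

Of these three operators, none is reversible on its own: once the text is masked, replaced, or redacted, the original value can only come from a separately kept copy.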
Step 3: Manage Keys
For reversible encryption:
- Generate key during first encryption
- Store key securely (anonym.legal vault or export)
- Document which key protects which documents
- Control key access (who can decrypt?)
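The last two points, documenting which key protects which documents and controlling who can decrypt, can be sketched as a small registry. The structure and names below are assumptions for illustration; the registry stores only a fingerprint of each key, never the key itself.

```python
import hashlib
import secrets


def key_fingerprint(key: bytes) -> str:
    """Short identifier for a key, safe to record because the key is random."""
    return hashlib.sha256(key).hexdigest()[:16]


# document_id -> which key protects it and who may decrypt it
registry = {}


def register(document_id, key, allowed_users):
    """Record the key fingerprint and the authorized users for a document."""
    registry[document_id] = {
        "key_id": key_fingerprint(key),
        "allowed_users": set(allowed_users),
    }


def may_decrypt(document_id, user):
    """Check whether `user` is authorized to decrypt `document_id`."""
    entry = registry.get(document_id)
    return entry is not None and user in entry["allowed_users"]


key = secrets.token_bytes(32)
register("doc-001", key, ["alice"])

print(may_decrypt("doc-001", "alice"))  # True
print(may_decrypt("doc-001", "bob"))    # False
```

A registry like this answers the practical question that comes up months later: which key, held by whom, opens this particular production set.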
Step 4: Maintain Audit Trail
anonym.legal logs:
- What was encrypted/redacted
- When processing occurred
- Which entities were detected
- Configuration used
This supports compliance evidence requirements.
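A log entry covering those four items might look like the sketch below. The field names are hypothetical and not anonym.legal's actual log schema; the point is that the entry records entity types and counts, never the sensitive values themselves.

```python
import json
from datetime import datetime, timezone


def audit_entry(document_id, entities, operators):
    """Build one audit record without copying any sensitive values into it."""
    counts = {}
    for label, _value in entities:
        counts[label] = counts.get(label, 0) + 1
    return {
        "document_id": document_id,
        "processed_at": datetime.now(timezone.utc).isoformat(),
        "entities_detected": counts,  # which entity types, and how many
        "operators": operators,       # configuration used for this run
    }


entry = audit_entry(
    "doc-001",
    [("PERSON", "John Smith"), ("SSN", "123-45-6789")],
    {"PERSON": "encrypt", "SSN": "mask"},
)

# One JSON object per line is easy to append to a log file and to search later.
line = json.dumps(entry, sort_keys=True)
print(line)
```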
Example: Legal Discovery Workflow
A law firm producing documents in litigation:
Without Reversible Encryption
- Permanently redact privileged information
- Produce documents to opposing counsel
- Court challenges privilege claim
- Cannot produce originals
- Possible sanctions
With anonym.legal
- Encrypt privileged information (reversible)
- Produce encrypted version
- Court challenges privilege claim
- Decrypt and submit for in-camera review
- Court rules on privilege
- Produce appropriate version
The key difference: you keep the originals under your control and can produce them if a court orders it.
Pricing for Enterprise Needs
Reversible encryption is included in all plans:
| Plan | Tokens/month | Key Vaults | Price |
|---|---|---|---|
| Free | 200 | 1 | €0 |
| Basic | 2,000 | 1 | €3/month |
| Pro | 10,000 | 3 | €15/month |
| Business | 50,000 | 10 | €29/month |
| Enterprise | Custom | Unlimited | Contact |
Conclusion
The choice between permanent and reversible redaction isn't just technical—it has real implications for:
- Court compliance
- Regulatory audits
- Research capabilities
- Business flexibility
Tools that only offer permanent redaction limit your options when circumstances change.
anonym.legal provides both:
- Reversible encryption for most use cases
- Permanent redaction when required
Choose the right approach for each situation.