What is Re-identification Attack Testing?

Testing designed to determine whether anonymized, pseudonymized, or otherwise de-identified data can be linked back to an individual. It is important because failed de-identification can expose organizations to privacy, security, and regulatory non-compliance risks.

In Depth

In practice, this involves simulating realistic attacks that combine released data with auxiliary datasets, model outputs, or external information to see whether an individual can be singled out or inferred. Compliance teams use these tests to assess whether anonymization claims are credible, whether controls such as aggregation, suppression, noise, or access restrictions are effective, and whether residual risks remain acceptable.
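An added example (not part of the original entry) of such a test in its simplest form: a linkage check that joins a release to an auxiliary dataset on quasi-identifiers, run before and after a generalization control. All records, field names and the `generalize` function are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: a "de-identified" release (names removed) and an
# auxiliary dataset an outsider could plausibly hold (e.g. a public register).
RELEASED = [
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1961, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "birth_year": 1984, "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "birth_year": 1987, "sex": "F", "diagnosis": "anemia"},
    {"zip": "02142", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]
AUXILIARY = [
    {"name": "Person A", "zip": "02139", "birth_year": 1961, "sex": "F"},
    {"name": "Person B", "zip": "02141", "birth_year": 1984, "sex": "F"},
    {"name": "Person C", "zip": "02141", "birth_year": 1987, "sex": "F"},
    {"name": "Person D", "zip": "02142", "birth_year": 1990, "sex": "M"},
    {"name": "Person E", "zip": "02142", "birth_year": 1993, "sex": "M"},
]
QUASI_IDS = ("zip", "birth_year", "sex")  # assumed quasi-identifier set

def generalize(rec):
    """Candidate control: truncate ZIP to 3 digits, bucket birth year by decade."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["birth_year"] = rec["birth_year"] // 10 * 10
    return out

def linkage_risk(released, auxiliary, transform=lambda r: r):
    """Return (k, unique_links): the smallest equivalence class in the release
    and the number of released records that match exactly one auxiliary record
    while being alone in their own class (i.e. singled out)."""
    def key(rec):
        rec = transform(rec)
        return tuple(rec[q] for q in QUASI_IDS)
    rel_classes = Counter(key(r) for r in released)
    aux_classes = Counter(key(a) for a in auxiliary)
    k = min(rel_classes.values())
    unique = sum(1 for r in released
                 if rel_classes[key(r)] == 1 and aux_classes[key(r)] == 1)
    return k, unique

if __name__ == "__main__":
    print("raw release:", linkage_risk(RELEASED, AUXILIARY))              # (1, 4)
    print("generalized:", linkage_risk(RELEASED, AUXILIARY, generalize))  # (1, 1)
```

Generalization cuts the uniquely linkable records from four to one, but one record is still singled out, which is the kind of residual risk the test is meant to surface.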

This testing is especially relevant when organizations publish datasets, use synthetic data, share model outputs, or rely on de-identification to reduce privacy obligations. The concept is closely tied to the GDPR, EU AI Act data governance expectations, ISO 27001 security controls, ISO/IEC 42001 management controls, and privacy risk management approaches reflected in NIST AI RMF; it is also relevant to sectors with heightened confidentiality and operational risk requirements.
