Description:
Anonymization is viewed as a solution to over-exposure of personal information in a data-driven society. Yet how organizations apply anonymization techniques to data for regulatory, ethical or commercial reasons remains underexplored. We investigate how such measures are applied in organizations, asking whether anonymization practices are used, what approaches are considered practical and adequate, and how decisions are made to protect the privacy of data subjects while preserving analytical value. Our findings demonstrate that anonymization is applied to data far less pervasively than expected. Organizations that do employ anonymization often view their practices as sensitive and resort to anonymity by obscurity alongside technical means. Rather than being a purely technical question of applying the right algorithms, anonymization in practice is a complex socio-technical process that relies on multi-stakeholder collaborations. Organizational decision-making about appropriate approaches and the management of responsibility can result in workarounds necessary to negotiate the technical complexity.