1. Quick prep and legal commonsense (10–20 minutes)
Decide the narrow purpose for the AI task (what question you need to answer) and keep only the fields needed for that purpose. Fewer fields = lower re‑identification risk and faster checks.
Check consent and provenance: do you have a lawful basis to use these records for testing or model training? Note any customers who’ve opted out, and flag records from purchased lists or third parties separately.
2. Which fields to remove or pseudonymise, and simple techniques (30–90 minutes)
- Remove entirely: full name, email address, telephone, full street address, full postcode (replace with outcode or region), bank account / sort code, NHS/NI numbers, government IDs, and any clear unique customer reference you don’t need.
- Pseudonymise (keep linkage possible inside your project): replace email/phone with a salted hash or a random token (store the mapping securely and separately). Use the same token consistently if you need to join records, but keep the key offline.
- Aggregate or coarsen: convert date of birth to age band or year, full postcode to outcode (e.g. SW1), transaction values to bins (0–50, 50–200, etc.). For free text (notes), remove or redact names and obvious identifiers, or omit notes entirely.
- Simple techniques explained: hashing with a secret salt gives consistent pseudonyms; tokenisation maps IDs to random keys kept in a secure file; aggregation reduces uniqueness by grouping values.
Build a small labelled test sample (50–200 rows) containing only variables you need plus the anonymised target label. Keep the original mapping and full records offline and accessible to a named data owner only.
3. Quick re‑identification checks and safe sharing (10–30 minutes)
Run a few simple checks on your anonymised sample: count unique combinations of fields (e.g. age‑band + outcode + purchase tier). If many rows are unique, coarsen further. Spot‑check a handful of rows against source data to confirm identifiers are removed.
When sharing: send the minimal subset, avoid full exports, and separate identifiers from attributes (share tokens + attributes, keep mapping offline). Use secure transfer (company file share or encrypted archive) and a short written agreement or NDA for vendors; prefer vendors that will run tests in an isolated environment rather than taking raw files.
If you need a quick walk‑through or a hands‑on run of this checklist on an export from HubSpot or a spreadsheet, Optira can help set it up and do the safety checks with you.