Excel PII: Anonymize Hundreds of Columns

Why Excel Is Your Highest-Risk File Type

Excel files are one of the biggest GDPR risks in most businesses. Medical records may carry more sensitive data per row. But spreadsheets pile up PII fast — and compliance teams often miss them.

Three things make Excel files hard to manage.

Volume: One XLSX file can hold 50,000 rows and 100 columns. That is five million cells. No manual review can check all of them.

Grid layout: Text flows in one direction. Excel spreads data across rows and columns. Personal data can hide anywhere in that grid.

Mixed content: Pay bands, department codes, and job grades sit in the same file as SSNs and email addresses. Erasing everything makes the file useless.

Long retention: Staff lists and customer records stay in Excel for years. GDPR Article 5(1)(e) says data must be kept "no longer than is necessary." Files that "might be useful" often stay far past that point.

Why Standard Text Scans Fail on Spreadsheets

Text analysis tools were built for documents. They break on spreadsheets in a few common ways.

The SSN-as-Number Problem

Excel saves Social Security Numbers without dashes (123456789) as plain numbers — not text. A scanner built to find ###-##-#### will miss them. A good tool must know that a 9-digit number in a column called "SSN" is a Social Security Number.

The Date-as-Number Problem

Excel stores dates as serial numbers. February 6, 2024 is stored as 45329. A CSV export will show "45329" in a "Date of Birth" column. A scanner must convert that number to a real date before it can flag the value.

The Partial SSN Problem

Some systems show only the last four digits of an SSN (*--1234). The full number sits in a locked column. The partial value must still be anonymized — even if it does not look like a full SSN.

The Formula PII Problem

Some cells build PII from other cells. A cell with =CONCATENATE(B2," ",C2) shows a full name. If you clear columns B and C, that full name is still visible in the formula cell. A tool that reads only stored values — not formula links — will leave PII in place.

The Multi-Sheet Problem

A large workbook may have five sheets: Customer List, Orders, Support Tickets, Billing, and Analytics. Customer names appear in all five. "John Smith" in one sheet must become the same token — "PERSON_0047" — in every other sheet. Two different tokens break record links.

Column Headers as a Signal

The best improvement in spreadsheet PII detection is column header analysis.

A column called "SSN" tells the tool that all values in that column are Social Security Numbers. This works even if values are partial, oddly formatted, or stored as numbers.

Column context does not replace content scanning. It adds to it. A column called "SSN" with 100 values: content scanning catches 99 well-formatted ones. Column context catches the one that looks odd.

Keep the Structure, Remove the Names

The goal in most Excel GDPR cases is not to destroy the file. It is to strip out personal data while keeping the parts that make the file useful.

For a 15,000-row staff records file, a compliance officer needs:

Remove:

• Employee names → PERSON_XXXX tokens
• SSNs → REDACTED
• Email addresses → REDACTED
• Phone numbers → REDACTED
• Home addresses → REDACTED

Keep:

• Department codes
• Job titles (general roles only)
• Pay bands (broad categories)
• Performance scores (group data)
• Start dates (for tenure stats)
• Manager codes (if pseudonymized)

A tool that knows the difference between "data that names people" and "data that describes jobs" gives you a file that still works for HR analysis — and meets GDPR data minimization rules.

Real Case: M&A HR Data Transfer

An acquiring company gets staff records from the target firm: a 15,000-row XLSX with 40 columns. The file must go to an outside HR firm for benefits planning. GDPR says only the data needed for that task can be shared.

Before processing: 40 columns with full names, SSNs, emails, home addresses, emergency contacts, and bank details.

After column-context processing:

• 12 columns directly identify people (names, SSNs, emails, phone, addresses, bank data): replaced with consistent tokens
• 3 columns indirectly identify people (staff ID, manager code, job code): replaced with pseudonymous tokens that match within the file
• 25 columns are aggregate data (pay band, department, tenure, grade): left unchanged

Time: 8 minutes for 600,000 cells

Output: Same XLSX layout, 40 columns, 15 anonymized, 25 unchanged

Audit log: Cell-level record of every action with entity type, confidence score, and column signal used

The HR firm gets a full dataset for its work — with no names or IDs. The compliance record gets proof that only the right data was shared.

This challenge is not unique to Excel. Every file format fails in its own way. See how format fragmentation affects PII detection for a look across file types.

Three GDPR Article 5 Rules, One Process

Structured spreadsheet anonymization meets three rules at once.

Data minimization (Art. 5(1)(c)): Only the columns needed for the task go to the recipient. Identifying columns are wiped.

Storage limitation (Art. 5(1)(e)): The original file stays for legal retention. A clean copy is made for sharing — with a shorter or no retention need.

Integrity and confidentiality (Art. 5(1)(f)): No identifying data leaves the control zone. Only clean copies are shared.

The audit log from the process is also your Article 5(2) proof. It shows how each rule was met for each file.

If your team handles DSARs or large data exports, the same logic applies at the API level. See how GDPR data minimization works in real-time APIs.

For teams dealing with high volumes under tight deadlines, see GDPR DSAR batch processing at scale for workflow patterns that apply here too.

Sources

• GDPR Article 5: Principles Relating to Processing of Personal Data
• ICO: Anonymisation Code of Practice
• EDPB: Guidelines on Pseudonymisation