What Is Quasi-PII?
GDPR Article 4 covers any data that can identify a person. The data does not need to name someone directly. It only needs to make identification possible through extra steps.
Internal employee IDs are a clear example. Take the value "EMP-EU-123456." That string does not name anyone. But the HR system holds a simple lookup table. EMP-EU-123456 maps to Maria Schmidt, Senior Engineer, Munich. Anyone with access to that table can find her. Under GDPR, the ID is personal data.
The same rule applies to other internal codes:
- Customer account numbers that link to CRM records
- Project codes that link to client names in contract systems
- Case reference numbers in legal files
- Medical record numbers that link to patient records
Removing names and emails is not enough. If internal IDs remain in a file, re-identification is only two steps away.
Why This Gap Leads to Fines
34% of all GDPR fines involve inadequate technical measures under Article 32. That figure comes from the DLA Piper 2025 GDPR Annual Report. Failure to detect quasi-identifying internal identifiers falls into this category.
The EDPB handled over 900 consistency mechanism cases in 2024. Cross-border enforcement means one gap in a shared dataset can lead to coordinated action across several EU member states.
Standard PII tools find universal patterns: names, emails, phone numbers, national IDs. They do not know your internal ID format. No tool does until you tell it. That is the gap.
How the No-Code Pattern Builder Works
A global logistics company needs to anonymize employee records for an external audit. Their employee IDs use this format: EMP-[REGION]-[6 digits]. Three examples: EMP-EU-123456, EMP-APAC-789012, EMP-AMER-345678.
The compliance team enters three examples into the AI pattern helper. The AI returns:
- Pattern:
EMP-[A-Z]{2,4}-\d{6} - Matches all three examples
- Suggested entity name: EMPLOYEE-ID
- Recommended next step: test with more region codes
The team tests ten more samples. The pattern works on all of them.
They save the custom entity to the team's shared GDPR preset. All 47 documents in the audit package are processed in one batch. Every employee ID is replaced with a role-based label. The audit firm gets files that no longer link to any individual.
No engineering help is needed. The whole setup takes under an hour.
What Happens Next
Once the custom entity is saved to a shared preset, all team members use the same setup. New staff get it on day one. Batch jobs, API calls, and manual uploads all apply the same pattern.
The audit trail shows which preset was used for each file. If a DPA asks for evidence of your anonymization process, you can show it.
For the full custom entity setup workflow, see custom PII identifiers for organizational anonymization. For keeping this setup consistent across teams, see anonymization consistency presets for GDPR audit.