Re-identification is the process of linking pseudonymised or supposedly anonymised data back to specific individuals. It often succeeds by combining multiple datasets: age, postal code, and gender alone are frequently sufficient. For data protection this is a critical risk because it undermines the effectiveness of anonymisation measures. When anonymising data, you should verify that the result can withstand known re-identification attacks such as linkage attacks. In an ISMS and in a DPIA, re-identification must be explicitly assessed as a threat.