It is not enough to rely on a data provider’s blanket assertion that data is de-identified. Big datasets that reflect large numbers of individuals across multiple jurisdictions are often pseudonymized (using tokens or persistent identifiers, for example) rather than truly “anonymized” and privacy and security obligations and risks remain. Furthermore, the determination that a dataset is de-identified or anonymized is in large part a technical matter that buyers are not necessarily equipped to assess themselves. To stay ahead of these risks, a buyer might instead “act as if” certain data will be re-identified and limit processing accordingly.