Enforcement Rules of the Personal Information Protection Act Article 17 states that ＂the Act shall mean the personal information processed by ways of code, anonymity, hiding parts of information or other manners so as to fail to identify such a specific person.＂, so as call the ＂De-identification＂ issue. Since 2014, Nov 17th the Ministry of Justice has explained that ＂De-identified personal information cannot identify directly or in-directly a specified individual.＂ certification has become our standardization primary issue. Thus, we discuss EU’s ＂General Data Protection Regulation＂ including ＂De-identification＂ mention before in ＂Personal information management system＂ certification, whose implementation follows International Organization for Standardization (ISO) standardization. The article is going to conclude with observation and suggestion to the status quo of protecting personal data in Taiwan subject to learning experience from the ISO standardization in striving for protecting personal data.