CPC G06F 21/6254 (2013.01) [G06F 16/00 (2019.01); G06F 16/2379 (2019.01); G06F 21/62 (2013.01)]
15 Claims
1. A personal information de-identification method performed by a personal information de-identification apparatus, the method comprising:
acquiring an original table including records in which original data indicating personal information is recorded from a database;
classifying respective records included in the original table based on attributes of the respective records, wherein the respective records are classified as one of classes of identifier (ID), quasi-identifier (QI), sensitive attribute (SA), and insensitive attribute (IA);
generalizing the original data recorded in the respective records included in the original table based on generalization levels;
setting up a generalization hierarchy model composed of the original data and the generalized data;
generating an original lattice including a plurality of candidate nodes indicating tables, which indicate generalization levels for types of personal information, based on a hierarchical structure indicated by the generalization hierarchy model; and
setting up a final lattice including one or more candidate nodes which satisfy a preset requirement among the plurality of candidate nodes included in the original lattice,
wherein a de-identified table generated in the generalizing of the original data is generated based on K-anonymity, generated based on K-anonymity and L-diversity, or generated based on K-anonymity and T-closeness, and
wherein the preset requirement includes a preset suppression requirement, which indicates a ratio of equivalence classes which do not satisfy a preset K-anonymity to equivalence classes constituting the de-identified table.
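
The lattice filtering described in claim 1, as an added example that is not code from the patent: each node is a tuple of generalization levels for the quasi-identifiers, and a node enters the final lattice when the share of equivalence classes smaller than K stays within the suppression limit. The sample records, the two hierarchies and all function names are assumptions made for illustration.

```python
from collections import Counter
from itertools import product

# Constructed sample records: (age, zip) are quasi-identifiers (QI),
# the last column is the sensitive attribute (SA).
ROWS = [
    (23, "13053", "flu"), (27, "13068", "asthma"), (25, "13053", "flu"),
    (41, "14850", "cancer"), (45, "14853", "flu"), (48, "14850", "asthma"),
    (36, "13068", "cancer"), (62, "14853", "flu"),
]

# Hypothetical generalization hierarchy model: one function per level,
# level 0 keeps the original data, the last level suppresses the value.
AGE = [lambda a: str(a),
       lambda a: f"{a // 10 * 10}-{a // 10 * 10 + 9}",
       lambda a: "*"]
ZIP = [lambda z: z, lambda z: z[:3] + "**", lambda z: "*****"]
HIERARCHIES = (AGE, ZIP)

def original_lattice():
    """All candidate nodes, ordered from least to most generalized."""
    nodes = product(*(range(len(h)) for h in HIERARCHIES))
    return sorted(nodes, key=lambda n: (sum(n), n))

def generalize(rows, node):
    """Apply the node's level to each QI column; keep the SA column as is."""
    return [tuple(h[lvl](v) for h, lvl, v in zip(HIERARCHIES, node, r)) + (r[-1],)
            for r in rows]

def suppression_ratio(table, k):
    """Equivalence classes with fewer than k records / all equivalence classes."""
    classes = Counter(r[:-1] for r in table)
    failing = sum(1 for size in classes.values() if size < k)
    return failing / len(classes)

def final_lattice(rows, k, max_ratio):
    """Candidate nodes whose de-identified table meets the suppression requirement."""
    return [n for n in original_lattice()
            if suppression_ratio(generalize(rows, n), k) <= max_ratio]

if __name__ == "__main__":
    for node in original_lattice():
        ratio = suppression_ratio(generalize(ROWS, node), k=2)
        print(node, f"{ratio:.2f}")
    print("final lattice:", final_lattice(ROWS, k=2, max_ratio=0.5))
```

The ratio here is counted per equivalence class, following the claim's wording, so a node can pass while a different fraction of individual records sits in undersized classes.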