Defining personal, anonymous, and pseudonymous data is a vital issue for data protection law. Current approaches adopted by legal regimes are either too absolute to be practical or too vague to be manageable. Differential privacy (DP), a newly emergent technical tool, can help define the different categories of data by quantifiably measuring the identification risks of databases. By selecting a privacy budget in advance, data controllers can delineate the boundaries among personal, anonymous, and pseudonymous data in an auditable and reviewable way, and can incorporate the definition into the broader practice of data risk management. This article offers concrete steps for applying this approach in practice, and argues that such an approach not only enhances certainty, consistency, and transparency, but also inspires a new model of interaction between law and technology. Recognizing that this approach is not perfect, the article then discusses some difficulties and directions for future research.