If it is presumed that there has been a breach of privacy, the commissioner consults technology experts to ensure that good practices have been used.
Until the bill comes into force, there are industry standards, and perhaps also sector- or context-dependent guidelines.
Internationally, there are also rules that govern data protection. For example, while the GDPR does not set out generally acceptable best practices, it does indicate that it is essential to use or consider available technology for anonymization. It's the same concept.