• GL
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

To Pseudonymise or Anonymise?

18 September 2019
Digital electronic components
Many organisations that process personal data struggle with the concepts of pseudonymisation and anonymisation. In this article we will explain what the differences between the two concepts are and why it is important to make this distinction. 

In order to understand both concepts, we need to go back to basics and understand what personal data is. The General Data Protection Regulation (GDPR) sets out that personal data means "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". The UK Information Commissioner's Office (ICO) has summarised this definition by stating that personal data has to be information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual. Please note that even if the individual can be identified by combining one information set with another information set, both information sets would still be considered to be personal data.

The GDPR describes pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Essentially, pseudonymisation is about coming up with a 'key' for personal data that would render that data incapable of identifying a data subject. That key should furthermore be kept separate from whoever is holding the personal data. Please see the example below:

 

Name

Pseudonymised (key held separately)

Anonymised

Jamie

qOerd

xxxxx

Ita

Loqfh

xxxxx

Nicole

Mcvg

xxxxx

Nicole

Mcvg

xxxxx

Stuart

BhQj

xxxxx

Sam

gyxaH

xxxxx

Jamie

qOerd

xxxxx

 

The above example demonstrates that personal data needs to be stripped of any element that would identify an individual in order for that data to be truly anonymised. If at any point any reasonable means could be used to re-identify the individuals to which the data refers, the data has not been effectively anonymised. It would considered to be pseudonymised data.

Pseudonymised data is still considered to be personal data, which means that the requirements of the GDPR continue to apply to such data. Anonymised data cannot be linked to an individual any more. For that reason it is not personal data and the GDPR does not apply.

It is important to be aware of this distinction. Organisations might think that they are processing anonymised data, when in fact they are actually processing (pseudonymised) personal data. Alternatively, it is important to note that up until the point of (correctly) anonymising data, personal data is still being processed (and GDPR requirements would apply).

To summarise, pseudonymised data can be traced back to a data subject by using some form of 'key', whereas anonymised data cannot. Pseudonymised data is still classed as personal data and is subject to the GDPR, whereas, anonymised data is not. Is your organisation pseudonymising or anonymising data? Are they or are they not caught by the scope of the GDPR?  Please contact the Data Protection Team if you have any questions or require assistance in this area.

Further Reading

We use cookies to give you the best user experience on our website. Please let us know if you accept our use of cookies.

Manage cookies

Your Privacy

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. We mainly use this information to ensure the site works as you expect it to, and to learn how we can improve the experience in the future. The information does not usually directly identify you, but it can give you a more personalised web experience.
Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change permissions. However, blocking some types of cookies may prevent certain site functionality from working as expected

Functional cookies

(Required)

These cookies let you use the website and are required for the website to function as expected.

These cookies are required

Tracking cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing cookies

These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.