EU and UK: Guidance on Pseudonymisation and Anonymisation

On 14 March 2025, the European Data Protection Board (EDPB) closed the consultation on its draft Guidelines on Pseudonymisation - we await the final version. There are similar themes and practical guidance in both but also key differences about when pseudonymised data may become anonymous and which raise important issues for practical implementation.

Organisations using pseudonymisation techniques and sharing or receiving data with a footprint across both the UK and EU should be aware of the differences in approach from these regulators.

Both sets of guidance dive into the detail on techniques and technologies available for anonymisation and/or pseudonymisation. It’s a long way from the high level themes and principles of the underlying GDPR documentation. Those responsible for data protection compliance should be aware of the key terms involved – including whether you are salting your hashing, using K-anonymity or deploying generalisation. 

What does the guidance cover and how do they differ?

Pseudonymisation and anonymisation are critical techniques for safeguarding personal data and complying with the wider requirements of the GDPR and UK GDPR but also for practical risk management and mitigating potential liability.

The EDPB’s draft guidelines, expected to be finalised soon, emphasise pseudonymisation as a key safeguard under the GDPR. The EDPB view is that Pseudonymised data remains personal data but is less identifiable, reducing risks and aiding compliance with GDPR principles such as data protection by design and default and data security. It outlines technical measures to ensure confidentiality and prevent unauthorized identification.

The ICO's guidance provides detailed advice on both pseudonymisation and anonymisation. Pseudonymisation is similarly described by the ICO as a technique to reduce risks by making data less identifiable. The ICO also offers comprehensive guidance on anonymisation, detailing effective methods and considerations to ensure data is sufficiently anonymised. The guidance includes practical advice on technical and organisational measures to mitigate risks.

Key Differences

• The ICO guidance addresses how pseudonymised information can, once a certain threshold is met, be considered anonymised (and no longer subject to the UK GDPR) – for example when the user of the pseudonymised data does not have access to the pseudonymisation key and is unable to identify individuals despite available information.  
• Unlike the EDPB position, the ICO has set out that the possibility of identifying or re-identifying an individual does not need to be impossible for the data to be considered anonymised, data can be considered “effectively anonymised” if the possibility of identification is “sufficiently remote”. Freedom of Information law practitioners will recognise the “motivated intruder” test that is mentioned.
• Both guidance documents discuss technical measures and provide illustrative examples but given the accountability onus the ICO places on controllers to be able to demonstrate that the data is effectively anonymised, the ICO provides slightly more advice on practical implementation. For example, their guidance links to academic tools for testing anonymisation methodologies and carefully describes masking, hashing and tokenisation, as well as encryption.

The consultation on the EDPB draft guidelines and, in particular, the interesting contrast between the EDPB’s position and developing European case law on these issues, are discussed in more detail in our earlier briefing. We await the ruling of the European Court of Justice in EDPS v Single Resolution Board, to see whether the case law will continue to diverge from the EDPB’s proposed position. Advocate-General Spielmann’s view already appears to align more closely with previous CJEU case law, suggesting that pseudonymisation, when robustly implemented, may lead to an effectively anonymised dataset for the recipient in certain cases. In the UK, the case law on the scope of personal data is also evolving and the outcome in the Court of Appeal of the ICO’s appeal of the 2024 Upper Tribunal decision in favour of DSG Retail Limited will be an important development.

What should I do?

If your organisation considers that it is processing anonymised data, we’d suggest testing this against the ICO’s guidance and EDPB’s draft guidelines.

As the ICO expects a data protection impact assessment (DPIA) to be in place for both pseudonymised and anonymised data processing, now is a good time to refresh your DPIAs  to check that the processing remains appropriate in light of the updated guidance.

We recommend ensuring that the tools you are using for anonymisation or pseudonymisation are state of the art and comply with the updated requirements that these regulators now consider to evidence good practice. For example – are you using the appropriate hashing techniques or are your algorithms outdated? Can your data be reversed or accessed by motivated intruders?

If you have a UK and European footprint, do your approaches meet the requirements across all relevant jurisdictions?

If you outsource anonymisation or pseudonymisation to processors, we also recommend that you review how that is being managed. The responsible controller  remains liable for all data processing and data security on its behalf by any processors. Your approach to due diligence on these issues should be updated to ensure ongoing compliance with regulatory expectations.

Further reading on Anonymisation and Pseudonymisation

See our briefing on the EDPB’s draft guidelines here: New EDPB guidelines on pseudonymization