Direct comparison
Anonymisation vs pseudonymisation — what is the difference under UK GDPR?
Anonymisation makes data no longer personal data, taking it outside the UK GDPR; pseudonymisation only replaces identifiers with a key, so the data remains personal data and a security measure, not an exemption.
Side-by-side comparison
| Dimension | Anonymisation | Pseudonymisation |
|---|---|---|
| Definition | Altering data so individuals can no longer be identified | Replacing identifiers with a key so data cannot be attributed without separate information (Art 4(5)) |
| Reversibility | Intended to be irreversible | Reversible using the separately held key or additional information |
| GDPR status | No longer personal data — outside the UK GDPR (Recital 26) | Still personal data — remains within the UK GDPR |
| Re-identification risk | Should be negligible if done effectively, but context-dependent | Present by design — the key enables re-identification |
| The key / additional information | No key retained that could re-identify individuals | Key kept separately under security and access controls |
| Typical techniques | Aggregation, generalisation, suppression, k-anonymity, l-diversity | Tokenisation, key-coding, replacing identifiers with pseudonyms |
| Primary purpose | Take data outside data-protection law for open release or reuse | Reduce risk and improve security while retaining ability to link data |
| When appropriate | Sharing or publishing data where individuals need not be re-identified | Research and processing where data may need to be re-linked, with safeguards |
| Guidance | ICO anonymisation guidance (UK); EDPB (EU equivalent) | ICO and EDPB guidance; treated as a recognised security measure |
Common questions
FAQ
Is pseudonymised data still personal data?+
Yes. Under the UK GDPR (Article 4(5)), pseudonymisation only means the data cannot be attributed to a person without additional information held separately. Because that information exists, the data can still be linked back to individuals and therefore remains personal data, fully within the scope of the law.
Is anonymised data covered by the UK GDPR?+
No — if data is genuinely anonymised so that individuals can no longer be identified, it is no longer personal data and the UK GDPR does not apply (a position reflected in Recital 26). The difficulty is achieving and demonstrating that identification is no longer reasonably possible.
Does pseudonymisation exempt me from data-protection rules?+
No. Pseudonymisation is a recognised security and risk-reduction measure, but it does not take data outside the law because the data remains personal. It is encouraged as a safeguard, not treated as an exemption.
Why is genuine anonymisation difficult?+
Because removing direct identifiers is rarely enough: indirect identifiers such as combinations of postcode, date of birth, and occupation, together with external datasets, can allow re-identification. Anonymisation must be assessed as a contextual judgement about realistic re-identification risk.
Going deeper
