
Anonymisation vs Pseudonymisation

GDPR

Anonymisation: irreversibly de-identified, out of GDPR scope. Pseudonymisation: reversible, still personal data.

Anonymisation irreversibly removes the link between data and an identifiable individual; truly anonymised data falls outside GDPR scope. Pseudonymisation (GDPR Art. 4(5)) replaces identifying fields with pseudonyms but the link can be restored with separately held information — pseudonymised data remains personal data.
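The Art. 4(5) property described above, shown as an added example that is not part of the original glossary entry: a keyed HMAC (one common way to derive pseudonyms, chosen here for illustration) replaces the email field, and the key and lookup table play the role of the separately held information that restores the link. The records, field names, key and function names are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample records (not real data).
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.com", "plan": "free", "country": "FR"},
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
]

def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: stable per identifier, not computable without the key."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key, field="email"):
    """Return (working dataset without `field`, separately held lookup table)."""
    dataset, lookup = [], {}
    for rec in records:
        token = pseudonym(rec[field], key)
        lookup[token] = rec[field]
        row = {k: v for k, v in rec.items() if k != field}
        row["subject_id"] = token
        dataset.append(row)
    return dataset, lookup

def reidentify(dataset, lookup, field="email"):
    """Restore the identifying field using the separately held table."""
    restored = []
    for row in dataset:
        rec = {k: v for k, v in row.items() if k != "subject_id"}
        rec[field] = lookup[row["subject_id"]]
        restored.append(rec)
    return restored

def relink_with_key(dataset, key, candidate):
    """With the key alone, a known identifier can be matched to its rows."""
    token = pseudonym(candidate, key)
    return [row for row in dataset if row["subject_id"] == token]

if __name__ == "__main__":
    key = b"constructed-demo-key-held-in-a-separate-system"
    dataset, lookup = pseudonymise(RECORDS, key)
    print(dataset)                      # no email column, stable subject_id
    print(reidentify(dataset, lookup))  # original records recovered
    print(relink_with_key(dataset, key, "bob@example.com"))
```

The working dataset carries no email addresses, yet whoever holds the table or the key can restore the link, which is why the data remains personal data.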

Why it matters
Calling data ‘anonymised’ when it is in fact pseudonymised is a frequent mischaracterisation in privacy notices, exposing controllers to enforcement.

Related terms

Personal Data (GDPR)
Any information relating to an identified or identifiable natural person (data subject) — Art. 4(1).
Data Minimisation
GDPR Art. 5(1)(c) principle: personal data must be adequate, relevant, and limited to what is necessary.
