Anonymisation

Anonymisation is the process of treating personal data so that it becomes permanently impossible to identify the data subject. Correctly anonymised data falls entirely outside the scope of GDPR.

    What is anonymisation?

    Anonymisation is a process that makes personal data permanently unrecognisable. When data is correctly anonymised, nobody (including the organisation that carried out the anonymisation) can identify the individuals the data relates to.

    This is a crucial distinction in the GDPR, because the regulation only applies to personal data. If you can demonstrate that your data is genuinely anonymised, the GDPR does not apply to it. This gives your organisation the freedom to use the data for statistics, research and analysis without the usual requirements for a legal basis and data subject rights.

    However, the bar is high. According to Recital 26 of the GDPR, anonymisation must be irreversible. You must take into account all reasonable means that could be used to re-identify individuals, including combination with other data sets.

    Anonymisation vs. pseudonymisation

    The two concepts are frequently confused, but the legal difference is fundamental:

    • Anonymisation is irreversible. The link between data and person is permanently broken. The result is not personal data.
    • Pseudonymisation replaces direct identifiers with codes or tokens. A separate key can link the data back to the original person. The result is still personal data.

    Pseudonymisation is a technical and organisational measure that reduces the risk in the event of a data breach, but it does not remove your obligations under the GDPR. Only genuine anonymisation does.

    In practice, many organisations use pseudonymisation as an intermediate step, because full anonymisation can destroy the analytical value of the data. Consider carefully what you need the data for before choosing an approach.

    Techniques for anonymisation

    There are several recognised methods for anonymisation. They can be used individually or combined for stronger protection:

    • Generalisation: You remove detail, for example by replacing a date of birth with an age range or a precise address with a postcode area.
    • Noise addition: You add random variations to data so that individual values cannot be recognised, whilst the overall pattern is preserved.
    • k-anonymity: Each record in the data set is identical to at least k-1 other records for the quasi-identifying attributes.
    • l-diversity: An extension of k-anonymity that ensures variation in the sensitive attributes within each group.
    • Differential privacy: A mathematical framework that adds controlled noise to queries against a data set, so that no individual's data can be inferred.
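
    The sketch below is an added example, not part of the original page: it applies generalisation to a constructed data set and then measures k-anonymity and l-diversity over the resulting groups. The field layout (birth year, postcode, diagnosis), the generalisation rules and the thresholds k=3, l=2 are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data): (birth_year, postcode, diagnosis).
# Birth year and postcode are the quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    (1981, "2100", "asthma"),
    (1984, "2150", "diabetes"),
    (1987, "2100", "asthma"),
    (1989, "2200", "migraine"),
    (1992, "8000", "diabetes"),
    (1995, "8200", "diabetes"),
    (1998, "8210", "diabetes"),
    (1963, "5000", "asthma"),
]

def generalise(record):
    """Generalisation: birth year -> decade band, postcode -> one-digit area."""
    year, postcode, sensitive = record
    decade = year // 10 * 10
    return (f"{decade}-{decade + 9}", postcode[0] + "xxx"), sensitive

def equivalence_classes(records, transform=None):
    """Group the sensitive values by quasi-identifier tuple."""
    groups = defaultdict(list)
    for rec in records:
        qi, sensitive = transform(rec) if transform else ((rec[0], rec[1]), rec[2])
        groups[qi].append(sensitive)
    return dict(groups)

def k_anonymity(groups):
    """k is the size of the smallest group of indistinguishable records."""
    return min(len(values) for values in groups.values())

def l_diversity(groups):
    """l is the fewest distinct sensitive values found in any group."""
    return min(len(set(values)) for values in groups.values())

def risky_classes(groups, k, l):
    """Groups that are too small (below k) or too uniform (below l)."""
    return sorted(qi for qi, v in groups.items() if len(v) < k or len(set(v)) < l)

def suppress(groups, k, l):
    """Suppression: drop every group that misses either threshold."""
    bad = set(risky_classes(groups, k, l))
    return {qi: v for qi, v in groups.items() if qi not in bad}
```

    In this sample, generalisation alone still leaves one person unique, and one group of three shares a single diagnosis, so membership of that group reveals the sensitive value even though k is met for it. Meeting the chosen k and l is a measurement only; combination with other data sets still has to be assessed separately.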

    The Danish Data Protection Agency and the European Data Protection Board (EDPB) recommend that you document your chosen technique and carry out regular re-identification risk assessments.

    Significance for GDPR compliance

    Anonymisation plays a central role in data minimisation. If you can fulfil your purpose with anonymised data, you have a duty to choose that solution. This follows from the GDPR principle that you must not process more personal data than necessary.

    Anonymisation is also relevant for retention. When the original purpose limitation expires, anonymisation can be an alternative to deletion. You preserve the analytical value of the data without retaining personal data beyond the lawful period.

    Bear in mind that the anonymisation process itself is processing of personal data. You must have a valid legal basis for carrying out the anonymisation, and the process must appear in your record of processing activities.

    A data protection impact assessment (DPIA) may be necessary if the anonymisation involves processing sensitive personal data on a large scale. Your DPO should be involved early in the process.

    Frequently Asked Questions about Anonymisation

    What is the difference between anonymisation and pseudonymisation?

    Anonymisation is irreversible and permanently removes the ability to identify a person. Pseudonymisation replaces identifying information with codes, but can be reversed with a key. Pseudonymised data is still personal data under the GDPR, whereas anonymised data is not.

    Is anonymised data subject to the GDPR?

    No. When data is correctly anonymised, it falls outside the scope of the GDPR. However, this requires that the anonymisation is genuine and irreversible, and that no supplementary information exists that could be used to re-identify individuals.

    What techniques are used for anonymisation?

    The most widely used techniques are generalisation (removing detail), noise addition (adding random data), k-anonymity, l-diversity and differential privacy. The choice of technique depends on the data type and the purpose of the analysis.

    When should you anonymise personal data?

    You should anonymise data when you want to use it for statistics, research or analysis but do not need to identify individuals. It is also relevant when you wish to retain data beyond the original retention period.
