Pseudonymisation & Anonymisation

BY Matthew Brown

It’s Friday afternoon. A colleague from your London office (albeit working from home) is about to send you a list of sales leads generated in the last quarter. It contains a significant amount of personally identifiable information (PII) for each of the contacts referenced. The email never arrives; it was accidentally sent to a different address, someone’s personal email address. Under normal circumstances you would be concerned, but your organisation has both policies and practices in place to pseudonymise any data. But what exactly does this mean?

In simple terms, you replace PII with an individual-specific code, which could be a simple alphanumeric label standing in for a name. Your colleague has the code-key enabling him to ‘decipher’ the PII provided – think the Enigma code breaker of WWII. Without the code-key, none of the information can be attributed to a specific individual, and it is therefore safe to transmit. According to the ICO, ‘pseudonymisation’ is a technique that replaces or removes information in a data set that identifies an individual. Pseudonymisation may involve replacing names or other identifiers which are easily attributed to individuals with, for example, a reference number.
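The code-key scheme described above, as an added example that is not from the original article: identifiers are swapped for random reference numbers, and the mapping back to names is held separately from the file that travels. The sample leads, the field names and the `REF-` format are constructed assumptions.

```python
import secrets

# Constructed sample data (not real people); field names are assumptions.
LEADS = [
    {"name": "Alice Example", "email": "alice@example.com", "region": "London", "deal_value": 12000},
    {"name": "Bob Sample", "email": "bob@example.org", "region": "Leeds", "deal_value": 8500},
    {"name": "Alice Example", "email": "alice@example.com", "region": "London", "deal_value": 3000},
]
IDENTIFIERS = ("name", "email")  # fields treated as direct identifiers here


def pseudonymise(records, identifiers=IDENTIFIERS):
    """Return (transit_rows, code_key); only transit_rows goes in the email."""
    code_key = {}  # reference -> original identifiers; stored and shared separately
    seen = {}      # identifier values -> reference, so one person keeps one reference
    transit = []
    for rec in records:
        ident = tuple(rec[f] for f in identifiers)
        ref = seen.get(ident)
        if ref is None:
            # Random reference, not a hash of the name: a hash of a guessable
            # value can be reversed by hashing candidate names and comparing.
            ref = "REF-" + secrets.token_hex(4).upper()
            while ref in code_key:  # regenerate on the rare collision
                ref = "REF-" + secrets.token_hex(4).upper()
            seen[ident] = ref
            code_key[ref] = dict(zip(identifiers, ident))
        row = {k: v for k, v in rec.items() if k not in identifiers}
        row["ref"] = ref
        transit.append(row)
    return transit, code_key


def reidentify(transit, code_key):
    """Rebuild the original rows; fails if a reference is missing from the key."""
    restored = []
    for row in transit:
        if row["ref"] not in code_key:
            raise KeyError(f"no code-key entry for {row['ref']}")
        rest = {k: v for k, v in row.items() if k != "ref"}
        restored.append({**code_key[row["ref"]], **rest})
    return restored


if __name__ == "__main__":
    transit_rows, key = pseudonymise(LEADS)
    for r in transit_rows:
        print(r)  # what a misdirected email would expose
```

The non-identifying columns (`region`, `deal_value`) still travel in the clear, so which fields count as identifiers is a classification decision made before this step.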

Anonymisation, on the other hand, is the process of protecting private or sensitive information by erasing or encrypting identifiers that connect an individual to stored data. Anonymisation renders any personal data attributes unidentifiable, and the process is irreversible.

“It is best practice when dealing with sensitive personal data, particularly in any transportation of that data, to ensure that it is either anonymised or pseudonymised.”

It is unlikely that you would ever need to fully anonymise data in your organisation unless it was for a study or research. Your data is your most valuable business asset. Rather, as an extra level of data security, best practice is to identify and classify your sensitive data sets and embed pseudonymisation when transferring data internally or externally.

