Anonymisation vs Pseudonymisation: Is It Still Your Data?

The line that decides whether the rules apply

Under the UK GDPR, almost everything about you that an organisation holds is personal data, and that triggers a long list of protections: the right to ask what they hold, to correct it, to object, and in some cases to have it erased. But there is one important exception. If data has been changed so that you genuinely cannot be identified from it by anyone, by any reasonably likely means, then it stops being personal data and the rules no longer apply to it.

That single test, can you still be singled out, is what separates anonymisation from pseudonymisation. The two words are often used loosely, and that looseness matters, because it changes whether you keep your rights over the information.

This is general information and not legal advice. The boundary can be genuinely hard to draw in practice, and the UK regulator, the Information Commissioner's Office (ICO), has published detailed guidance on exactly how high the bar for true anonymisation sits.

• Personal data: anything that identifies you, directly or indirectly, your full rights apply
• Pseudonymised data: identifiers replaced with a code, but re-linking is still possible, still personal data
• Anonymised data: identifiability removed for good, falls outside data protection law

Pseudonymisation: a lock, not a disappearance

Pseudonymisation means replacing the obvious identifiers, your name, your email, your account number, with a stand-in value such as a reference code or a token. A hospital research file might list you as Subject 4471 instead of by name. A company might hash your email so it reads as a string of characters rather than the address itself.

The key point is that the link back to you still exists somewhere. There is a lookup table, a key, or a method that can reverse the swap and reconnect Subject 4471 to a real person. Because that re-identification remains reasonably possible, the law treats pseudonymised data as still being your personal data. Your rights travel with it.

Pseudonymisation is genuinely useful, and the UK GDPR actively encourages it as a security and data-minimisation measure. It reduces the damage if a file leaks and limits who inside an organisation can see who is who. But it is a safeguard layered on top of personal data, not an exit from the rules.

Anonymisation and what it means for your rights

True anonymisation is a higher bar than many people assume. It is not enough to delete the name column. Data is only anonymous if no one, including the organisation that holds it and anyone who might combine it with other available information, can realistically pick you back out. Stripped-down records can sometimes still single a person out through a rare combination of details such as postcode, age and occupation, which is why the ICO stresses testing against realistic re-identification, not just removing the obvious labels.

When data is properly anonymised, it is no longer about an identifiable person, so it is no longer yours to control in the legal sense. You cannot make a data subject access request for it, because as far as the law is concerned it is no longer connected to you. That is the trade-off: strong protection of identity in exchange for the end of your individual rights over that specific dataset.

For your own footprint, the practical takeaway is to read carefully when an organisation says it has anonymised your data. If they can still reverse it, contact you from it, or tie it back to your account, it is most likely pseudonymised, and your access, objection and erasure rights still apply. OSINTA is a self-only tool: it can help you see your own footprint and understand which of your rights are in play, then you decide what to do, but it does not make these legal determinations for you or act on your behalf.

Frequently asked questions

Related terms

• Personal data
• GDPR (General Data Protection Regulation)
• Online identifier
• Data protection regulator