ICO publishes new guidance on anonymisation and pseudonymisation

Published on 23 September 2025

The question

What are the ICO's latest key recommendations for effective anonymisation and pseudonymisation of personal data?

The key takeaway

The Information Commissioner's Office (ICO) recommends that businesses adopt a proportionate and risk-based approach to implementing anonymisation and pseudonymisation techniques to reduce their exposure under the GDPR whilst harnessing the potential of their data in a privacy-friendly way.

The background

Where personal data is effectively anonymised (such that it does not relate to an identifiable person), it falls outside the scope of the GDPR. However, this is a high standard which businesses typically find challenging to meet. 'Identifiability' is also a broad concept that exists on a spectrum. Pseudonymisation is, therefore, far more achievable but does not eliminate the data protection risk. The ICO's guidance helps businesses to assess identifiability risk, explore new techniques and decide which approach is most suitable for their business.

The development

On 28 March 2025 the ICO published its guidance on anonymisation. The guidance, which is aimed at medium and large businesses and organisations in the public, private and third sectors, covers anonymisation techniques and how anonymisation affects a business's compliance with data protection law.

The guidance explores the standards for effective anonymisation and when an individual can be said to be identifiable. It explains that identifiability is context specific and lies on a spectrum. Businesses must analyse where they lie on this spectrum when assessing identifiability risk. If there are no means that are reasonably likely to be used by the business or a third party to identify an individual, then the data is anonymised. The ICO also explains the two main approaches to anonymisation techniques:

  • generalisation, which reduces the specificity of the data so that it relates to multiple people, and
  • randomisation, which can be used to reduce the certainty that a record relates to a specific person.

The guidance distinguishes between anonymisation and pseudonymisation. Pseudonymised personal data is still within scope of the GDPR but can help reduce risk, improve the security of the data processed, and allow businesses to re-use data for new purposes. The ICO provides recommendations on how to approach pseudonymisation as well as several techniques including:

  • hashing, where cryptographic hash functions transform data into 'hash values'
  • encryption, where data is encrypted and subject to a key for decryption, and
  • tokenisation, where identifiers are replaced with randomly generated tokens.
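
As an added illustration (not taken from the ICO guidance or from this article), the Python example below applies two of the listed techniques, hashing and tokenisation, to constructed sample records. The keyed hash (HMAC-SHA256), the `TokenVault` class and all field names are assumptions of this example; it shows why the output is pseudonymised rather than anonymised, because whoever holds the key or the vault can still link a pseudonym back to a person.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; all values are illustrative.
RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
    {"email": "alice@example.com", "purchase": "pen"},
]

def hash_pseudonym(identifier: str, key: bytes) -> str:
    """Hashing: keyed hash (HMAC-SHA256, an assumption of this example)."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Tokenisation: random tokens, with the mapping held separately."""

    def __init__(self):
        self._by_id = {}
        self._by_token = {}

    def tokenise(self, identifier: str) -> str:
        # Reuse the token for a known identifier so records stay linkable.
        if identifier not in self._by_id:
            token = secrets.token_hex(16)
            self._by_id[identifier] = token
            self._by_token[token] = identifier
        return self._by_id[identifier]

    def reidentify(self, token: str) -> str:
        # Only the vault holder can reverse a token; a data recipient cannot.
        return self._by_token[token]

def pseudonymise(records, replace):
    """Return copies of the records with the email swapped for a pseudonym."""
    return [{"subject": replace(r["email"]), "purchase": r["purchase"]}
            for r in records]

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # must be stored apart from the dataset
    vault = TokenVault()            # likewise held apart from the dataset
    hashed = pseudonymise(RECORDS, lambda e: hash_pseudonym(e, key))
    tokenised = pseudonymise(RECORDS, vault.tokenise)
    print("same person still linkable:", hashed[0]["subject"] == hashed[2]["subject"])
    print("vault holder re-identifies:", vault.reidentify(tokenised[1]["subject"]))
```

Both outputs keep one pseudonym per person, so records remain linkable, and the key or vault must be stored separately from the shared dataset for the pseudonymisation to reduce risk.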

The guidance stresses the importance of implementing appropriate accountability and governance measures when carrying out anonymisation and pseudonymisation. This includes periodically reviewing decisions taken when anonymising personal data and the assessments that underpin them and taking into consideration changes in technology and how that may impact decision making. The timing and frequency of such reviews will depend on the anonymised information and the circumstances of its disclosure and use.

Why is this important?

The ICO’s guidance underscores the importance of anonymisation as a privacy-friendly alternative to processing personal data. This is particularly important for businesses handling large data sets and considering how to derive the most value from such data sets. In addition, for businesses looking to implement AI systems, anonymisation is a particularly useful technique that significantly lowers the risk of processing data to train, or otherwise input into, such AI systems. This ICO guidance should be read alongside guidance previously issued by the European Data Protection Board (EDPB) on the anonymisation of AI models (see our Spring 2025 edition of Snapshots).

Any practical tips?

Businesses looking to adopt anonymisation or pseudonymisation techniques should ensure they have applied the recommendations set out in this guidance. The guidance also contains case studies which provide helpful practical examples. For businesses dealing with large and complex datasets, the ICO suggests that specialist advice is sought. 
