How Your Business Should Handle Pseudonymised Data in England

Your business will create and store various forms of data, including pseudonymised data. Some businesses confuse this with anonymised data, but the Information Commissioner’s Office (ICO) treats the two types of information differently. It is essential your business handles this information according to the General Data Protection Regulation (GDPR) guidelines. The ICO investigates alleged breaches and can fine non-compliant businesses. This article will explain pseudonymised information, how it differs from anonymised data and how your company must handle it under the GDPR.

What is Pseudonymisation?

Pseudonymised data is information from which all identifying details have been removed or replaced, so that the remaining data does not, on its face, reveal the original person’s identity. For example, a straightforward method is to delete an individual’s address or email address and replace the data subject’s name with ‘Person 5’ or ‘#005’ (or similar).

Pseudonymised data is not truly anonymous. This is because your company will still possess the original data, so it can determine who ‘Person 5’ really is. Because of this, the GDPR defines pseudonymised information as personal data and places specific requirements on your company when processing it.

An Example

Suppose your company has decided to carry out an optional equality survey in the workplace. The purpose is to learn about the workforce’s diversity and set a marker to improve in the future. The questions within the survey include ones relating to each person’s age, ethnicity, religion and opinion on whether they feel your business encourages diversity and equality or not.

If you have a relatively small workforce, it may be possible to identify individuals from their age and the data given, even if the survey does not record names. The results would therefore constitute pseudonymised data because, if you were motivated to do so, you could reverse engineer the identity of the majority of staff.

A proper pseudonymisation process will involve an individual at your organisation obtaining and presenting the information in a less identifiable manner.

For example, they could do so by:

  • giving individuals randomly assigned identities (such as ‘Member 11’);
  • presenting the feedback within one document highlighting comments without reference to age, ethnicity, etc.; 
  • grouping staff members into age categories (such as ‘21-30’, ‘31-40’) rather than attaching exact ages to comments; and
  • carrying out a final check to ensure identity privacy.
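
The four steps above can be sketched in code. This is an added example, not part of the original article: the field names, the sample responses and the minimum group size of 3 used for the final check are all assumptions made for illustration.

```python
import secrets
from collections import Counter

# Constructed sample responses for illustration only (not real data).
RESPONSES = [
    {"name": "Staff A", "email": "a@example.com", "age": 24, "comment": "Good support"},
    {"name": "Staff B", "email": "b@example.com", "age": 27, "comment": "More training"},
    {"name": "Staff C", "email": "c@example.com", "age": 29, "comment": "Feel included"},
    {"name": "Staff D", "email": "d@example.com", "age": 35, "comment": "Unclear policy"},
    {"name": "Staff E", "email": "e@example.com", "age": 38, "comment": "Improving"},
    {"name": "Staff F", "email": "f@example.com", "age": 52, "comment": "No concerns"},
]

def age_band(age):
    """Map an exact age to a ten-year band such as '21-30' or '31-40'."""
    low = ((age - 1) // 10) * 10 + 1
    return f"{low}-{low + 9}"

def pseudonymise(responses):
    """Return (report, key_table); only the report is meant for circulation."""
    numbers = list(range(1, len(responses) + 1))
    secrets.SystemRandom().shuffle(numbers)  # IDs unrelated to input order
    report, key_table = [], {}
    for record, number in zip(responses, numbers):
        member_id = f"Member {number}"
        key_table[member_id] = record["name"]  # the re-identification key
        report.append({"id": member_id, "age_band": age_band(record["age"]),
                       "comment": record["comment"]})  # name, email, exact age dropped
    report.sort(key=lambda row: int(row["id"].split()[1]))  # hide original order
    return report, key_table

def small_groups(report, k=3):
    """Final check (k is an assumed threshold): bands with fewer than k people."""
    counts = Counter(row["age_band"] for row in report)
    return sorted(band for band, count in counts.items() if count < k)

if __name__ == "__main__":
    report, key_table = pseudonymise(RESPONSES)
    for row in report:
        print(row)
    print("Bands needing wider grouping:", small_groups(report))
```

The key table is what keeps the output pseudonymised rather than anonymised, so it should be stored apart from the report with restricted access. Any band flagged by the final check should be merged into a wider group before the report is shared.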

Why is Pseudonymised Data Useful?

Pseudonymised data allows your company to obtain more answers from any survey or study, as you can study and identify trends. For example, common trends may be that staff of a particular age group are happier or newer employees are less happy. Either way, it gives your organisation the chance to figure out why and seek to incorporate any necessary changes. In comparison, truly anonymised data would simply show a percentage of satisfied versus unsatisfied employees without explaining why.


Pseudonymised Information is ‘Personal Data’

The ICO monitors data protection issues and can launch investigations into the misuse of personal data. Since ICO fines can range up to £17.5m, you must correctly handle, store, and process personal data. In reality, pseudonymous data is usually relatively safe to handle if your business does not combine it with identifying information. So, for example, if someone were sent an email with a copy of the pseudonymous report and a spreadsheet listing each name against each identification number (e.g. Joe Bloggs = Employee 3), this would be a likely data breach.

Key Takeaways

Under the GDPR, your company should always take special care of any information that could potentially identify an individual. Pseudonymising data is a good way to collect and store information. In most situations, recording pseudonymised information is safe because the act of producing it removes personal information. Furthermore, it enables your business to collect more useful data to make strategic decisions. Generally, the less personal information a document contains, the lower the risk of a personal data breach.

If you need help with data protection requirements and the safe collection and handling of pseudonymised data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why is anonymous data not treated as ‘personal data’?

Your organisation cannot trace properly anonymised data back to the original person. The purpose of the GDPR is to protect an individual (known as a ‘specific data subject’) by preventing the distribution of personal information. So if it is impossible to know who they are, there is little risk of breaching their data protection rights.

Is there a single approved pseudonymisation technique?

No. Your company must tailor the process of removing identifying information on each occasion. The starting point is usually to replace each name with an identification number.

Thomas Sutherland
