What is the Difference Between Anonymised and Pseudonymised Data in England?

Your organisation will process many different types of information during its day-to-day running. Most data will contain identifiers to an individual, such as an order record containing a customer’s name and home address. However, you may also hold information that does not identify the relevant person. This information may have been ‘anonymised’ or ‘pseudonymised’. As a business owner, it is vital to understand the difference between each type of data and treat each differently under the General Data Protection Regulation (GDPR). This article will explain the differences between anonymised and pseudonymised information and your obligations under the GDPR. 

What is the GDPR?

The GDPR (or ‘UK GDPR’) is shorthand for General Data Protection Regulation. This law obligates your business to handle, store and move information in specific ways.  

The Information Commissioner’s Office (ICO) enforces data protection rules in England. If your company breaches the GDPR, you could face a heavy fine from the ICO.  

What is Anonymised Data?

Anonymised data is another way of describing anonymous information. It can result from carrying out an anonymisation system to ensure information does not identify the relevant person.

Since anonymous data cannot identify any particular individual, it is not ‘personal data’ in terms of the GDPR. This means that the ICO is unlikely to investigate anonymous data because it only protects the identification and harm of data relating to individuals.

What is Pseudonymised Data?

Pseudonymous data is information that, at an early stage, contains data that identifies individuals but is then run through pseudonymisation techniques. These techniques replace or remove all identifying information so that the remaining data is clean and anonymised.

Pseudonymised data is slightly different to truly anonymised data because it is possible to reverse engineer the identity of each individual with the original data. In contrast, this is not possible with truly anonymised data.

Why Use Pseudonymised Data?

Your business may use pseudonymisation data as you can draw vital information from it. For example, you may notice trends such as staff above 40 years old being less happy or staff with more than 10 years’ service being happier than newer employees. In comparison, truly anonymised data would show a percentage of happy versus unhappy staff, with no further information.

It is becoming more common for HR personnel to replace the names of job candidates with a number (e.g. ‘Candidate 4’). Many organisations do so to try and ensure equality and safeguard themselves against future accusations of discrimination from unsuccessful job candidates.

The advantage of using pseudonymised data usually outweighs the obligations placed on your company by the GDPR when handling that data.

Startup Manual

LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.

Download Now

Collecting Pseudonymised and Anonymised Data

If you collect anonymised data, your company will collect the information confidentially. In contrast, if you collect pseudonymised data, your company will appoint someone to obtain the information and then replace or remove identifying information.

Collecting Using anonymised Data Process

Anonymisation Process

If you collect anonymised data, you will likely: 

• invite all staff to use the same web link to provide their feedback;
• ensure the questions within the survey do not help identify them, so for example, do not ask for their specific start date or their age;
• avoid asking for contact details or names at the end; and
• send all the data as one to the company.

When collecting anonymised data, your company will receive pure feedback without mentioning the age, name, start date etc.

Pseudonymisation Process

If you wish to differentiate the feedback of newer staff members from employees with more extended service, you could run a pseudonymisation process as follows:

• invite staff to use a specific web link each to provide their feedback;
• ask them for vague but personal details, so for example, asking them to tick a box to describe their age range, such as between 31-40, 41-50, etc. and select a box to insert their starting year;
• have each set of results sent to the company one by one and recorded in a spreadsheet; and
• when all information is received, remove identifying information.

The usual method of removing identifying information is to provide each staff member with an identification number. For example, you may designate an employee ‘Employee Two’ and, instead of recording ‘seven years’ service’, it could be recorded being ‘between 6-10 years’ service’.

Key Takeaways

As a business owner, you may decide there are instances when you wish to use anonymised data and other times when pseudonymised data is more suitable. For example, pseudonymised data may give you more detailed information. However, it is essential that you know the difference between anonymised data and pseudonymised data because only the latter counts as ‘personal data’. Failure to treat personal information safely and securely can lead to an ICO investigation and a potentially heavy fine against your company.

If you need help with data protection requirements and the safe handling of anonymised and pseudonymised data, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions