Skip to content

My Business in England Uses Pseudonymised Data. What Legal Mistakes Should I Avoid?

Table of Contents

As a business owner handling personal data, you must avoid these errors when using pseudonymised data. Some data relate to individuals, customers and clients, while others are confidential and commercial. While most information exists to provide maximum detail, some forms of data aim for the opposite. This article will explore why some companies in England utilise pseudonymised information and the potential legal implications that come with its use. This should enable your business to weigh up the usefulness of pseudonymised data.

What is Pseudonymised Information?

Pseudonymised data is a form of amended information. The main aim of pseudonymisation is to protect the identities of individuals. So, for example, you could amend a list of daily customers to read ‘purchaser 1’ rather than naming the identifiable natural person. This would mask their identity and make the information more anonymous.

This sounds relatively straightforward as, in reality, it is a process within which you substitute identifiable personal information of any data subject for neutral terms. Let us explore a couple of the most significant errors businesses in England make.

1. Equating Pseudonymised Data and Anonymous Data

As you are likely aware, the General Data Protection Regulation (UK GDPR) sets data protection rules for businesses in England.

There are two main types of data under the GDPR, which are:

  • personal data – this covers information that can help identify an individual (for example, their name, address, telephone number or date of birth); and
  • anonymised data – this is anonymised information that contains no data that can be traced back to any individual.

At first glance, many businesses in England believe pseudonymised data constitutes anonymous data. This is because the identifiable information is removed and replaced with a more neutral label.

However, the Information Commissioner’s Office (ICO) advises that pseudonymised data is information that has had data removed but is not truly anonymous. In essence, it is akin to semi-anonymous information.

Let us consider how pseudonymised information is semi-anonymous. We will consider an example below.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Example

Let us pick up the above example of your business substituting customer names for ‘purchaser 1’ and ‘purchaser 2’. At the end of a business day, you have four orders by individuals for power tools. Your pseudonymised data spreadsheet records them as follows:

  1. Purchaser 1
  2. Purchaser 2
  3. Purchaser 3; and
  4. Purchaser 4.

But in a different tab of the same spreadsheet, you have a list of delivery addresses for those individuals. Because you have listed the individuals in chronological order throughout the day, your business has possession of the time entries for their home addresses and card data within the same spreadsheet. So, if needed, you could reverse engineer their personal identifiers from additional data in your possession.  

Any information your organisation can reverse-engineer is not truly anonymous and will, instead, be called pseudonymised data.

What would be truly anonymous? One step would be to assign random titles for the purchasers which are not in chronological order, such as ‘t829’, ‘g232’, y652’ and ‘u892’.  Another step would be to ensure the spreadsheet only contains an anonymous data tab and no further information.

2. Underestimating ICO Regarding Pseudonymised Information

Some business owners make the mistake mentioned above of labelling pseudonymised information as ‘anonymous data’. In this way, they believe that the GDPR rules on processing personal data do not apply to that information because they mistakenly believe that pseudonymised data does not constitute personal data.

Unfortunately, because you can reverse-engineer it, it does constitute personal data. Thus, handling information outside the principles of the GDPR could lead to fines of up to £17.5 million.

Many businesses learn this the hard way by believing the information to be truly anonymous and then suffering a formal investigation by the ICO. Where the ICO believes a company has breached data protection law, it is likely to strongly consider a hefty financial penalty.

Key Takeaways

The easiest way to ensure information is pseudonymised is to keep it away from data that could reverse engineer the relevant people’s identities. Overall, using pseudonymised information is a good idea in some situations (such as employee surveys), as removing personal information from documents is welcomed by the ICO. However, the primary way businesses in England get into hot water is when they mistakenly label the data as ‘anonymous’ for the purposes of the GDPR when it is not.

Because of this, many business owners consult expert lawyers when they need clarification as to whether information constitutes pseudonymised data or truly anonymous information.

If you need help handling pseudonymised data correctly, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Why does the GDPR not apply to ‘truly anonymous’ data?

Because the GDPR and ICO believe that a business cannot breach the data protection rights of an individual it cannot identify. So, for example, if a cyber attack resulted in hackers obtaining a document solely listing random identifiers for individuals with no personal data, it could not cause serious harm.

Why do businesses use pseudonymised data? 

Some common examples of pseudonymised information include job recruitment exercises and customer purchase data. For example, your business may wish to examine trends in the purchase of certain items in specific months of the year and, to do so, needs purchase numbers rather than personal identities.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards