Anonymised data

“There can be confusion between pseudonymisation and anonymisation. For example, it is common to refer to datasets as “anonymised” when in fact they still contain personal data, just in pseudonymised form.

This poses a clear risk. For example, a mistaken belief that the processing does not involve personal data could mean that the requirements of UK data protection law are not met. This could result in potential adverse outcomes for individuals.”

“Anonymous data” is not a concept defined under GDPR (it is more or less describes whatever does not fall inside it) but is information that does not relate to an identified or identifiable individual. It is not in scope for GDPR.

Data that was personal but that has been anonymised — that is, permanently stripped of its identifying characteristics so that it is not possible to reverse-engineer it back into the same personal data, is no longer personal data, and is not subject to GDPR. If it has been temporarily masked but can be reconstituted by anyone (whether or not you) with a code of some kind it is “pseudonymised data” and remains personal data.