What is the difference between pseudonymization and anonymization, and why does it matter under GDPR?
Pseudonymization is reversible (identities can be recovered with a key); anonymization is irreversible. Under GDPR, pseudonymized data is still personal data, while properly anonymized data falls outside the regulation.
| Pseudonymization | Anonymization | |
|---|---|---|
| Reversible? | Yes, with the secure key/mapping | No — irreversible by design |
| Re-identification | Possible for authorized parties | Impossible even with extra info/compute |
| Data linkage | Maintained | Lost |
| Privacy level | Lower | Higher |
| Utility | Higher | May be reduced |
The legal punchline: because pseudonymized data can be linked back to a person, GDPR still treats it as personal data — all the obligations (consent, rights, breach rules) apply. Truly anonymized data is no longer "personal data," so it falls outside GDPR's scope.
Tip: Tokenization, encryption with retained keys, and reversible hashing are pseudonymization — not anonymization. Don't claim GDPR exemption for data you can still re-link.
Go deeper:
Pseudonymization (Wikipedia) — GDPR treatment and the reversibility distinction that keeps data "personal".