THE LENS
Digital developments in focus

Anonymisation and pseudonymisation are in vogue: first the EDPB, and now the UK ICO issues new guidance

The Information Commissioner’s Office (ICO) has finally issued long-anticipated guidance on anonymisation and pseudonymisation practices, consolidating and streamlining a series of drafts that it had previously consulted on. Authorities appear keen to focus on these matters in 2025: as we discussed earlier this year (see our blog here), the European Data Protection Board (EDPB) has also recently issued guidance on pseudonymisation.

In this blog we will outline the main takeaways that you need to know about this new ICO guidance.

A practical piece of advice

Various audiences may be interested in this guidance for different reasons. For example, an in-house lawyer or a DPO will most likely want to understand the legal and governance implications of anonymisation and pseudonymisation, while a member of an IT department may use the guidance to determine if the measures implemented by the company are sufficient from a technical standpoint.

The ICO recognises this diversity and has provided a helpful guide at the beginning to indicate which sections are relevant to different readers. Specifically, the ICO suggests that a technical expert should focus on the sections on identifiability and useful technologies, while a decision-maker should read the sections explaining the concepts and the one on accountability and governance. Therefore, if someone is short on time, they can focus only on the sections that will actually be useful to them. That said, the sections clearly interrelate, so from a legal perspective it is necessary to consider relevant parts of each when assessing a particular approach to anonymisation. 

Transfer of data

Anonymisation and pseudonymisation are closely related concepts, but they differ significantly in legal effect. Information that has been anonymised can no longer be linked to an individual, so the UK GDPR does not apply to it. Pseudonymised information, by contrast, can still be linked to an individual by combining it with additional information that is held separately (for example, the key or lookup table used to generate the pseudonyms), so it remains personal data and the UK GDPR continues to apply. Pseudonymisation is therefore a risk-reducing security measure, not a way out of the regime.

Despite this, these concepts can sometimes be difficult to differentiate. For example, if a controller receives pseudonymised data but does not have the additional information to identify the individual, should this be considered personal data or anonymised data? The answer to this question has historically divided the EU and the UK: while the ICO has concluded that information can be personal data in one person’s hands but anonymous in another’s, the EDPB has clearly rejected this possibility.

In its new guidance, the ICO has maintained its previous approach, but it has not been as clear as we had hoped: the guidance contains some contradictory statements that add to the uncertainty. The ICO also appears to have narrowed the test. It excludes the so-called 'whose hands' analysis where pseudonymised information is shared with a joint controller or a processor, so that, in the ICO's view, such information is not treated as anonymous in the hands of that joint controller or processor.

Hypothetical vs real risks

Organisations face countless security and data protection risks, which makes it hard to judge the real likelihood that an individual could be identified from a given dataset. The ICO guidance offers helpful advice on this point: when assessing whether information has been effectively anonymised, data controllers should disregard purely hypothetical or theoretical possibilities of identification and focus on what is reasonably likely in the circumstances. 

To assist with this analysis, the ICO sets out in more detail the 'motivated intruder' test that organisations should apply, including a non-exhaustive list of the types of information the intruder should be assumed to have access to. Given how much information is already publicly available, this means that true anonymisation to a GDPR standard is hard to achieve without techniques such as generalisation, which reduce the precision of the data so that a record no longer singles out one person. 
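To make the distinction concrete, the following Python illustration (added here; it is not code from the ICO guidance or from this post, and the records, the "public register" and the key are all constructed) pseudonymises a dataset with a keyed HMAC whose key is held separately, shows that only the key holder can re-link the tokens, and then runs a motivated-intruder style linkage check on the remaining quasi-identifiers (age and postcode) before and after generalisation. The point it demonstrates is that replacing the name is not enough: an intruder holding a register of names, ages and postcodes can still single out each record without ever seeing the key, until the data is generalised.

```python
"""Pseudonymisation with a separately held key, plus a motivated-intruder
linkage check before and after generalisation.

Added illustration: the records, the register and the key below are all
constructed for this example and do not come from the ICO guidance.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records about fictitious people.
RECORDS = [
    {"name": "Ada Example", "age": 34, "postcode": "SW1A 1AA", "condition": "asthma"},
    {"name": "Bob Example", "age": 36, "postcode": "SW1A 2BB", "condition": "asthma"},
    {"name": "Cy Example",  "age": 52, "postcode": "EC1A 1BB", "condition": "diabetes"},
    {"name": "Di Example",  "age": 58, "postcode": "EC1A 9CC", "condition": "diabetes"},
]

# Constructed stand-in for information a motivated intruder is assumed to
# hold: a listing of names with ages and full postcodes.
PUBLIC_REGISTER = [
    {"name": "Ada Example", "age": 34, "postcode": "SW1A 1AA"},
    {"name": "Bob Example", "age": 36, "postcode": "SW1A 2BB"},
    {"name": "Cy Example",  "age": 52, "postcode": "EC1A 1BB"},
    {"name": "Di Example",  "age": 58, "postcode": "EC1A 9CC"},
    {"name": "Eve Example", "age": 31, "postcode": "SW1A 0AA"},
    {"name": "Fay Example", "age": 55, "postcode": "EC1A 4DD"},
]

# The "additional information" of the pseudonymisation step: a secret key that
# must be stored separately from the pseudonymised dataset (constructed value).
PSEUDONYM_KEY = b"constructed-key-held-separately-by-the-controller"


def pseudonym(name: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Unlike a plain hash of the name, it cannot be
    rebuilt by anyone who does not hold the key, so a recipient cannot simply
    hash a list of candidate names to reverse it."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier (name) with a token; other fields are kept."""
    return [
        {"token": pseudonym(r["name"], key), **{k: v for k, v in r.items() if k != "name"}}
        for r in records
    ]


def relink(pseudo_records, key, candidate_names):
    """What the key holder can do: map tokens back to names. A party holding
    the same candidate list but not the right key gets None for every token."""
    table = {pseudonym(n, key): n for n in candidate_names}
    return {r["token"]: table.get(r["token"]) for r in pseudo_records}


def generalise(record):
    """Generalisation: age to a ten-year band, postcode to its outward code."""
    g = dict(record)
    g["age"] = (record["age"] // 10) * 10
    g["postcode"] = record["postcode"].split()[0]
    return g


def quasi_identifier(record):
    """Fields that are not direct identifiers but can be linked to a register."""
    return (record["age"], record["postcode"])


def intruder_group_sizes(pseudo_records, register):
    """For each pseudonymised record, count register entries sharing its
    quasi-identifiers. A size of 1 means the intruder can single that person
    out without ever seeing the pseudonymisation key."""
    counts = Counter(quasi_identifier(p) for p in register)
    return [counts[quasi_identifier(r)] for r in pseudo_records]


def min_group_size(pseudo_records, register, generalised=False):
    """Smallest linkage group across the dataset, optionally after generalising
    both the dataset and the intruder's register."""
    if generalised:
        pseudo_records = [generalise(r) for r in pseudo_records]
        register = [generalise(p) for p in register]
    return min(intruder_group_sizes(pseudo_records, register))


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, PSEUDONYM_KEY)
    names = [p["name"] for p in PUBLIC_REGISTER]
    print("key holder re-links:", relink(pseudo, PSEUDONYM_KEY, names))
    print("wrong key re-links:", relink(pseudo, b"wrong-key", names))
    print("smallest group, raw quasi-identifiers:", min_group_size(pseudo, PUBLIC_REGISTER))
    print("smallest group, generalised:", min_group_size(pseudo, PUBLIC_REGISTER, generalised=True))
```

Run stand-alone, the script shows the key holder recovering all four names, a party with the wrong key recovering none, a smallest linkage group of 1 on the raw age and postcode (every record is unique against the register, so the pseudonymisation key is irrelevant to the intruder), and a smallest group of 3 once ages are banded and postcodes truncated. Whether a group of 3 is "reasonably likely" to defeat a motivated intruder is exactly the judgement the guidance asks controllers to document, and the threshold depends on the data and the release context rather than on this illustration.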

Data governance

Implementing adequate anonymisation or pseudonymisation techniques alone is not sufficient – data controllers must also demonstrate compliance with their legal obligations. To achieve this, data controllers should document their decision-making processes. Additionally, it is good practice to appoint someone of sufficient seniority to oversee the anonymisation process and decision-making. The ICO suggests that this person should be different from the DPO, such as a Senior Information Risk Owner.

As this is not a statutory code, it’s not mandatory. However, the ICO will of course consider this guidance when assessing an organisation's compliance. As ever, it will therefore be important for an organisation to document its approach to meeting its obligations, whether it follows the guidance or not. 

