Pseudonymization is defined in the GDPR to mean “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
This is normally achieved by removing direct identifiers, such as a name or email address, and replacing them with a pseudonym. This process is also known as data masking or tokenization.
Unlike anonymization, pseudonymization can be set up to be reversible. While pseudonymized data remains personal data under the GDPR, the law encourages organizations to pseudonymize data whenever possible.
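The following sketch is an added example, not part of the original page: it replaces direct identifiers with pseudonyms and keeps the "additional information" needed to reverse them (a secret key and a lookup map) in a separate object. The `Pseudonymizer` class, the `DIRECT_IDENTIFIERS` list, the `psn_` prefix and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")


class Pseudonymizer:
    """Holds the "additional information": the secret key and the
    pseudonym-to-original map. Store it apart from the pseudonymized data."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._vault = {}  # pseudonym -> original value, enables reversal

    def _pseudonym(self, field, value):
        # Keyed HMAC, not a bare hash: without the key, nobody can recompute
        # a pseudonym from a guessed name or email address.
        norm = value.strip().casefold()
        mac = hmac.new(self._key, f"{field}\0{norm}".encode(), hashlib.sha256)
        return "psn_" + mac.hexdigest()[:24]

    def pseudonymize(self, record):
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if out.get(field):
                token = self._pseudonym(field, out[field])
                self._vault.setdefault(token, out[field])
                out[field] = token
        return out

    def reidentify(self, record):
        # Raises KeyError when the vault does not hold the pseudonym.
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if out.get(field):
                out[field] = self._vault[out[field]]
        return out


# Constructed sample records, not real data.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "plan": "pro"},
    {"name": "Alice Example", "email": "ALICE@example.org", "plan": "free"},
]

if __name__ == "__main__":
    p = Pseudonymizer()
    for row in map(p.pseudonymize, RECORDS):
        print(row)
```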