The GDPR does not apply to anonymous information. At face value, anonymizing data to take it out of the scope of GDPR seems attractive for organizations. Digging deeper reveals significant challenges. In practice, anonymization is complex and not always appropriate.

This joint paper is a comprehensive introduction to anonymization policy in the UK, it:

  • Explains how anonymization works in practice, current and emerging technical issues, and the legal test for whether data is anonymous with reference to the legislation, ICO guidance and UK case law.
  • Analyses the UK’s legal and regulatory approach to anonymization, setting out the key technical and business issues that organizations seeking to anonymize data should consider.
  • Compares the UK and European approaches – drawing on jurisprudence from the European Court of Justice and guidance from the European Data Protection Board.
  • Recommends a course of action for organizations attempting to navigate these issues.