Pseudonymisation under the GDPR: what SMEs need to know following the new EU Guidelines

On January 16, 2025, the European Data Protection Board (EDPB) published new guidelines on pseudonymisation, a key concept in data protection under the General Data Protection Regulation (GDPR). If your business collects or processes personal data—whether from customers, employees, or partners—these guidelines could impact how you handle and protect that information.

So, what exactly is pseudonymisation, and how can it help your business stay compliant and reduce risks? Let’s break it down in simple terms.

1. What is pseudonymisation?

Pseudonymisation is a privacy-enhancing technique that helps protect personal data by replacing identifiable information (such as names, email addresses, or ID numbers) with random or coded values. This means that even if someone gains access to the data, they won’t be able to link it directly to an individual without additional information.

However, it’s important to note that pseudonymised data is still considered personal data under the GDPR because, with the right key, it can be re-identified.

Example: Imagine you run an online store and collect customer data for marketing. Instead of storing customer emails directly in your database, you replace them with unique codes. This way, if your data is ever leaked, no one can immediately connect the codes to real people without the separate key that links them back.

2. Why should you care about pseudonymisation?

Pseudonymisation isn’t just a legal requirement—it can help protect your business from data breaches, reduce compliance risks, and even improve customer trust.

If your company processes personal data, GDPR requires you to implement security measures to protect that data. Pseudonymisation is one of the recommended techniques under Article 32 of the GDPR for reducing risks.

If your business suffers a cyberattack and the stolen data is pseudonymised, the risk of exposure is significantly lower. Hackers won’t be able to immediately identify individuals, which could reduce legal and financial liabilities for your company.

Example: If a hacker steals your customer database, but the names and contact details are pseudonymised, the data is far less useful to them, making your business a less attractive target for cybercrime.

If your business faces a data protection investigation, demonstrating that you use pseudonymisation can work in your favour by showing regulators that you take data security seriously. Companies that fail to protect personal data properly risk fines of up to 4% of global turnover under the GDPR.

If your business collects customer data for analysis (e.g., tracking purchasing behaviour), pseudonymisation allows you to use this data without exposing customer identities, making it easier to stay compliant with privacy laws.

3. How can SMEs implement pseudonymisation?

The EDPB’s new guidelines recommend technical and organizational steps to ensure pseudonymisation is effective. Here’s what you can do:

  • Separate identifiers from data
    Keep the identifiable information (like names and contact details) in a different database from the pseudonymised data. Only authorized personnel should have access to both.

    Example: Store customer names in one system and their purchase history in another, linking them with a unique code.

  • Use secure encryption and access controls
    Ensure that only authorized employees can access the “key” that links pseudonymised data to real identities.

    Example: Use password-protected databases and encrypt sensitive data to prevent unauthorized access.

  • Regularly review security measures
    Pseudonymisation techniques should be updated regularly to stay effective against evolving cyber threats.

    Example: Periodically change encryption keys and review who has access to sensitive information.
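The three steps above, shown together in Python as an added example; it is not code from the EDPB guidelines or from this article. The names `IdentityVault`, `pseudonym`, `to_analytics_rows` and the sample orders are assumptions constructed for illustration, and the `authorised` flag stands in for a real access-control check.

```python
import hashlib
import hmac
import secrets

def pseudonym(key: bytes, email: str) -> str:
    """Keyed code for an email. Without the key, codes cannot be recomputed
    by hashing guessed addresses, which a plain unkeyed hash would allow."""
    normalised = email.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()

class IdentityVault:
    """Restricted system (hypothetical): holds the key and the code-to-email table."""

    def __init__(self, key: bytes = b""):
        self._key = key or secrets.token_bytes(32)
        self._table = {}

    def register(self, email: str) -> str:
        code = pseudonym(self._key, email)
        self._table[code] = email.strip().lower()
        return code

    def reidentify(self, code: str, authorised: bool) -> str:
        # Stand-in for a real access-control check on the caller.
        if not authorised:
            raise PermissionError("re-identification requires authorisation")
        return self._table[code]

    def rotate_key(self) -> dict:
        """Switch to a fresh key; return an old-code -> new-code map so the
        separate analytics store can be re-keyed without seeing any email."""
        new_key = secrets.token_bytes(32)
        mapping = {old: pseudonym(new_key, email) for old, email in self._table.items()}
        self._table = {mapping[old]: email for old, email in self._table.items()}
        self._key = new_key
        return mapping

def to_analytics_rows(vault: IdentityVault, orders: list) -> list:
    """Rows for the analytics database: purchase data plus a code, no identifiers."""
    return [{"customer": vault.register(o["email"]), "item": o["item"],
             "amount": o["amount"]} for o in orders]

# Constructed sample data, not real customers.
SAMPLE_ORDERS = [
    {"email": "Anna@example.com", "item": "kettle", "amount": 39.0},
    {"email": "anna@example.com ", "item": "mug", "amount": 8.5},
    {"email": "ben@example.com", "item": "teapot", "amount": 24.0},
]
```

Only the vault ever holds the key and the email table; the analytics rows can be stored and analysed elsewhere, and a key rotation re-codes them through the returned map alone.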

4. Final thoughts

The new EDPB guidelines reinforce that pseudonymisation is a powerful tool for GDPR compliance and data security. As data protection regulations tighten, SMEs that implement these measures will reduce risks, build customer trust, and avoid costly penalties.

Laura Van Gompel VGA Law

Lawyer – Managing Partner

Corporate law - Privacy & Technology - International Contracts
