News top


One of the most interesting terms, that was introduced under the GDPR is the so called “Pseudonymization”.

It is one of the means for securing Personal Data and is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific Data Subject without the use of additional information”. In other words it means replacing any identifying characteristics of data with pseudonym – a value which does not allow the data subject to be directly identified. For example, replacing people’s names and phone numbers with random numbers.

It is important to distinguish pseudonymization from anonymization. If the data is anonymous, it contains no information that could potentially identify an individual and therefore it is not considered Personal Data by GDPR. Pseudonymized data provides a limited identity protection and in many cases you can still identify the data subject by analyzing the underlying or related data, thus it is considered as Personal Data.

There are numerous available pseudonymization methods. They come in a variety of price ranges and security guarantees and can also slow down company’s processes. Therefore pseudonymization must be considered in terms of the sensitivity of the data being processed and the impact it has on the data subjects during processing. A few examples of pseudonymization methods include:

Data Masking - pseudonymization technique that involves altering or replacing a record or part of a record without changing its format. Example of data masking:

Real dataMasked data
NameSocial Security NumberNameSocial Security Number
John Doe467-897-786Erik Smith879-143-654


Encryption – cryptographic process that converts data into an unreadable format (ciphertext) so that only individuals or systems with access to the appropriate key can decrypt and read it. The GDPR requires for the additional information (such as the decryption key) to be kept separately from the pseudonymized data.

Tokenization - is a non-mathematical approach to protecting data at rest that replaces sensitive data with non-sensitive substitutes, referred to as tokens. The tokens have no extrinsic or exploitable meaning or value. Tokenization does not alter the type or length of data, which means it can be processed by legacy systems such as databases that may be sensitive to data length and type

The pseudonymization is only one of the novels in the GDPR, which you need to take into consideration and to be compliant with. If you feel lost and need help with the rest GDPR regulations – you’ve come to the right place. GDPRQ is an easy-to-understand GAP Analysis tool for your organization. Start your journey today on


Website last updated: 2019.04.05