Explore how the ICO’s March 2025 guidance helps organisations use anonymisation to unlock data value while meeting UK GDPR compliance and strengthening accountability.
As the prevalence of data-driven innovation increases, organisations must ensure that this data is being handled with the necessary level of responsibility, which for some data means that anonymisation is necessary. On 28 March 2025, the UK’s Information Commissioner’s Office (ICO) published updated anonymisation guidance aimed at helping organisations transform personal data into anonymous information—allowing for innovation, research, and transparency without compromising individuals’ privacy.
This comprehensive guide sits alongside the ICO’s data sharing code of practice and applies across general processing (UK GDPR), law enforcement, and intelligence services regimes. It is particularly relevant for organisations using large data sets for AI training, service development, research, or when handling freedom of information requests.
What Is Anonymisation and Why Does It Matter?
Anonymisation is the process of turning personal data into anonymous information—data that no longer relates to an identified or identifiable individual. Data can be effectively anonymised, allowing it to be reused or shared with fewer legal constraints.
To understand anonymisation, it’s essential to grasp the definition of personal data under the UK GDPR and DPA 2018. Personal data relates to data of any individual who can be identified—directly or indirectly—by identifiers such as a name, ID number, location data, or one or more unique traits.
Anonymisation vs. Pseudonymisation: Key Differences
The guidance also differentiates between:
– Anonymisation: Fully removes identifiability. The individual cannot be re-identified by any reasonable means.
– Pseudonymisation: Separates identifiers from the data but keeps a way to re-link them—typically through a key that must be securely stored. This is still classed as personal data under data protection law.
Practical Highlights from the ICO Guidance
Your organisation can benefit from these key takeaways in the new guidance:
The ICO guidance clarifies that anonymisation must be effective for all parties involved.
A notable clarification from the ICO is that data is only truly anonymised if it is anonymised in the hands of the controller. For example:
“A processor only processes personal data on your behalf. This means the status of the data in your hands is what matters.”
This has long been a point of discussion with clients, and the ICO’s confirmation reinforces existing best practices.
The ICO guidance recommends using the ‘Motivated Intruder Test’ to assess risk.
An interesting addition under “How do we ensure anonymisation is effective?” is the motivated intruder test. This test involves evaluating whether someone—reasonably motivated and resourced—could identify individuals IN YOUR DATASET using publicly available tools and data.
This is not always a step organisations take when advising on anonymisation, but the ICO suggests it as a practical risk assessment approach. It’s an area where expert support could help clients improve data governance.
The guidance recommends following a tailored process for each context under the section “How should we approach pseudonymisation?”.
The guidance recommends following a tailored process for each context under the section “How should we approach pseudonymisation?”. This includes assessing identifiability risk, implementing adequate security, and separating identifiers from data sets. This can be especially useful in helping organisations demonstrate accountability and compliance.
The guidance recommends Data Protection Impact Assessments (DPIAs) for anonymisation activities.
This guidance emphasizes the importance of a Data Protection Impact Assessment (DPIA) as a necessary accountability and governance measure. It highlights the role of a DPIA in structuring decision-making around anonymisation, identifying risks to individual rights and freedoms, and documenting mitigation strategies. This reinforces the concept that anonymisation should be approached as a strategic, governance-level decision, rather than solely a technical exercise.
Data anonymisation benefits organisations by enabling data sharing, reuse, innovation, and transparency, while reducing legal and compliance burdens.
By effectively anonymising data, organisations can share or reuse data with fewer legal constraints. They can also innovate responsibly with reduced risk, and meet transparency obligations. Additionally, anonymisation can enable societal benefits through open data initiatives and reduce compliance burdens under the UK GDPR.
The ICO’s anonymisation guidance offers practical steps for organisations to reassess and improve their data strategy to ensure compliance and privacy.
The ICO’s March 2025 anonymisation guidance offers practical steps for ensuring that data processing remains privacy-friendly, compliant, and risk-aware. With clearer definitions, updated risk assessments like the motivated intruder test, and stronger recommendations on pseudonymisation and DPIAs, this guidance positions anonymisation not just as a technical tool—but as a cornerstone of responsible data strategy. For organisations and their advisors, this is a valuable opportunity to reassess existing practices, reinforce compliance, and develop new accountability frameworks that respond to regulatory expectations.
