The EDPB just clarified that most "anonymization" tools are actually pseudonymization tools. Here's what that means for your GDPR compliance strategy.
The Challenge
The EDPB's January 2025 Guidelines 01/2025 on Pseudonymisation introduced the concept of a "pseudonymisation domain" and stated that pseudonymisation secrets must be protected by strong technical and organizational measures. Critically, the guidelines clarify that pseudonymized data remains personal data under GDPR; only true anonymization (irreversible by anyone) falls outside GDPR scope. This creates a compliance gap for organizations that believed their "anonymized" data was outside GDPR. Many tools marketed as "anonymization" tools actually produce pseudonymized data (reversible tokenization), meaning their output is still subject to GDPR. DPOs scrambling to understand the new guidance are asking: "Does our tool produce anonymization or pseudonymization under the new EDPB definition?"
By the Numbers
- GDPR fines reached €1.2B in 2024 — record year (DLA Piper 2025)
- 77% of employees share sensitive work information with AI tools at least weekly (eSecurity Planet/Cyberhaven 2025)
Technical Approach
anonym.legal explicitly offers both modes: irreversible anonymization (Replace/Redact/Mask/Hash — no recovery possible, output is truly anonymous under EDPB guidelines) and pseudonymization (Encrypt — reversible with key, output is pseudonymized personal data under GDPR). This explicit distinction allows DPOs to choose the appropriate method for their use case and document their choice correctly for regulatory purposes.