Data anonymisation: The ICO's latest compliance guidance

On 28th March 2025, the Information Commissioner’s Office (ICO) released new guidance on data anonymisation. Effective anonymisation techniques can be used to draw data outside the scope of the UK GDPR and facilitating data sharing without compromising privacy. The guidance outlines the ICO’s key principles and techniques for anonymising data, summarised below.

What is anonymisation?

To be effectively anonymised for the purposes of the UK GDPR, data must be manipulated so that the likelihood of a person being identified or identifiable is reduced to ‘a sufficiently remote level’. The ICO acknowledges that anonymisation is not an exact science and instead operates within a ‘spectrum of identifiability’ that changes depending on factors such as technological developments.

Tests for compliance

Two key tests apply to assess whether personal data has been effectively converted into anonymous information.

The test of anonymisation (set out in Recital 26 of the UK GDPR) requires investigating the reasonable likelihood of someone being identified from the data, taking into account:

• linkability (i.e. whether an individual can be identified through multiple records, either across a single system or different systems) and/or singling out (i.e. testing if an individual can be singled out across records, or isolated from a data set), and all objective factors (e.g. costs required, time taken to identify, and available technology for identification attempts).
• Businesses relying on these steps should document their findings to demonstrate effective testing of anonymised data has occurred.

The ICO also requires the "motivated intruder test" is used and recommends results are recorded as part of a risk assessment. Businesses must consider all practical steps and means reasonably likely to be used by someone motivated to identify individuals and, for the purposes of the test, it is assumed that:

• the motivated intruder is reasonably competent,
• the motivated intruder has access to appropriate resources (e.g. the internet), and
• the motivated intruder uses investigative techniques (e.g. making enquiries to people with relevant knowledge about the individual).

The ICO guidance provides further detail on factors to be considered (e.g. the perceived value of the data to the motivated intruder) and obvious sources of information for motivated intruders.

Ongoing obligation to assess

Crucially, compliance is not a one-time event. Businesses must re-assess identification risks following a change in circumstances. The ICO’s guidance includes a comprehensive list of examples when this may be necessary, including if new data sets are released which increase the risk of linkability or where new recipients are going to be granted access to the data.

Balancing your data risk with commercial benefits

Anonymisation provides businesses with a mechanism to leverage the power of their data and effective anonymisation is key to data integrity and compliance. Our Commercial & Technology team specialises in data protection and can advise on GDPR concerns, including anonymisation. If you would like to discuss data matters further, contact our team today at [email protected]. ​​​