ICO Anonymisation Guidance – Implications and Recommendations

29 April 2025
Executive Summary
On March 28, 2025, the UK Information Commissioner's Office (ICO) published its long-in-draft and equally long-awaited new guidance on anonymisation practices. The guidance provides much-needed clarity on how the ICO interprets the tricky concept of anonymity, will help organisations determine whether data they handle is subject to UK data protection laws, and offers both opportunities and challenges for organisations engaged in anonymisation processes. By providing clearer standards for compliance in real life, the ICO’s guidance represents practical instruction for organisations to ensure responsible data sharing, especially concerning the public dissemination of data.
The guidance adopts the classic ICO-style pragmatic, risk-based approach to anonymisation that focuses on what is "reasonably likely" rather than what is theoretically or logically possible. Under the UK GDPR at least, the idea of ‘absolute anonymity’ is now fully defunct. As with nearly everything else in privacy, anonymisation is contextual.
Background
The distinction between personal and anonymous data has long been crucial for regulatory compliance, as truly anonymised data falls outside the scope of the GDPR entirely. However, achieving effective anonymisation while maintaining data utility (which are inversely proportional) has been challenging for organisations, with previous guidance often lacking sufficient clarity on practical implementation. This new guidance aims to address these gaps while recognising the contextual nature of identifiability.
Key Components of the ICO Guidance
The guidance covers a wide range of issues associated with anonymisation, starting with clear definitions that distinguish between anonymisation, pseudonymisation, and de-identification—three terms often incorrectly used interchangeably. The guidance explicitly cautions against using the term "de-identified", noting it lacks formal definition in UK GDPR.
The guidance also assesses practical implementation through a context-specific lens. It examines how the same dataset might be considered identifiable or anonymous depending on who holds it and what additional information they possess. This represents a significant evolution from more absolute approaches to anonymisation seen in earlier regulatory positions.
At its core, the guidance establishes a reasonable likelihood standard for evaluating re-identification risks. Organisations need only consider what is realistically possible given available resources, motivations, and technical capabilities—not every theoretical possibility. This pragmatic stance acknowledges that perfect anonymisation is frequently unattainable and confirms that data protection law shouldn't demand it.
The guidance also provides practical direction on implementing effective anonymisation and pseudonymisation, covering methods like data masking, perturbation (adding statistical noise), aggregation, and statistical approaches such as k-anonymity, l-diversity, and t-closeness. Each technique is presented with its strengths, limitations, and appropriate use-cases.
The ICO introduces another new privacy assessment document (to be filed alongside transfer impact assessments, data protection impact assessments, AI impact assessments, and so on), the identifiability risk assessment, which sets out the type of factors and risk calculus that controllers should consider when deciding whether any given data set meets the threshold of true anonymity. Importantly, for ongoing compliance, the guidance establishes clear expectations for regular reassessment. It recognises that anonymisation is not a one-time exercise but requires vigilant monitoring as re-identification techniques advance, new complementary datasets become available, and processing contexts evolve.
A Spectrum of Identifiability
At the heart of the ICO's guidance is the "Spectrum of Identifiability." Rather than treating data as either fully personal or fully anonymous, the ICO recognises that identifiability exists on a spectrum that shifts according to context and circumstances (Figure 1).
This spectrum acts as a sliding scale: on one end lies clearly identifiable personal data (e.g. containing names, addresses, or unique identifiers), while on the opposite end sits truly anonymous information that cannot be linked to individuals. Between these poles exists a dynamic range where data may move back and forth depending on changing factors.
The ICO's approach acknowledges that what constitutes anonymous data in one context may become identifiable in another. For example, birth year information might allow singling out an individual within a family but not within a larger population dataset. Similarly, data that was once sufficiently anonymised might become identifiable as new technologies or complementary datasets emerge.
This context-dependent framework applies a reasonable likelihood standard, explored through the concept of a motivated intruder. The essential question is: ‘is it reasonably likely that a motivated intruder is able to re-identify a data set?’ Organisations need not account for every theoretical re-identification possibility, only what is reasonably likely given specific circumstances. The ICO acknowledges that reducing identifiability risk to zero is often impossible and not legally required under UK GDPR.
The guidance clearly distinguishes between anonymisation (which places data outside GDPR scope entirely) and pseudonymisation (where data remains personal but with enhanced protections).
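To make the spectrum concrete, the following is an added example (not from the ICO guidance or this note) that applies two of the statistical measures named earlier, k-anonymity and l-diversity, to constructed records: the same birth-year field singles out everyone in a small household but not in a larger extract, and generalising exact years into decade bands raises k only in the larger context. The record values, the `condition` attribute and the k/l helper functions are assumptions made up for the illustration.

```python
from collections import defaultdict
# Constructed sample records for illustration only (not data from the ICO guidance).
# birth_year/postcode are quasi-identifiers; condition is the sensitive attribute.
FAMILY = [  # one household: every member has a distinct birth year
    {"birth_year": 1961, "postcode": "AB1", "condition": "asthma"},
    {"birth_year": 1963, "postcode": "AB1", "condition": "diabetes"},
    {"birth_year": 1990, "postcode": "AB1", "condition": "asthma"},
    {"birth_year": 2018, "postcode": "AB1", "condition": "eczema"},
]
POPULATION = [  # a larger extract where birth years repeat
    {"birth_year": 1961, "postcode": "AB1", "condition": "asthma"},
    {"birth_year": 1961, "postcode": "AB1", "condition": "diabetes"},
    {"birth_year": 1961, "postcode": "AB1", "condition": "asthma"},
    {"birth_year": 1963, "postcode": "AB1", "condition": "hypertension"},
    {"birth_year": 1963, "postcode": "AB1", "condition": "asthma"},
    {"birth_year": 1990, "postcode": "AB2", "condition": "asthma"},
    {"birth_year": 1990, "postcode": "AB2", "condition": "diabetes"},
    {"birth_year": 1992, "postcode": "AB2", "condition": "asthma"},
    {"birth_year": 1992, "postcode": "AB2", "condition": "asthma"},
    {"birth_year": 1992, "postcode": "AB2", "condition": "diabetes"},
]
QUASI_IDS = ("birth_year", "postcode")

def equivalence_classes(records, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes

def k_anonymity(records, quasi_ids):
    """k = size of the smallest class; k == 1 means someone can be singled out."""
    return min(len(c) for c in equivalence_classes(records, quasi_ids).values())

def l_diversity(records, quasi_ids, sensitive):
    """l = fewest distinct sensitive values in any class; l == 1 leaks the attribute."""
    return min(len({r[sensitive] for r in c}) for c in equivalence_classes(records, quasi_ids).values())

def generalise_birth_year(records, width=10):
    """Generalisation (a form of aggregation): replace 1963 with the band '1960s'."""
    return [{**r, "birth_year": f"{r['birth_year'] // width * width}s"} for r in records]

def identifiability_report(records, quasi_ids=QUASI_IDS, sensitive="condition"):
    """Summarise how a release measures against the k and l thresholds a risk assessment sets."""
    return {"k": k_anonymity(records, quasi_ids), "l": l_diversity(records, quasi_ids, sensitive)}

if __name__ == "__main__":
    for name, data in (("family", FAMILY), ("population", POPULATION)):
        print(name, "exact years:", identifiability_report(data))
        print(name, "decade bands:", identifiability_report(generalise_birth_year(data)))
```

The household stays at k=1 even after banding, while the larger extract moves from k=2 to k=5, which is the point of the spectrum: the measure is a property of the data in its context, not of the field alone.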
Risk Implications for Businesses
The guidance presents both opportunities and risks:
Opportunities include:
- Greater legal certainty for compliance;
- Potential expansion of anonymised data usage;
- Reduced compliance burden for truly anonymised datasets;
- Easier data sharing; and
- Lower risks in anonymised data sets.
Risks include:
- Ongoing reassessment obligations;
- Incorrect application of the guidance could lead to regulatory action;
- Shifting from absolute to contextual standards may create implementation challenges.
Businesses must particularly note the ICO's emphasis on documenting methodologies, maintaining separate registers for anonymised datasets, training staff on re-identification risks, and reviewing datasets regularly.
Divergence from EDPB Guidance
It's important to recognise that the ICO's pragmatic approach creates notable divergence from the European Data Protection Board's (EDPB) current guidance on anonymisation and pseudonymisation. While the ICO embraces a context-dependent framework that focuses on what is "reasonably likely," the EDPB generally adopts a more absolute standard. The EDPB's approach often considers any theoretical possibility of re-identification—no matter how remote—as sufficient to classify data as personal, creating a much higher and complex bar for data to be considered truly anonymous.
This regulatory divergence creates particular challenges for organisations operating within the UK and EU jurisdictions. A dataset deemed sufficiently anonymised under the ICO's guidance might still be considered personal data under the EDPB's more stringent interpretation. This distinction reflects the UK's post-Brexit move toward a more risk-based, contextual implementation of data protection principles that aims to balance privacy with innovation and practical implementation. Organisations must carefully consider these differences when developing cross-border data strategies, potentially implementing different standards for UK and EU operations.
Recommendations for Lucid Clients
We recommend that Lucid Clients review any existing anonymisation and pseudonymisation techniques against the new contextual approach. Specifically:
- Document everything: Create comprehensive records of anonymisation methodologies, identification risk assessments, and decision-making processes.
- Implement strong governance structures: Establish clear ownership of anonymised datasets with regular, ongoing review cycles.
- Train relevant staff: Ensure teams understand the distinction between anonymisation and pseudonymisation, and the contextual nature of identifiability.
- Reassess regularly: Schedule periodic reviews of anonymisation measures as technologies, available data, and processing contexts evolve.
Conclusion
The ICO's guidance represents a balanced approach that acknowledges the relative nature of anonymisation while providing practical standards for compliance. By adopting a risk-based methodology focused on reasonable likelihood rather than theoretical possibilities, organisations have an opportunity to expand their use of anonymised data while maintaining robust privacy protections. Implementing the recommendations above will help organisations navigate this evolving regulatory landscape effectively.