In its latest plenary session, the European Data Protection Board (EDPB) announced the publication of guidelines on data pseudonymisation, one of the key pillars of the GDPR. Additionally, the EDPB addressed the intersection of data protection and competition laws, highlighting the need for more effective regulatory cooperation in the future.

The guide can be found here:
EDPB Pseudonymisation Guidelines

These guidelines are open for public consultation until February 28, 2025. This is an important step for companies, governments, and specialists to provide their insights; something quite similar to what happens in Brazil when the National Data Protection Authority (ANPD) launches a public consultation.

So, what's in the guide?
The guidelines provide insights on how to apply pseudonymisation as a security measure for the protection of personal data. Key highlights include:

• Risk Reduction: Pseudonymisation makes it harder to identify individuals, and in the case of data breaches, mitigates the impact on data subjects.

• Compatibility with Legitimate Interests: When properly applied, it facilitates the use of data under Article 6(1)(f) of the GDPR, ensuring that original purposes are respected.

• Technical Implementation: The guide outlines techniques like encryption, lookup tables, and measures to prevent unauthorized re-identification. While it provides only a high-level overview in its 46 pages, it points to the range of possibilities. Modern AI tools offer far more capabilities than the traditional methods of two decades ago.

• International Transfers: Pseudonymisation can serve as a supplementary measure to ensure compliance in cross-border data flows, especially when dealing with countries lacking adequacy decisions that pose increased risks.

In Brazil, pseudonymisation also plays a central role under the LGPD, being highlighted as a key measure for security and risk mitigation. The 2025/2026 regulatory agenda of the ANPD, recently announced, prioritized the topic of anonymisation under Item 10.

See the agenda here:
ANPD Regulatory Agenda 2025/2026

While the concept of pseudonymisation may still create uncertainties for some businesses, it’s essential to understand that pseudonymised data remains personal data as long as it can be linked back to an individual. This critical point is emphasized by both the ANPD and the EDPB.

For example, when symmetric encryption is used on personal data, the encrypted data can still be reversed and linked back to an individual, enabling identification. This differs from anonymisation, where all references to an individual are permanently removed, making re-identification impossible.

The Strategic Importance of Pseudonymisation

By adopting measures like pseudonymisation, companies not only comply with regulations but also build trust with their customers and stakeholders, demonstrating a commitment to privacy and security.

Pseudonymisation is not just a legal requirement; it is a strategic tool that transforms how we handle personal data. It bridges the gap between innovation and compliance, enabling organizations to maximize the value of their data while safeguarding individuals' rights.

If your company seeks to align with global best practices, these guidelines are an excellent starting point.