Practical guide · GDPR
How to anonymise personal data under GDPR: 2026 practical guide
Anonymising personal data sounds simple until a document full of names, ID numbers, addresses and licence plates lands on your desk and needs to be published or shared. The General Data Protection Regulation (GDPR) requires that such information cannot identify anyone, even when combined with other sources. This guide covers what proper anonymisation means in 2026, how it differs from pseudonymisation, which techniques exist and how to apply them step by step.
What the GDPR says about anonymisation
The GDPR (EU Regulation 2016/679) treats as personal data any information about an identified or identifiable natural person. If data is truly anonymised, it stops being personal data and falls outside the regulation (Recital 26). The catch is "truly": anonymisation must be irreversible. If someone can re-identify the person with reasonable effort — by cross-referencing public sources, for example — that is not anonymisation, it is pseudonymisation.
Anonymisation vs. pseudonymisation
- Pseudonymisation: the identifier is replaced with a code or token. It can be reversed with the key. Still personal data, still under the GDPR.
- Anonymisation: the information is removed or transformed so that no one can be re-identified, even by combining datasets. No longer personal data.
Many projects believe they are anonymising when in fact they are pseudonymising. It is a classic mistake and one of the most common reasons for GDPR fines.
The three risks anonymisation must eliminate
- Singling out: being able to isolate records that belong to a single person.
- Linkability: being able to link two records to the same individual.
- Inference: being able to deduce with high probability the value of an attribute.
If your technique does not eliminate all three, it is not full anonymisation.
Most common anonymisation techniques
1. Suppression (redaction)
Removing the data outright: names, ID numbers, addresses, licence plates, IBAN. This is the standard for court rulings, administrative decisions and case files. It must be applied to the actual PDF content, not by drawing a black rectangle on top.
2. Generalisation
Reducing precision: replace age 37 with the range "30–40", or postcode SW1A 1AA with "London".
3. Aggregation
Publishing only totals or averages for groups large enough that no one can be identified.
4. Perturbation and noise
Adding random variation to numeric values to prevent re-identification while preserving overall patterns.
5. K-anonymity, l-diversity and t-closeness
Formal models: every combination of quasi-identifiers must occur at least k times, with enough diversity and without bias.
Step-by-step checklist to anonymise a document
- Inventory the personal data: direct identifiers and quasi-identifiers.
- Decide the purpose: transparency portal, open data, model training…
- Choose the right technique: suppression for legal documents, k-anonymity for datasets.
- Apply it to the actual content, not just visually. In PDFs, delete the text layer.
- Assess the re-identification risk using public sources.
- Document the process: fields, techniques, criteria, who and when (Art. 5(2) GDPR).
- Review periodically: what is anonymous today may not be tomorrow.
Common mistakes
- Covering with black rectangles without deleting the underlying text layer.
- Leaving document metadata (author, path, revision history).
- Anonymising the name but leaving ID number, plate or exact address.
- Publishing a dataset with postcode + date of birth + sex (identifies >80 % of the population).
- Confusing pseudonymisation with anonymisation in the record of processing activities.
Automating anonymisation with AI
Doing all this by hand across hundreds of files is not feasible. Tools like anonimIA use entity recognition models to automatically detect and remove names, ID numbers, addresses, plates and IBAN directly on the PDF text layer, preserving the layout and producing an auditable log.
Conclusion
Real anonymisation is not scribbling out: it is transforming the document so that no identifiable person survives the process. Pick the right technique, assess the risk against today's data sources, and document every step.
Do you anonymise documents daily?
Stop redacting by hand. Automate it with anonimIA.
Upload your PDFs and get GDPR-compliant anonymised documents in seconds.
Try it free