On 18 May 2026, InDiCo-Global hosted a webinar marking a significant milestone: a decade since the adoption of the GDPR. The session – “GDPR and Anonymisation: From Legislation to Technical Solutions and Standards Definition” – brought together experts in consumer advocacy, legal practice, technical standardisation, and data consultancy to examine how anonymisation is understood and applied in practice, and whether current approaches are keeping pace with technological change. 

The discussion showed that anonymisation is not only a technical question. It sits at the heart of law, consumer protection, organisational responsibility, and standards development. While the GDPR remains deliberately technology-neutral, speakers highlighted that the lack of concrete guidance leaves both consumers and data controllers facing significant uncertainty.  

The webinar was welcomed and introduced by Francesco Panella, policy analyst and consultant at Martel Innovate, with Xavier Piednoir, InDiCo-Global’s project coordinator, framing the session’s core themes. Xavier noted that data protection is not an EU-only challenge but reflects EU values that InDiCo-Global seeks to embed in digital standards – and that digital issues do not recognise borders. 

A decade on: taking stock 

The session explored the historical relationship between the GDPR’s development and data anonymisation practices of the time – examining the extent to which legislation and technical innovation have evolved in step since. The answer, across perspectives, was mixed. The GDPR established a landmark framework, but its deliberately technology-neutral design left critical implementation questions unresolved, and both legal and technical standards have struggled to keep pace with the evolving data landscape. As Xavier observed, ten years on, the field is still working through those same foundational questions. 

The consumer perspective 

Chiara Manfredini, legal and policy officer at the European Consumer Organisation (BEUC), representing over 40 member groups, opened by underlining the power that sits within a single legal definition. The GDPR applies only when personal data is processed – meaning that without that classification, the protection of data granted by the Regulation does not apply. The definition of personal data is the starting point of all protection. 

The GDPR does not explicitly define anonymous data, leaving the boundary between anonymous and pseudonymous data to case-by-case assessment. The European Commission’s Digital Omnibus proposal of November 2025 attempted to bring clarity, but the European Data Protection Board and European Data Protection Supervisor (EDPB and EDPS) warned that the proposed changes would risk narrowing the concept of personal data. 

The controller perspective 

Dr. Magdalena Góralczyk, head of Data Protection at White Label Consultancy, brought the controller’s perspective to the table. Working primarily with large global organisations, she observed that companies and consumers are united by the same frustration: the boundary between personal and anonymous data remains contested – both legally and technically. 

The GDPR presents controllers with a binary system: either data is personal, and the full weight of the regulation applies, or it is anonymous, and the law does not apply at all. There is no middle ground, no intermediate framework, and no official guidance on what constitutes sufficient anonymisation. Controllers must make that determination themselves, daily, with serious legal consequences if they get it wrong. 

She outlined four categories of technical measures available: 

• Reducing direct identifiability: hashing, masking, tokenisation, and encryption – universally understood to produce pseudonymous rather than truly anonymous data. 
• Reducing indirect identifiability: addressing quasi-identifiers such as postcode combined with age, which can identify individuals within larger populations. 
• Privacy-preserving models: differential privacy and synthetic data generation, which enable analysis without exposing individuals – though recent research has shown that even synthetic datasets can be reverse-engineered to recover original data. 
• Organisational and architectural measures: contractual restrictions and encryption without decryption keys, which modify the data environment rather than the dataset itself. 

Best practice involves combining measures across all four categories, but stronger protection typically means reduced data utility. However, the absence of a legally recognised technical framework to define how data anonymisation should be performed, creates uncertainty for the controllers. 

The legal perspective 

Frederick Richter, director of the German Foundation for Data Protection, explored the legal landscape around anonymisation. Despite being central to how the GDPR works in practice, anonymisation is never explicitly defined or guided in the regulation itself, while pseudonymisation receives explicit treatment, and is discussed in the 2025 Guidelines on pseudonymisation by the EDPB. This means organisations that want to anonymise data responsibly currently have no legally certain rulebook to follow. The picture is further complicated by the arrival of the Data Act, which introduces overlaps with the GDPR.  

The most recent dedicated guidance on anonymisation, dating back to 2014, predates the GDPR, and while the EDPB has been working on an update, it is not available yet. Organisations therefore need to make their own judgment calls. 

Legal certainty: a shared interest 

One of the key take-home messages of the panel, is that clarity and legal certainty are a common interest for the key actors affected by data protection policies and legislation. In a clear regulatory framework, all actors can benefit – data controllers can ensure compliance and act responsibly, data subjects are aware of their rights, and enforcement authorities can have a clearer mandate to examine good and bad practices. 

There was also an important convergence across perspectives: the GDPR is not a prohibition on data processing, but a framework for doing it safely. Legal certainty is ultimately good for everyone – if companies can comply clearly and confidently, consumer trust follows. 

Looking ahead 

The webinar concluded with a key message: the primary challenge for consumer protection is not a lack of rules, but rather the need to ensure robust enforcement and provide updated practical guidance. Speakers called for closer collaboration between legal and technical communities. Updating the EDPB’s anonymisation guidance – on a European rather than national level – was identified as a priority. 

Missed the webinar? Watch the recording here.

Access the Presentations here:

• From Identifiable to Anonymous: How Technical Measures Reshape the Legal Status of Personal Data by Magdalena Góralczyk, White Label Consultancy
• Standards and legal perspectives on anonymisation by Frederick Richter, LL.M.