Personal data processed so identification requires additional separately-held information, but remains reversible.
Pseudonymous data is personal data where direct identifiers have been replaced with artificial identifiers (pseudonyms), but the data can still be attributed to a specific individual using additional information held separately. Unlike anonymised data, pseudonymous data remains personal data under DPDPA because re-identification is possible. It is considered a security safeguard — reducing risk without eliminating DPDPA obligations.
Pseudonymisation reduces breach impact and demonstrates security safeguards to the Data Protection Board, but does not exempt you from DPDPA compliance. It is a risk mitigation tool, not a compliance shortcut.
A Kochi fintech replaces customer names with UUIDs in its analytics database but maintains a separate mapping table. This is pseudonymisation — the analytics database is still personal data because re-identification is possible via the mapping table.
Pseudonymisation is often confused with anonymisation. Unlike true anonymisation, pseudonymised data is still personal data under DPDPA and all obligations continue to apply.
DPDPA Shield automates Data Inventory & RoPA. See how →