User Pseudonymisation
Pseudonymisation is a data protection feature that helps your organisation comply with GDPR by replacing personal information with artificial identifiers. This ensures user privacy whilst retaining valuable data for reporting and analytics.
This article explains how pseudonymisation works, how to configure it, and what happens to user data when it's applied.
Overview
Pseudonymisation safeguards personal information by replacing identifiable details with generic placeholders. For example, instead of storing "Jane Smith" and "jane.smith@company.com", the system stores "User123" and a placeholder email address.
This feature helps your organisation:
Protect User Privacy — Align with GDPR by removing personally identifiable information after users are no longer active
Maintain Analytics — Continue using pseudonymised data for aggregate reporting and decision-making
Automate Compliance — Set it and forget it with configurable automatic pseudonymisation
⚠️ Warning: Pseudonymisation is irreversible. Once applied, a user's personal data cannot be restored. Review your configuration carefully before proceeding.
Functionality Breakdown
What Gets Pseudonymised
Data Type | What Happens |
|---|---|
First Name | Replaced with generic identifier |
Last Name | Replaced with generic identifier |
Replaced with placeholder email | |
Bio | Removed |
Job Title | Removed |
Profile Picture | Removed |
Custom Fields | Not affected (can be used for re-linking) |
1-to-1s | Optionally deleted (configurable) |
Automation Options
Automatic pseudonymisation — Deactivated users are pseudonymised after a configurable delay (1–7 years)
Manual pseudonymisation — Owners can pseudonymise any user immediately via the user interface
Delay Period Limits
Limit | Reason |
|---|---|
1 year minimum | Accounts for scenarios like parental leave, preventing accidental pseudonymisation of users who may return |
7 years maximum | Aligns with GDPR's principle of limiting data retention to what is necessary |
Pre-requisites
Role Requirements
Action | Required Role |
|---|---|
Configure automatic pseudonymisation | Owner |
Manually pseudonymise a user | Owner |
View pseudonymisation settings | Owner |
💡 Tip: This feature is restricted to Owners only due to its irreversible nature and GDPR implications.
Quick Start Guide
Configuring Automatic Pseudonymisation
Navigate to Settings from the sidebar.
Select Company settings.
Go to People > Data Protection.
Locate the Automated Pseudonymisation option.
Enable the setting and choose your delay period (1–7 years).
Optionally, tick Delete a user's 1-to-1s when they are pseudonymised if required.
Click Save to apply your changes.
⚠️ Warning: Consider your organisation's data retention policies carefully when setting the delay period.
Manually Pseudonymising a User
Navigate to People > Individuals from the sidebar.
Find the user you want to pseudonymise.
Click on the user to open their profile.
Select Anonymise User from the available actions.
Confirm the action when prompted.
⚠️ Warning: This action is immediate and irreversible. Double-check you have selected the correct user.
How It Works
Trigger: Pseudonymisation occurs either automatically (after deactivation date + delay period) or manually via the user interface.
Processing: Personal identifiers are replaced with generic placeholders.
Timestamp: A confirmation timestamp is recorded when the process completes.
Data Usability: Pseudonymised records remain available for aggregate reporting and analytics.
Example Timeline
1st January 2025: User is deactivated
Delay configured: 3 years
1st January 2028: User's data is automatically pseudonymised
Alternatively, an Owner can manually pseudonymise the user at any point before the automatic date.
FAQs
Q: Can I restore a pseudonymised user?
No, pseudonymisation is irreversible. Take care when configuring or manually applying pseudonymisation.
Q: Will pseudonymised data still be usable for analytics?
Yes. Pseudonymised data is stripped of personal identifiers but remains available for aggregate reporting and analytics.
Q: Why are the delay limits set between 1 and 7 years?
This range ensures compliance with GDPR and Learn Amp's policies, striking a balance between protecting user privacy and meeting organisational needs. The minimum delay of 1 year accounts for scenarios such as parental leave, where some organisations deactivate accounts temporarily. This helps prevent accidental pseudonymisation of users who may return within this timeframe.
Q: Can I manually pseudonymise a user before the automatic delay?
Yes, you can manually pseudonymise any user at any time via the user interface. This offers flexibility for immediate action.
Q: What records are impacted by pseudonymisation?
Anonymised: First Name, Last Name & Email. Removed: Bio, Job Title, Profile Picture. Optionally: 1-to-1s can be configured to be deleted when a user is pseudonymised (this includes removing 1-to-1 comments, answers, notes and action points, reviewer responses and comments etc).
Q: What if an employee returns, and we need to re-link their account to the pseudonymised data?
The pseudonymisation process does not alter data stored in custom fields. Therefore, if you use a non-personal identifier (e.g. payroll ID or HRIS ID) as a custom field, this can be used to re-link the pseudonymised user data upon the employee's return. It is important to ensure that this identifier cannot be used by Learn Amp to identify the user directly and does not qualify as personal data under GDPR. Always confirm that the identifier is unique to your organisation and does not, on its own, allow for re-identification by Learn Amp.
Q: If a user has added personal information to a 1-to-1 response, will this information be pseudonymised?
Any identifiable information added to 1-to-1 responses will not be automatically pseudonymised, unless the setting "Delete a user's 1-to-1s when they are pseudonymised" is enabled. If this setting is enabled, the related 1-to-1 records will be deleted, including all answers, notes, action points from both reviewee and reviewer etc.
Q: If I enable "Delete a user's 1-to-1s when they are pseudonymised", will I still be able to include these records in 1-to-1 reporting once the user is pseudonymised?
No. These 1-to-1 records will be completely deleted.
Q: If I enable "Delete a user's 1-to-1s when they are pseudonymised", will I still be able to see the reviewer's submission once the user is pseudonymised?
No. These 1-to-1 records will be deleted, including all the information submitted by the reviewer.
Q: What happens if I reactivate a pseudonymised user?
You can reactivate a pseudonymised user, but the fields impacted by the pseudonymisation will not automatically roll back to the original values. If you have retained a non-personal identifier (e.g. payroll ID or HRIS ID) in a custom field, an Admin could still manually edit the first name, last name, and email of the account to restore the original values.
Troubleshooting
Issue | Solution |
|---|---|
Can't find pseudonymisation settings | Ensure you have the Owner role. This feature is restricted to Owners only. |
User was pseudonymised accidentally | Unfortunately, pseudonymisation is irreversible. If you retained a non-personal identifier, you can manually re-enter user details after reactivation. |
Automatic pseudonymisation not triggering | Check that the feature is enabled and the delay period has passed since the user's deactivation date. |
1-to-1s not being deleted | Ensure the "Delete a user's 1-to-1s when they are pseudonymised" setting is enabled. |
Need to re-link a returning employee | Use a non-personal identifier stored in a custom field (e.g. HRIS ID) to identify the pseudonymised record, then manually update their details. |
Unsure what delay period to set | Consider your organisation's data retention policies, typical leave durations, and GDPR requirements. 3 years is a common middle-ground choice. |