Anonymisation is not carte blanche to "go crazy". We need to be very clear what "anonymous" means in a GDPR regime. If there is a 1:1 mapping of cleartext data to masked data it is not anonymised. GDPR identifies this data as pseudo-anonymised and instructs it must be handled as fully fledged PII, due to the proven ease of reconstructing an identity from metadata.
Pre-aggregated, randomised or truncated data is anonymous. Hashed or encrypted data is not. It is pseudo-anomymised only. Pseudo-anonymisation can serve as a an element of defence in depth to support a legitimate purpose justification, but it does not absolve you of responsibilities.
Biting the hand that feeds IT
