What is pseudonymisation (and why is it NOT anonymisation)?

Pseudonymisation (GDPR Art. 4(5)): personal data is processed such that it can no longer be attributed to a specific data subject without the use of additional information (the key). The key is stored separately, with technical + organisational measures against linking. Important: pseudonymisation = still personal data = full GDPR applies. Comparison: customer number "K-9842" in databases + separate table saying "K-9842 = Jan Jansen" = pseudonym. On its own K-9842 not identifiable, but with key yes. Anonymisation = complete + irreversible removal of re-identification. GDPR does NOT apply. But real anonymisation is hard — recent research shows even "anonymised" datasets are often re-identifiable via combinations (Sweeney 2002 showed 87% identifiability with combination of postal code + DoB + gender). Why still pseudonymise? GDPR favours pseudonymisation (Art. 25 + 32): fewer basis requirements for further processing, lower fine risks on breach (encryption/pseudonymisation can exempt Art. 34 individual notification). What must be done? Limit access to key, audit logging, strong encryption, limited key holders, deletion at contract end.