Anonymization unfortunately is completely broken under GDPR. In principle it providesa clean path for personal data to become usable outside of the restrictions of GDPR, but in practice it turns out to be impossible based on current definitions.

The key issue is that anonymization under GDPR requires that a link to a real person can never be re-established even considering the person doing the anonymization. Consider a clincial study on 100 patients and their some diagnostic parameter such as creatinine or H1bc which was legally collected using consent and everything. Lets assume we would like to share only the 100 values of the diagnostic without any personal data. It would seem quite anonymous, but GDPR would put a simple test if anybody using reasonable efforts could re-establish an identity. And sure the original researcher can because s/he has a master file containing the mapping. So the data isn't anonymous and actually can never be anonymous.