Today’s world is marked by the progress made towards the free flow of open data. This results in new challenges for data protection mechanisms, as using public datasets can lead to serious privacy breaches. To mitigate these risks, data can be anonymised. However, with the growing efficiency of re-identification attacks on anonymised data, non-personal data can be transformed into personal data. This leads to legal uncertainty for the researcher undertaking re-identification attacks. This paper tries to analyse the status of ill-anonymised data and the consequences of re-identification attacks, with regard to the GDPR. To answer these questions, we have analysed the GDPR and some national DPA’s opinions and guidelines. We have drafted recommendations on the pressing need for guidelines to provide researchers carrying out such attacks with some legal certainty.