That will be task for auditors. visually you cannot even distinguish hash from token (as long as you don’t disclose hashing algorithm). So I’m not about pretending being compliant with gdpr, but about being compliant with gdpr 
1 Like