You should probably look into pseudononymization in your case, not actual anonymization. Look into C‑413/23 P in more detail to see if it's applicable in your situation, it's essentially the first case law around it. You probably do need some extra controls (like contract that the data is not shared) just in case to avoid the data coming in hands of someone else who could identify the people depending on how detailed the data is.