email security hash privacy

I'm trying to find a way to identify deleted user accounts from my system based on their email address without violating GDPR / privacy


My business recruits people for focus groups and one of our main selling points is that we ensure that recruits don't see the same researcher more than once.

Often we will be given customer lists from our clients where a condition of the job is that we delete the user records at the end of the project. Whilst we are able to keep the associated data that ties them to a project (for business stats etc.) we need to remove identifying & contact information -> Email address and phone numbers being how we identify a specific person's account.

My issue is: What can I do to ensure that, if these deleted users show up in my system again, I can identify their association with old projects / focus groups, so that we can prevent these deleted users from signing up again and being placed in a focus group with a researcher they have already seen.

My first thought was, upon "deletion", to hash their email address and remove the plaintext address, and check this hashed address against new accounts, to link their old db associations with this new account.

I am fairly new to security / privacy concepts, so I'm not sure whether this would be secure, or if being able to identify the link to the old account is a violation of privacy.


Solution

  • You're on the right track here. Hashing the email address or phone number means that you've effectively put that data "beyond use". So long as you delete all the other data relating to it, it does not represent "personal data" in the GDPR sense.

    Also consider the basis for processing – if you are legally obliged (either by statute or by the original contract with your users) to implement this suppression mechanism, then you would be permitted to do so even if it was personal data.

    Note this email marketing industry body that recommends and promotes hash-based suppression lists, and this site suggesting the same.
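
A sketch of the suppression list discussed above, as an added example that is not code from the question or the answer. It stores an HMAC-SHA-256 of the normalised address under a server-side key instead of a bare hash, which is this example's own choice (email addresses are guessable, so an unkeyed hash can be matched against candidate addresses); `DEMO_KEY`, `SuppressionList` and the project ids are hypothetical names and constructed values.

```python
import hashlib
import hmac
import unicodedata

# Assumption: the real key lives outside the database (e.g. a secrets manager).
# This value is constructed for the demo only.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def normalise_email(address: str) -> str:
    """Canonicalise so the same mailbox always yields the same token."""
    address = unicodedata.normalize("NFKC", address).strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    # Lower-casing the local part is a policy choice: most providers treat
    # it case-insensitively, although the RFC does not require that.
    return f"{local.lower()}@{domain.lower()}"


def suppression_token(address: str, key: bytes = DEMO_KEY) -> str:
    """Keyed hash of the normalised address; the only value that is stored."""
    msg = normalise_email(address).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SuppressionList:
    """Maps tokens of deleted accounts to the project ids they took part in."""

    def __init__(self, key: bytes = DEMO_KEY):
        self._key = key
        self._projects = {}  # token -> set of project ids

    def delete_account(self, address: str, project_ids: set) -> None:
        """Call at deletion time, before the plaintext address is erased."""
        token = suppression_token(address, self._key)
        self._projects.setdefault(token, set()).update(project_ids)

    def prior_projects(self, address: str) -> set:
        """Project ids linked to a signing-up address; empty if never seen."""
        token = suppression_token(address, self._key)
        return set(self._projects.get(token, set()))
```

At sign-up, `prior_projects(new_address)` returns the old project associations to exclude; phone numbers would need their own normalisation step before hashing.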