Data masking (or suppression) for GDPR
To understand data masking, it helps to start with a quick overview of pseudonymisation, since data masking represents the "de facto standard" of pseudonymisation. Pseudonymisation is a technique that swaps sensitive fields of a data record with pseudonyms in order to reduce the risk of a data subject (person) being identified.
Data masking is popular for many applications, especially in non-production environments, like those used to develop and test software, train staff/systems or analyze information. Data masking solutions work similarly to pseudonymisation. They replace the sensitive data in a record with fictitious yet realistic data, which neutralizes the data and minimizes the risk of the original subject being identified. However, at the same time, this method is able to preserve the data's value for non-production use.
Data masking is often used when alternative techniques, like encryption, simply would not be successful. With encryption, for instance, anyone with the right keys will be able to gain access to sensitive data. With data masking, the data is irreversibly transformed into non-sensitive data.
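The following added example (not from the original article) shows this kind of masking on a copy of production rows: sensitive fields are replaced with fictitious but realistic values, and no key or lookup table is kept that could reverse them. The `Masker` class, the field rules, the value pools and the sample rows are all constructed for illustration. The example goes one step beyond the text by using a random per-run key so that the same input masks to the same output across tables.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed pools of fictitious values (assumption, not from the article).
FIRST = ["Alex", "Dana", "Robin", "Sam", "Jamie", "Morgan"]
LAST = ["Novak", "Keller", "Marsh", "Olsen", "Price", "Quinn"]

class Masker:
    """Replaces sensitive fields with fictitious but realistic values."""

    def __init__(self):
        # Random per-run key that is never stored: once this object is gone,
        # there is no key or lookup table that maps masked values back.
        self._key = secrets.token_bytes(32)

    def _digest(self, kind, value):
        return hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).digest()

    def name(self, value):
        d = self._digest("name", value)
        return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

    def email(self, value):
        n = int.from_bytes(self._digest("email", value.lower())[:4], "big")
        return f"user{n % 10**6:06d}@example.com"

    def digits(self, value):
        # Swap each digit, keep separators, so format checks in test code still pass.
        stream = itertools.cycle(self._digest("digits", value))
        return "".join(str(next(stream) % 10) if c.isdigit() else c for c in value)

    def record(self, rec, rules):
        # rules maps field name -> masking method; other fields pass through.
        return {k: getattr(self, rules[k])(v) if k in rules else v for k, v in rec.items()}

# Constructed sample rows standing in for a production copy.
CUSTOMERS = [{"id": 1, "name": "Jana Dvorak", "email": "jana.dvorak@corp.test",
              "phone": "+420 601 234 567", "plan": "gold"}]
ORDERS = [{"order": 9001, "email": "Jana.Dvorak@corp.test", "total": 129.5}]

def mask_tables():
    m = Masker()
    rules = {"name": "name", "email": "email", "phone": "digits"}
    return ([m.record(r, rules) for r in CUSTOMERS],
            [m.record(r, rules) for r in ORDERS])

if __name__ == "__main__":
    print(mask_tables())
```

Because the masked e-mail is identical in both tables, joins in a test database still work, while non-sensitive fields such as `plan` and `total` keep their value for non-production use.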
This method, like pseudonymisation, requires a "data first" approach in order to produce good results. Organizations are facing more and more challenges as they begin trying to become compliant with the GDPR. With a data first approach, they'll be able to develop a greater awareness of how their data is changing and moving with time, and how they can better control it.
With the GDPR, many organizations are also gaining new insight into just how much information they have at their disposal and how they can be utilizing it to improve their business. However, they must also be protecting that data. When it comes to achieving pseudonymisation with data masking, organizations will be most effective if they address key questions, like the what, where, and why.
Figuring out what data your organization has and where it is stored is important for data masking. Most organizations create multiple copies of production environments for development, testing, backup, and reporting. In fact, such environments can account for up to 90% of an organization's stored data, and that data can be spread across many different sites. Locating your data and identifying what needs to be kept and protected, and what can be disposed of, is the first step.
The next step is figuring out how your organization delivers data. This is important since many existing approaches are resource-intensive and involve slow coordination amongst multiple staff members. Adding pseudonymisation into the mix will only make cumbersome data delivery even more of a burden. This is what leads most organizations to abandon the work it takes to implement data masking. You'll want to streamline your data delivery if you are planning on using data masking.
For most organizations, the GDPR has created an imperative to evaluate and update their data storage and management methods. More critically, it is also ushering in a wave of IT innovation so that organizations can ensure compliance and data privacy and reduce the risk of data leaks at the same time, all while accelerating their business's critical initiatives.
Data masking technology has been around for a very long time, which begs the question: Why are so many companies failing to use it or choosing not to? The reasoning is actually very simple. Traditionally, these methods have been highly manual and complex to deal with. However, the GDPR, now on the horizon, is encouraging new approaches that will make data masking and similar methods easier to implement.
Many platforms have already launched that aim to make data management and storage a more secure and streamlined process. In the coming years, these platforms are expected to flourish as more organizations begin switching to them for reasons that go far beyond lawful GDPR compliance.