Why companies need pseudonymisation and data masking for GDPR compliance

The introduction of the EU’s General Data Protection Regulation (GDPR) places strict controls on businesses that collect, use, and share data from European citizens.

Companies – EU-based or otherwise – face new requirements that compel them to rethink their approaches to customer privacy and implement new protections. In fact, a new term ‘pseudonymisation’ has been introduced to recognise and encourage the protection that can be afforded to personal data through the use of measures like data masking technologies.

Pseudonymisation is an umbrella term for approaches like data masking that aim to protect confidential information that directly or indirectly reveals an individual’s identity.

The GDPR punishes businesses that fail to protect personal data in keeping with its requirements, and encourages the use of pseudonymisation technologies, as a part of its security requirements. The fine for non-compliance can be harsh, as much as 4% of global turnover, enough to jeopardise ongoing European operations for any business selling in the EU.

How does pseudonymisation help businesses to comply with the GDPR?

The GDPR contains an express legal definition of ‘pseudonymisation’, describing it as: 'the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.'

> See also: If you're still not prepared, don't panic: here's a GDPR 101

Put more simply, the GDPR explains that pseudonymised data is data held in a format that does not directly identify a specific individual without the use of additional information, such as separately stored mapping tables.

For example, 'User ABC12345' rather than 'James Smith' – to identify 'James Smith' from 'User ABC12345', there would need to be a mapping table that maps user IDs to user names.

Where any such matching information exists, it must be kept separately and subject to controls that prevent if from being combined with the pseudonymised data for identification purposes. Data masking and hashing are examples of pseudonymisation technologies.

Pseydonymisation and data masking technology

Data masking essentially means the ability to replace a company's sensitive data with a non-sensitive, 'masked' equivalent while maintaining the quality and consistency needed to ensure that the masked data is still valuable to operational analysts or software developers.

Although vendors such as Delphix have provided this technology for some time, the GDPR, which becomes law in 2018, dramatically elevates its relevance and importance.

Data masking represents the de facto standard for achieving pseudonymisation, especially in so-called non-production data environments used for software development, testing, training, and analytics. By replacing sensitive data with fictitious yet realistic data, masking solutions neutralise data risk while preserving the value of the data for non-production use.

Alternative approaches such as encryption fail across key dimensions. Chief among these is its vulnerability to identity breach, insider threats, or other scenarios in which actors obtain decryption keys: anyone with the right decryption keys can walk past encryption defences and gain access to sensitive data.

In contrast, data masking irreversibly transforms sensitive data to eliminate risk from insider and outsider threats alike.

EU GDPR requires a data-first approach

While data masking provides organisations with a tool that fits key challenges emerging from the GDPR, businesses must apply it with a “data first” approach that involves greater awareness of how data changes and moves over time, and how to better control it.

Specifically, businesses will be most effective in achieving pseudonymisation through masking if they address the following questions:

Where is your data?

Enterprises create many copies of their production environment for software development, testing, backup, and reporting. These environments can account for up to 90% of all data stored and are often spread out across multiple repositories and sites.

> See also: Why the GDPR means a drastic change for identity governance

Businesses that understand where their data resides – including sensitive data located in sprawling non-production environments – will be better equipped to allocate protective measures.

How do you govern your data?

Very few organisations have a Chief Data Officer or Chief Privacy Officer. Even those that do may not have adequate control over how data is moved and manipulated because individual business units – each with their own administrators, IT architects, and developers – often define data-related processes at the project level, with little or no corporate policy enforced or even available.

Businesses addressing the GDPR must take steps to regain data governance and introduce tools that drive greater visibility and standardisation into processes such as data masking.

Sourced from Jes Breslaw, EMEA director of strategy, Delphix

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...