As the current EU data protection directive was introduced some twenty years ago an overhaul is long overdue and now we’ve learned that the EU data protection reform is expected by the end of the year.
With over 4,000 amendments put forward, the final picture of how it will impact on data management is less than clear but one area that organizations will have to address is the use of production data for development, testing, QA and even training. It’s not uncommon for copies of production data to be stored and distributed yet it may not be possible when new regulations come into play.
Personally identifiable information should not be transferred into non-production environments. The temptation to do so has come about because production data is ‘referentially intact’ i.e. it will perform as live data does.
Data masking is an obvious step but back in 2012 in the UK, the Information Commissioner’s Office warned that: “...the concept of ‘identify’ – and therefore of ‘anonymise’ - is not straightforward because individuals can be identified in a number of different ways...In reality it can be difficult to determine whether data has been anonymised or is still personal data.”
With non-compliance fines proposed at up to 5% of annual worldwide turnover or €100m, organizations may now look to eliminate risk. Synthetic test data may have the edge over data masking techniques as it models existing data and generates dummy data that is referentially intact but with no sensitive content.