On May 4, the second day of the DSAG-Technologietage 2022 in Düsseldorf, which was finally an attendance event again, our partner lecture with the title "Data anonymization in non-productive systems - The challenges of these projects" took place as well.
The fact that the topic of test data management with realistic, but not real data, is present in companies is outlined by the fact that about 70 interested people found their way into our lecture.
Because data nowadays occupies an increasingly central position within companies, its value for companies was first considered, because not only, but also via Big Data technologies it is possible to store and process huge amounts of data, which of course also contain a large proportion of personal data. It is well known, however, that the storage and processing of this special data is subject to strict legal regulations.
Per se, the storage of personal data is initially prohibited, but as always, exceptions are permitted. One such exception, as it is usually implemented today, is a purpose-related consent reserved for the implementation of a business relationship - for example, for the implementation of an order, the provision of a service or the sending of a newsletter.
Using personal data in test, QA or development systems is extremely critical. This applies not only to SAP systems, but also to all other systems . Even consent does not allow processing of such sensitive data in these systems, because consent is usually collected for a specific purpose; this does not automatically include test, QA and development systems.
The solution to escape this dilemma is to alienate data. The EU GDPR does not specify how data is to be protected, but it does mention possible procedures such as pseudonymization (Article 4 sentence 5 EU GDPR).
However, pseudonymization is only one form of anonymization. Another, special type is data masking. Both can be implemented with our solution Libelle DataMasking. In addition, there are other approaches, such as the encryption or even deletion of data.
And this is where the challenges in projects already become apparent. Because often the many people involved in a project have very different point of views on how the project should be implemented. It can happen that one group of participants values that, for example, only names should be alienated, but not the address data. Another group wants to be able to find their test cases even after anonymization. A third group demands uniqueness of the alienated data, such as business partners.
A certain pragmatism is indispensable for the project flow. Of course, there are stumbling blocks in every project, that is completely normal. But the project structure alone is important. Spread the responsibility for the project over as few shoulders as possible. That way, you can be sure that all information flows through that central person and interface.
Today, it can be surmised that personal data can be found in almost every system in an organization. This means that these systems in non-productive environments also come into focus for data anonymization. However, our experience shows that it makes more sense to first define the systems that are really relevant. An iterative approach is much more efficient. After all, a project is not finished when the final decision for a software, such as Libelle DataMasking, is made. Iterative validation of test systems, anonymized data, etc. is therefore mandatory for project success.
In addition, the data relevant for anonymization should be divided into profiles. Examples of such profiles are:
Read more about this in our blog post on "What is test data management (TDM) actually?" or do the Libelle Data Privacy Quick Check for your test data management. Would you like to learn more about data anonymization? Then feel free to visit our corresponding blog category.