Data Masking & The GDPR: How will your business be affected?

As the new EU General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018, it introduces substantial changes in data capture, storage, and processing, with a particular emphasis on data masking techniques.

New comprehensive legislation will govern the way businesses must handle and protect personal data, with a specific focus on the privacy and rights of individuals. As such, one of the key areas of focus for the GDPR is data masking, and the new umbrella term – pseudonymisation.

The good news is that if you already have data masking procedures in place, the GDPR could be beneficial. But, if you haven’t thought about masking data before, you’ll need to focus on it now.

Data masking and its uses

Data masking is typically defined as the process by which sensitive, classified or personal data is removed or hidden, and replaced by equivalent random characters, dummy information or fake data.

This ensures that a data set remains intact, but without the sensitive, identifying information that shouldn’t be used or seen by other parties. As such, this process can be used by software developers for building and testing purposes in non-production environments, or by operational analysts who are exploring and experimenting with different data types.

Data masking is also implemented in organisations where different members of staff have different levels of security clearance, so, for example, customer service agents may not be able to see the physical payment details of clients when discussing an account. By hiding sensitive data, a company is less susceptible to data breaches.

In other words, data masking has the potential to protect an individual’s data and privacy, which is the overarching purpose of the GDPR.

Pseudonymisation: the core focus for data under the GDPR

Under the new EU General Data Protection Regulation (GDPR), a new term is introduced to encapsulate procedures like data masking, encryption and hashing that all aim to secure and protect personal information. This umbrella term is referred to as pseudonymisation.

Article 4 defines pseudonymisation as:

“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”

In practice, this means encrypting or masking data so that on its own, without an encryption key or mapping table, the data could not be used to identify an individual. It would remove any direct identifiers, and should ideally prevent indirect identifiers from being combined and used.

This separate identifying data – like an encryption key – should be kept in a separate location and subject to tight security controls.
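The separation described above can be shown in a few lines of Python. This is an added example, not code from the article: the field names, the use of HMAC-SHA256 as the keyed function and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email")  # assumed field names


def mask_card(pan: str) -> str:
    """Hide all but the last four digits of a card number."""
    digits = [c for c in pan if c.isdigit()]
    if len(digits) <= 4:  # too short to reveal anything safely
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def pseudonymise(records, key: bytes):
    """Return (working data set, mapping table); the two are stored apart."""
    working, mapping = [], {}
    for rec in records:
        # Keyed hash: the same person always gets the same token, but the
        # token cannot be recomputed or reversed without the key.
        ident = "|".join(rec[f].strip().lower() for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        mapping.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject"] = token
        row["card"] = mask_card(rec["card"])
        working.append(row)
    return working, mapping


def reidentify(row, mapping):
    """Attribution back to a person needs the separately held mapping table."""
    return mapping.get(row["subject"])


# Constructed sample records, not real data.
SAMPLE = [
    {"name": "Aoife Byrne", "email": "aoife@example.com",
     "card": "4111 1111 1111 1111", "plan": "gold"},
    {"name": "Liam Walsh", "email": "liam@example.com",
     "card": "5500 0000 0000 0004", "plan": "basic"},
    {"name": "Aoife Byrne", "email": "AOIFE@example.com",
     "card": "4111 1111 1111 1111", "plan": "gold"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept in a separate, tightly controlled store
    working, mapping = pseudonymise(SAMPLE, key)
    for row in working:
        print(row)                 # what developers or analysts would see
    print(reidentify(working[0], mapping))  # only with the mapping table
```

The working rows can still be joined and counted per subject, while the names and e-mail addresses exist only in the mapping table.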

Pseudonymised data vs. anonymous data

Although pseudonymisation removes any direct identifiers, that information still exists, albeit in a separate, secure form. If it were to fall into the wrong hands, it could be used to revert the data to an identifiable form, which could then be acted upon in an inappropriate way.

Therefore, pseudonymised data is still classified as personal data, and cannot be considered anonymous. It’s important to make this distinction, because anonymous data is not subject to the GDPR controls and restrictions, whereas pseudonymised data is.

If the data can be re-identified with reasonable effort, it cannot be regarded as anonymous, despite data masking being used. However, if you were to mask data and then delete the original data set and its identifying information, it would be almost impossible to identify an individual and would thus be classed as anonymous.

The benefits to businesses

Although pseudonymised data is still subject to data protection regulation, it is afforded a new distinct status under the GDPR, which could be beneficial to many businesses.

The current EU Directive on data protection does not recognise any distinction between regular personal data and pseudonymised data. Any kind of data masking is treated the same as raw personal data, and subject to the same, full weight of the law. As such, there is no incentive or regulatory benefit to putting in the extra effort and cost to protect data by masking, hashing or encryption.

The GDPR changes that. It specifically promotes the value and importance of pseudonymisation throughout its articles, encouraging companies to adopt such security measures as soon as possible.

The legislation specifically states:

“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”

Under Article 32 ‘Security of processing’, the GDPR describes how businesses should ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. The first example of these security measures it includes is pseudonymisation.

It’s clear that this is a central focus of the new law, so how could pseudonymisation be beneficial to a company?

  • The reduction of data breach notification requirements

There are strict new protocols on reporting data breaches under Articles 33 and 34 of the GDPR. If such a breach occurs, companies are responsible for reporting it to both the supervisory authority (within 72 hours) and to all of the individuals who could be affected (without undue delay).

This could be a big burden for businesses, on top of the damage done by a breach in the first place. Along with the financial costs to re-secure data, the requirement to notify individuals could bring about additional reputational damage and associated legal costs.

However, notification to individuals is only required if the breach is “likely to result in a high risk to the rights and freedoms of natural persons.” Article 34 goes on to state that it is not necessary if appropriate protection measures were in place on the personal data, such as encryption.

So by implementing data masking and pseudonymisation, businesses can mitigate the need to notify customers should any breach of data occur, and thus protect their reputation.

  • An easing of data disclosure obligations

As the GDPR places more emphasis on the rights of the individual, much of the law is focused on the ability of a person to request information about what data a company holds on them. This is known as the ‘right of access’, and has the potential to be another large burden for businesses.

However, early interpretations of the GDPR suggest that data disclosure rules are greatly relaxed for pseudonymised data because it is too difficult for a business to identify a single individual.

A business is exempt from data disclosure obligations, including rights to access, rectification, erasure and data portability, if “the controller is able to demonstrate that it is not in a position to identify the data subject”. So, data masking can save a business from a lot of effort and expense.

  • Further use of data beyond its original purpose

Another core feature of the GDPR is the requirement that data is collected only for specific purposes that are clearly explained. The law states that data must not be used in any other way than that which it was originally collected for.

However, if the data has been pseudonymised, there is more leeway for it to be processed in other, additional ways. Article 6 states that several factors should be met for further processing, including “the existence of appropriate safeguards, which may include encryption or pseudonymisation”.

If a business wanted to process personal data for scientific, historical and statistical purposes, the GDPR also requires appropriate safeguards be in place – i.e. pseudonymisation.

  • Additional data profiling options

One final benefit to businesses who implement data masking or other such pseudonymisation is that data profiling should still be possible, without running afoul of the law.

The GDPR makes broad statements about the use of profiling, and goes on to explain that businesses should not make ‘decisions’ about an individual that have a ‘legal effect’ – based on such automated processes – unless a number of legal criteria are met, including the explicit consent of the individual.

This has the potential to have ramifications for analytics and digital advertising. Although the law is somewhat ambiguous, pseudonymised data is likely to reduce any kind of ‘legal effect’ on an individual, and so profiling for analytical purposes should still be permitted.

Data masking and GDPR compliance

The General Data Protection Regulation as a whole takes a ‘carrot and stick’ approach. On the one hand, those businesses who put such ‘appropriate safeguards’ in place will be looked upon favourably. They will have certain requirements relaxed, have more flexibility with their processing, and could be protected from heavy fines if they have the necessary technical and organisational structures in operation. That’s the carrot.

On the other hand, the GDPR provides both regulatory bodies and individuals with additional powers to make data requests and legal claims against those companies which process their data. They have much more clout under the law to act against non-compliant businesses, thus further incentivising companies to protect personal data with procedures such as masking – for both production and non-production.

But the real stick is the heavy fines that can be imposed upon companies who break the law, are subject to data breaches, and do not have any kind of pseudonymisation in place. Those who do not have adequate protection and security could be subject to fines as high as 4% of global turnover. Compliance is, therefore, an absolute must and something which all departments need to understand.

If you don’t have any data masking or pseudonymisation procedures in place right now, it is highly likely that you will need to invest in them for when the GDPR takes full effect in 2018.

Need help getting your business ready for the GDPR? Find all the information you need in our resources collection.

First published November 2016
