SAP Commissions – PII Data/Field Masking
Protecting Personal Identifiable Information
What is PII?
Personally Identifiable Information (PII), is any data that can be used used to identify an individual such as names, Birthdate, driver’s license number, SSNs, bank account numbers, passport numbers, email addresses, and more
“Encryption is the process of converting data to an unrecognizable or “encrypted” form. It is commonly used to protect sensitive information
I would guess there are multiple definitions and not the one and only! I would not say that encryption is wrong in this context, but “data anonymization” would be the better wording here.
PII Example :
Let’s start data anonymization for PII fields
TAXID & SALARY fields are PII. Customer can mask their field value through UPDATE SQL Statement as shown below ENCRYPTED_TAXID
- Must have Database privileges for UPDATE Statements or
- Share your tested SQL script to Contact Technical Service Team for masking the field.
Additional references :
Dear Yogananda Muthaiah thanks for your efforts regarding PII masking in SAP Comissions. Please let me correct you. Your proposed concept is data obfuscation which in a best scenario yields to pseudonymization but not anonymization. But pseudonymization does not work this way on the actual attributes in your example. In fact the obfuscation can reverse engineered easily by everybody who can insert tax ids into the system, even without knowing the obfuscation string or the actual implementation.
What you actually want to do is data masking. When applying data masking no information or only a group but not individual identifiable part of the information is presented to the user. For example only the two first and last digits of the tax id and anything else masked for example by the asteriks ‘*’ symbol.
To all SAP Commissions customer: I advise to not consider this an appropriate solution for GDPR compliant PII anonymization.
Hi Marco Hammel
Thanks for reading!
In my above article, it’s described for PII Masking Example for fields to make scrubbing in the database, so once its masked customer or entities cannot see the original value of the PII fields.
Yes, you’re right, in case of a credit card or account number field value, the customer can scrub those (***) or ( –ABC–) to mask the field value.
Also once the field is updated, it cannot be reversed or decrypt the field attributes.
“Pseudonymisation is not the same as anonymization.”
In general, GDPR Anonymization Process is bigger in terms of the subject to Data Protection but it’s just an additional reference been pointed out.
Let me know your thoughts...