DAT-016 Data Masking and Pseudonymisation
Description
Sensitive and personal data is masked, pseudonymised or tokenised in non-production environments, analytics workloads, support tooling and logs where exposure of real data is not required. Masking rules are defined per data classification. Re-identification controls prevent linking pseudonymised data back to individuals without authorisation.
Rationale
Copying production personal data into development, staging or test environments expands the attack surface (more systems, more people with access, weaker controls) for no business benefit, since a masked or synthetic dataset of the same shape serves the purpose equally well. Pseudonymising data that must remain in production reduces the impact of a breach; GDPR Article 32(1)(a) names pseudonymisation explicitly as an appropriate technical measure. Note that pseudonymised data is still personal data under GDPR (Recital 26) as long as the key or lookup table exists, so it remains in scope of the regulation; only properly anonymised or synthetic data falls outside it.
Framework Mappings (4)
| Framework control | Title | Coverage |
| DSP-15 | Limitation of Production Data Use | full |
| DSP-17 | Sensitive Data Protection | partial |
| GDPR-Art.32.1 | Technical and Organisational Security Measures | partial |
| 8.11 | Data masking | full |
Evidence (2)
Non-production environment configuration or data masking tool settings confirming that production personal data is masked, pseudonymised or replaced with synthetic data.
Example: Data masking configuration export from Delphix or from custom masking scripts, showing the transformation rules applied to personally identifiable fields (name, email, phone, national ID) when copying data to staging or dev environments, with sample before/after records (values redacted). Discovery tooling such as Amazon Macie can supply the inventory of PII fields that must be covered, but it classifies data rather than masking it, so its findings are evidence of coverage, not of masking.
Test: Review the non-production data configuration. Verify: (1) a masking or synthetic data process runs before any production data is copied to non-production, and no other path (database restores, ad hoc exports) delivers unmasked data; (2) masking rules cover every PII field identified in the data classification (at minimum: name, email, phone, date of birth, national IDs) and the process fails closed on any field it has no rule for; (3) pseudonymised fields cannot be re-identified without a key or token vault that is stored and access-controlled separately from the masked data set, and an unkeyed hash of a low-entropy value such as an email address is not accepted as pseudonymisation, since it is reversed by hashing a list of known addresses; (4) the process is documented and tested, with before/after samples reviewed for residual PII.
Non-production data handling policy prohibiting use of real personal data in development, staging or test environments without documented exemption and masking controls.
Example: Non-Production Data Policy (Confluence), approved by DPO and CISO, defining: prohibition on real PII in non-prod, approved masking methods, exemption process (risk assessment + DPO approval), and audit obligations for any exempted use
Test: Request the non-production data handling policy. Verify: (1) it explicitly prohibits use of unmasked production personal data in non-production environments, (2) it defines an exception process requiring a risk assessment and DPO approval, (3) it specifies the approved masking techniques, (4) it was approved or reviewed within the last 24 months.
Questions (2)
Is sensitive and personal data masked, pseudonymised or replaced with synthetic data in non-production environments (development, staging, test) and in analytics, support tooling and logs?
Production personal data must not appear unmasked in non-production environments or in internal tooling unless there is a documented and DPO-approved exception with appropriate compensating controls.
What approach is used to protect personal data in non-production environments?
Automated masking or exclusive use of synthetic data are the strongest controls. Manual masking without automated enforcement is unreliable. Using production data in non-production environments with access-only controls is not an acceptable substitute for masking.
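The automated masking step that the description and the evidence tests above call for, as an added illustrative example (not tooling from this page or from any vendor): per-field rules driven by an assumed classification map, a keyed pseudonym for the email address so that joins still work in the masked data set but re-identification needs a separately held key, a random token with a separately held vault for the national ID, year-only generalisation of the date of birth, redaction of free text, a fail-closed check for unclassified fields, and a before/after leak check. The sample record, field names, rule names and the in-memory key and vault are all constructed for this example; in a real pipeline the key and vault live in a secret store that the non-production environment cannot read.

```python
"""Per-field masking of one production record before it is copied to a
non-production environment. Field names, rule names and the sample record
are assumptions made for this example; the in-memory key and token vault
stand in for whatever secret store the organisation actually uses."""
import hashlib
import hmac
import json
import secrets

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "customer_id": 10042,
    "full_name": "Ada Lovelace",
    "email": "Ada.Lovelace@example.org",
    "phone": "+44 20 7946 0958",
    "national_id": "AB123456C",
    "date_of_birth": "1985-07-14",
    "plan": "premium",
    "notes": "Called about invoice; lives at 12 Example Street",
}

# One rule per field, derived from the data classification (assumed mapping).
# A field with no rule is treated as unclassified and aborts the copy.
RULES = {
    "customer_id": "keep",          # internal join key, not PII on its own
    "full_name": "synthetic",       # replace with a generated value
    "email": "pseudonymise",        # keyed, consistent pseudonym
    "phone": "synthetic",
    "national_id": "tokenise",      # random token; original kept only in the vault
    "date_of_birth": "generalise",  # reduce to year
    "plan": "keep",                 # business data, not personal
    "notes": "redact",              # free text may contain anything: drop it
}


def keyed_digest(value: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over the normalised value.
    Same input -> same output, so joins still work across masked tables,
    but reversing it needs the key. A plain sha256(value) would NOT do:
    email addresses have low entropy, and hashing a list of known
    addresses re-identifies them without any key."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def tokenise(value: str, vault: dict) -> str:
    """Replace the value with a random token. The only way back is the vault,
    which must be stored and access-controlled separately from the masked
    data set (the 'separately held key' a reviewer looks for)."""
    for token, original in vault.items():  # reuse the token for a known value
        if original == value:
            return token
    token = "tok_" + secrets.token_hex(8)
    vault[token] = value
    return token


def mask_field(field: str, value, rule: str, key: bytes, vault: dict):
    if rule == "keep":
        return value
    if rule == "pseudonymise":
        digest = keyed_digest(str(value), key)
        # keep the shape of an email so application-side validation still passes
        return f"{digest}@masked.invalid" if field == "email" else digest
    if rule == "synthetic":
        digest = keyed_digest(str(value), key)
        if field == "phone":
            # 07700 900000-900999 is reserved for fiction in the UK numbering plan
            return "+44 7700 900" + str(int(digest[:4], 16) % 1000).zfill(3)
        return "Customer " + digest[:6]
    if rule == "tokenise":
        return tokenise(str(value), vault)
    if rule == "generalise":
        return str(value)[:4]  # ISO date -> year only
    if rule == "redact":
        return "[REDACTED]"
    raise ValueError(f"unknown rule {rule!r} for field {field!r}")


def mask_record(record: dict, key: bytes, vault: dict) -> dict:
    """Apply the classification rules to one record, failing closed on any
    field the classification does not cover."""
    masked = {}
    for field, value in record.items():
        if field not in RULES:
            raise ValueError(f"field {field!r} has no masking rule; refusing to copy")
        masked[field] = mask_field(field, value, RULES[field], key, vault)
    return masked


def find_leaks(original: dict, masked: dict) -> list:
    """Fields whose original value still appears anywhere in the masked
    record: the before/after check a reviewer runs on sample records."""
    blob = json.dumps(masked).lower()
    return [f for f, v in original.items()
            if RULES.get(f) != "keep" and str(v).lower() in blob]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the data protection team, never copied to non-prod
    vault = {}                     # likewise stored apart from the masked data
    masked = mask_record(SAMPLE_RECORD, key, vault)
    print(json.dumps(masked, indent=2))
    print("leaks:", find_leaks(SAMPLE_RECORD, masked))
```

Two design choices matter for the test criteria above: the pseudonym is keyed and normalised, so the same person gets the same pseudonym across tables and case variants while re-identification needs the key; and an unclassified field raises instead of passing through, so a new column added to production cannot silently leak into staging.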