Cover Image for SAP GDPR Compliance: Data Masking Vs Data Scrambling

A Typical Use-Case of Personal Data Protection in SAP Systems

Being GDPR the hot topic of the moment, everybody knows it.

Also, since lots of blogs and articles have been already written about it, to presenting something new and original is becoming harder and harder. Nevertheless, let me give it a try.

By the way, do you know which is the subtle difference between Data Masking and Data Scrambling applied to SAP systems?

According to Wikipedia:

Data masking (or data obfuscation) is the process of hiding original data with random characters or data.

On the other hand, Data scrambling can be interpreted as a sort of a permanent and irreversible masking which converts an original value into a newly defined value (usually by a random selection from a temporary mapping-lookup table).

An example can help clarify the concept better, to select the best SAP available solutions for GDPR compliance.

If you ever come across Spiderman, you’d find yourself in front of a typical Data Masking case. The mask that the superhero is wearing prevents Peter Parker’s identity to be unveiled.

Okay, everybody knows that Peter Parker is the high school student from Queens behind Spider-Man’s secret identity.

Anyhow – when Peter is in action as Spiderman – his identity stays well protected as nobody knows who is hidden behind the mask they see.

Translating this into SAP language, the following picture shows what is stored and saved in the Database and – on the other hand – what is seen by the End Users, after the activation of SAP Field masking (AKA SAP UI Masking):

And now, have you ever heard the story of the Joker, the fictional super-villain from Gotham City?

Yes, here you are in front of typical Data Scrambling scene.

The Joker has had various possible origin stories during his decades of appearances. The most common story involves him taking an acid bath at the chemical refinery, which bleaches his skin white, turns his hair green, and his lips bright red.

So, who was the Joker before the accident that turned him into the Joker?

The truest answer is: It’s nearly impossible to find out, and it doesn’t really matter.

The resulting disfigurement has eventually created a new personality (= a new data value), no longer linked to the original character.

You now recognise the difference between data masking and data scrambling, where this second option can be reflected in SAP like this:

It’s a matter of fact that the scrambling process is more invasive than the masking one.

Now the data is definitely changed at Database level, and we are no longer able to fetch the identity of the character who was behind the permanent Joker mask, before scrambling conversion occurred.

The main reason for applying either masking or scrambling to a data field is to protect data that is classified as personal identifiable data, personal sensitive data or commercially sensitive data, however the data must remain usable for the purposes of undertaking valid test cycles.

Usually, the Data masking option is more likely to be activated in SAP productive environments.

Data scrambling is mostly used in Test / Quality SAP systems, as part of a SAP TDMS data migration with scrambling scenario.

The new challenge for any IT manager is to result compliant with the new GDPR policies, and to ensure – at the very same time – that all scrambled data will look real and appear consistent.

In Inquaero we’ve developed a strategy for applying a P.I.I. Intelligent Mapping to scramble data.

This would make test personal data still meaningful and usable also for analytic and statistic purposes.

Privacy of the original personal information is ultimately granted.

If you are interested in how to apply the described scenarios to your SAP landscape, feel free to email us: info@inquaero.com