
Publication Summary

Title Data Masking Policy
Author(s) Alessandro Cardinali
Issued by CEO
Version doc. 0.1
Review freq. Yearly
Date of issue December 11, 2023
Owner Alessandro Cardinali
Document status Draft – Final Draft – Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 December 11, 2023 First draft document
1.0 December 20, 2023

Contents

1 Introduction

2 Data masking policy

Introduction

In its everyday business operations Soon Technologies B.V. makes use of a variety of data about identifiable individuals (personally identifiable information, PII), including data about:

  • Current, past and prospective employees

  • Customers

  • Users of its websites

  • Subscribers

  • Other stakeholders

In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect that data. This is especially true when PII is shared outside of the organization, and appropriate steps must be taken (in accordance with the basic principle of data minimization) to ensure that only those items of PII that are necessary for the purpose are provided. One of the ways to achieve this is to use data masking techniques, such as anonymization and pseudonymization.

The correct application of data masking techniques has the potential to provide a number of benefits, including:

  • A reduction in the potential harm to PII principals in the event of a breach

  • Lower risk to the organization, especially where PII has been effectively anonymized and is therefore no longer subject to privacy legislation

  • Facilitating a “data protection by design” approach to privacy

  • Allowing greater freedom to use information after it has been anonymized

  • Fostering greater trust from interested parties that PII is being protected

The purpose of this policy is to set out the approach that Soon Technologies B.V. requires when such techniques are used, so that the effectiveness of privacy safeguards can be maximized.

This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.

The following policies and procedures are relevant to this document:

Data masking policy

The use of data masking techniques must at all times take account of Soon Technologies B.V.’s compliance obligations under relevant privacy legislation.

This policy applies in two main sets of circumstances:

  1. Where PII that is held internally requires the application of data masking techniques in order to reduce risk

  2. Where PII is to be provided to a third party and it is appropriate to apply data masking techniques to reduce the amount of PII to fit the intended purpose of the transfer

Note: This policy does not apply to the preparation of PII for release to the general public; in this case, specific guidance from top management must be sought as the requirements for effective data masking (such as anonymization) are typically more stringent, with a higher risk of re-identification.

The approach to data masking that will be taken in a particular instance will be tailored to the specific requirements and will be in line with best practice.

Techniques that may be used include:

  • Suppression of attributes that are not needed for the purpose of the processing, such as the removal of specific columns in spreadsheets

  • Removal of complete records that are not required for the purpose

  • Masking of characters within data, for example account numbers as 1234xxxx

  • Pseudonymization – replacing PII with a different piece of data that does not identify the PII principal, for example replacing a name with a number

  • Replacing specific values with a range, for example an age of 26 with an age range of 20-30

  • Aggregating records into ranges, for example the number of people within the age range 20-30

The use of each of these techniques (and other techniques where available) in a specific case will depend upon a firm understanding of how the data will be used, and not all of them will be appropriate in every case.

A risk-based approach will be used with regard to possible re-identification of PII, taking into account the sensitivity of the data and potential harm to the PII principal.

The involvement of a subject matter expert will be required in most cases to assess the risk of re-identification, for example by inferring someone’s identity from other available data.

Data masking techniques must be used in combination with supporting technical controls where possible. These may include restricting online access, allowing only query access to the data and limiting the number of recipients of the data.

The process used for data masking must be documented in each instance and kept securely, for audit purposes and in order to avoid its use in later re-identification.

Where techniques for pseudonymization are used, the associated mapping tables (which show the real data against the pseudonym) must be secured effectively as they provide the key to re-identification.
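As an added illustration (not part of this policy and not Soon Technologies B.V. tooling), the following Python applies the techniques listed above to a constructed set of fictitious records: suppression of unneeded attributes, removal of records not required for the purpose, character masking (1234xxxx), pseudonymization, value-to-range replacement and aggregation. It also returns the pseudonym mapping table separately from the masked output, so it can be stored and secured apart as the mapping-table requirement above calls for. All function names, field names and sample values are assumptions.

```python
"""Worked example of the masking techniques in the policy (constructed data)."""
from collections import Counter

# Constructed, fictitious sample records; not real PII.
RECORDS = [
    {"name": "Ada Example", "age": 26, "account": "12345678", "email": "ada@example.invalid", "active": True},
    {"name": "Bo Sample", "age": 34, "account": "87654321", "email": "bo@example.invalid", "active": False},
    {"name": "Cy Demo", "age": 29, "account": "55550000", "email": "cy@example.invalid", "active": True},
]


def mask_account(value, keep=4):
    """Character masking as in the policy's example: 12345678 -> 1234xxxx."""
    return value[:keep] + "x" * max(len(value) - keep, 0)


def age_range(age, width=10):
    """Replace a specific value with a range: 26 -> '20-30'."""
    low = age // width * width
    return f"{low}-{low + width}"


# Per-attribute masking applied to attributes that are kept (assumed configuration).
MASKERS = {"account": mask_account, "age": age_range}


def mask_records(records, needed=("age", "account"), keep=lambda r: r.get("active", False)):
    """Suppress unneeded attributes, drop unneeded records, mask and pseudonymize.

    Returns (masked_records, mapping_table). The mapping table (pseudonym -> real
    name) is the key to re-identification and must be stored and secured separately
    from the masked data that is handed on.
    """
    mapping = {}
    masked = []
    for rec in records:
        if not keep(rec):                 # removal of complete records not required
            continue
        pseudonym = len(mapping) + 1      # replace the name with a number
        mapping[pseudonym] = rec["name"]
        out = {"id": pseudonym}
        for field in needed:              # suppression: copy only needed attributes
            out[field] = MASKERS.get(field, lambda v: v)(rec[field])
        masked.append(out)
    return masked, mapping


def aggregate_by_age_range(records):
    """Aggregate records into ranges: number of people per age range."""
    return dict(Counter(age_range(r["age"]) for r in records))
```

Because `name` and `email` are never copied into the output, the masked records carry no direct identifier; the only route back to a person is the mapping table, which is why it is returned as a separate object rather than embedded in the data.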

Records must be kept of PII that has been provided to third parties, with written agreements covering how the data may be used and the controls that are expected to be applied to it.