GDPR - General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with the data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies.

GDPR - Configurable Flagging of Sensitive Data Fields

OIPA allows users to configure the classification of data as personal or sensitive. A configuration in OIPA identifies sensitive data fields and supports masking of these fixed fields.

Data Sensitivity Categorization for PII

Protected Personal Information (PII) includes the following list of data:

  1. Name (if accompanied by another identifier)
  2. Home Address (if accompanied by another identifier)
  3. NRIC Number (Tax ID)
  4. Cell Phone Number
  5. Personal email address
  6. Name and residential address (combination)
  7. Name and residential telephone number (combination)

Note: Certain items in the above list are considered PII only if they are accompanied by another identifier, because more than one person could use the listed identifier.

The following data elements in the ROE spreadsheet are classified as protected personal information, either on their own or in combination with another data element, and hence should be masked. Additionally, an Organization Business Identification number field is added to the data protection list. Refer to the list below for details:

PII                       Mask                                  OIPA Field
IssueAge                  **                                    Y
InsuredName               *********                             Y
InsuredDateOfBirth        **/**/****                            Y
BeneficiaryName           *********                             Y
BeneficiaryDateOfBirth    dd/mm/****; mm/dd/****; ****/mm/dd    Y
Gender                    ****                                  Y
FirstName                 ******                                Y
LastName                  ******                                Y
FullName                  *********                             Y - In configuration
DateOfBirth               dd/mm/****; mm/dd/****; ****/mm/dd    Y
TaxID                     *********                             Y
BLDGNAME                  *********                             N
FLATNO                    *********                             N
STREET                    *********                             Y - In configuration
POSTALCODE                *********                             Y
CITY                      *********                             Y
COUNTRYCODE               *********                             Y
ADDRESSLINE1              *********                             Y
ADDRESSLINE2              *********                             Y
ADDRESSLINE3              *********                             Y
ADDRESSLINE4              *********                             Y
EmailAddress              *********                             Y

Configured Code Tables

Code Name                  Code    System    Value           Definition
AsCodeMaskSecurityLevel    00      Y         Default         A default mask to be used for PII Fields
AsCodePIIField             01      Y         IssueAge
AsCodePIIField             02      Y         FirstName
AsCodePIIField             03      Y         LastName
AsCodePIIField             04      Y         DateOfBirth
AsCodePIIField             05      Y         TaxId
AsCodePIIField             06      Y         AddressLine1
AsCodePIIField             07      Y         AddressLine2
AsCodePIIField             08      Y         AddressLine3
AsCodePIIField             09      Y         AddressLine4
AsCodePIIField             10      Y         City
AsCodePIIField             11      Y         StateCode
AsCodePIIField             12      Y         CountryCode
AsCodePIIField             13      Y         Email
AsCodePIIField             14      Y         PhoneNumber
AsCodePIIField             15      Y         FaxNumber
AsCodePIIField             16      Y         PolicyNumber

PII Masking

To support the GDPR enhancement, the current MASKING configuration can be used.

  • Dynamic fields can be configured based on the customer's requirements, and no new code is required.
  • Fixed fields that have been identified as Protected Personal Information (PII) fields are masked using a default mask defined in AsMaskingDetail. A new value, '00' - Default, is added to the code values for Masking level, to be used in the AsMaskDetail table. This level identifies whether the value is to be used for the PIIField. It can be used in the changes to the palette to support PII masking. For PII fields, if no masking is defined, the default value is used.

Also, masking is extended for the following OIPA screens:

  1. Activity Result (Math Section)
  2. Requirement Result
  3. Dashboard Widgets
  4. History Screens
  5. Entity Summary screens

No screen rule exists for the History and Entity Summary screens. Because the History page does not have a screen rule, security controls are applied on the History page itself. History pages are included in all screens. In OIPA, History pages read the appropriate configuration and security levels for masked fields.

Editing Masking Details

The new column added in the AsMaskingDetail table can be edited from Masks under the Administration node.

Navigate to Admin Explorer -> Administration -> Masks -> right click and select 'New Mask Detail'.

The PIIField drop down is populated with new code values from AsCode for AsCodePIIField. Edit the details, and click Finish.

Note: When a default value for Level is entered, an associated PIIField will be selected.

 

Validations

The following actions or validations are added in the Rules Palette.

Deleting a Mask record linked to PIIField with System indicator Y

The Rules Palette will not allow this record to be deleted. The Mask Security Level cannot be removed from the AsMaskDetail table because it is linked to a system PIIField.

Default Masking Settings

Default masking settings for the PII fields are set up in the Masking table. These are used if no masking is defined in any screen that uses that data.

To mask the fields, run the following SQL, which changes the default masking for the PII fields to masked:

UPDATE AsMaskDetail SET OutputFormat = ' *******' WHERE MaskSecurityLevelCode = '00'

To turn masking for the PII fields back off, run:

UPDATE AsMaskDetail SET OutputFormat = '$1' WHERE MaskSecurityLevelCode = '00'

The default settings for PII fields can also be edited through the Rules Palette.
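
The following is an added example, not part of the OIPA documentation or Oracle's code: a check of which PII fields still have a pass-through ('$1') default mask, or no default row at all, before and after the UPDATE above. It runs against a constructed in-memory SQLite stand-in for AsMaskDetail; the PIIFieldCode column name and the sample rows are assumptions, and only MaskSecurityLevelCode and OutputFormat come from this page.

```python
import sqlite3

# Subset of the AsCodePIIField codes listed in the Configured Code Tables section.
PII_FIELDS = {"01": "IssueAge", "02": "FirstName", "03": "LastName",
              "04": "DateOfBirth", "05": "TaxId", "13": "Email"}

def build_sample_db():
    """Constructed stand-in for AsMaskDetail; PIIFieldCode is an assumed column name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AsMaskDetail (MaskSecurityLevelCode TEXT, "
                 "PIIFieldCode TEXT, OutputFormat TEXT)")
    rows = [("00", "01", "$1"), ("00", "02", " *******"), ("00", "03", "$1"),
            ("00", "04", "$1"), ("00", "05", " *******"),
            ("01", "13", " *******")]  # Email: non-default level only, no '00' row
    conn.executemany("INSERT INTO AsMaskDetail VALUES (?, ?, ?)", rows)
    return conn

def audit_default_masks(conn):
    """Return (pass_through, missing): PII fields whose level-'00' default leaves
    the value readable ('$1'), and PII fields that have no level-'00' row."""
    found = dict(conn.execute(
        "SELECT PIIFieldCode, OutputFormat FROM AsMaskDetail "
        "WHERE MaskSecurityLevelCode = '00'"))
    pass_through = sorted(PII_FIELDS[code] for code, fmt in found.items()
                          if code in PII_FIELDS and fmt == "$1")
    missing = sorted(name for code, name in PII_FIELDS.items() if code not in found)
    return pass_through, missing

def enable_default_masking(conn):
    """The page's UPDATE statement, unchanged."""
    conn.execute("UPDATE AsMaskDetail SET OutputFormat = ' *******' "
                 "WHERE MaskSecurityLevelCode = '00'")

if __name__ == "__main__":
    db = build_sample_db()
    print("before:", audit_default_masks(db))
    enable_default_masking(db)
    print("after: ", audit_default_masks(db))
```

In the constructed data the UPDATE clears every pass-through default, but Email is still reported as missing because an UPDATE cannot touch a row that does not exist.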