GDPR - General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based. The General Data Protection Regulation covers all companies that deal with the data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies.
GDPR - Configurable Flagging of Sensitive Data Fields
OIPA allows users to configure classification of data as personal or sensitive data. There is a configuration in OIPA to identify sensitive data fields and support masking to these fixed fields.
Data Sensitivity Categorization for PII
Protected Personal Information (PII) includes the following list of data:
- Name (if accompanied with another identifier)
- Home Address (if accompanied with another identifier)
- NRIC Number (Tax ID)
- Cell Phone Number
- Personal email address
- Name and residential address (combination)
- Name and residential telephone number (combination)
Note: Certain items in the above list are considered to be PII only if they are accompanied with another identifier, and that is because more than one person could use the listed identifier.
The following data elements in ROE spreadsheet is classified as protected personal information as such or in combination with another data element and hence should be masked. Additionally, an Organization Business Identification number field is also added to data protection list. Refer the below list for details:
| PII | Mask | OIPA Field |
|---|---|---|
| IssueAge | ** | Y |
| InsuredName | ********* | Y |
| InsuredDateOfBirth | **/**/**** | Y |
| BeneficiaryName | ********* | Y |
| BeneficiaryDateOfBirth |
dd/mm/**** mm/dd/**** ****/mm/dd |
Y |
| Gender | **** | Y |
| FirstName | ****** | Y |
| LastName | ****** | Y |
| FullName | ********* | Y - In configuration |
| DateOfBirth |
dd/mm/**** mm/dd/**** ****/mm/dd |
Y |
| TaxID | ********* | Y |
| BLDGNAME | ********* | N |
| FLATNO | ********* | N |
| STREET | ********* | Y - In configuration |
| POSTALCODE | ********* | Y |
| CITY | ********* | Y |
| COUNTRYCODE | ********* | Y |
| ADDRESSLINE1 | ********* | Y |
| ADDRESSLINE2 | ********* | Y |
| ADDRESSLINE3 | ********* | Y |
| ADDRESSLINE4 | ********* | Y |
| EmailAddress | ********* | Y |
Configured Code Tables
| Code Name | Code | System | Value | Definition |
|---|---|---|---|---|
| AsCodeMaskSecurityLevel | 00 | Y | Default | A default mask to be used for PII Fields |
| AsCodePIIField | 01 | Y | IssueAge | |
| AsCodePIIField | 02 | Y | FirstName | |
| AsCodePIIField | 03 | Y | LastName | |
| AsCodePIIField | 04 | Y | DateOfBirth | |
| AsCodePIIField | 05 | Y | TaxId | |
| AsCodePIIField | 06 | Y | AddressLine1 | |
| AsCodePIIField | 07 | Y | AddressLine2 | |
| AsCodePIIField | 08 | Y | AddressLine3 | |
| AsCodePIIField | 09 | Y | AddressLine4 | |
| AsCodePIIField | 10 | Y | City | |
| AsCodePIIField | 11 | Y | StateCode | |
| AsCodePIIField | 12 | Y | CountryCode | |
| AsCodePIIField | 13 | Y | ||
| AsCodePIIField | 14 | Y | PhoneNumber | |
| AsCodePIIField | 15 | Y | FaxNumber | |
| AsCodePIIField | 16 | Y | PolicyNumber |
PII Masking
To support the GDPR enhancement, the current MASKING configuration can be used.
- Dynamic fields can be configured based on the customers requirements and no new code is required.
- Fixed fields that have been identified as Protected Personal Information (PII) fields, are masked using a default mask defined in AsMaskingDetail. A new value is added to the code values for Masking level of '00' - Default, to be used in AsMaskDetail table. This identifies if the value is to be used for the PIIField. It can be used in the changes to the palette to support PII masking. For PII fields, if no masking is defined, then the default value will be used.
Also, masking is extended for the following OIPA screens:
- Activity Result.(Math Section)
- Requirement Result
- Dashboard Widgets
- History Screens
- Entity Summary screens
For History and Entity Summary screens, no screen rule exists. Since History page does not have a screen rule, security controls are applied on history page itself. History pages are included in all screens. In OIPA, History pages will read the appropriate configuration and security levels for masked fields.
Editing Masking Details
The new column added in the AsMaskingDetail table can be edited from the Masks under the Administration Node.
Navigate to Admin Explorer -> Administration -> Masks -> right click and select 'New Mask Detail'.
The PIIField drop down is populated with new code values from AsCode for AsCodePIIField. Edit the details, and click Finish.
Note: When a default value for Level is entered, an associated PIIField will be selected.
Validations
The following actions or validations are added in the Rules Palette.
Deleting a Mask record linked to PIIField with System indicator Y
Palette will not allow deleting this record. Mask Security Level cannot be removed from the AsMaskDetail table since it is linked to system PIIField.
Default Masking Settings
There are default masking settings for the PII fields setup in the Masking table, these will be used if no masking is defined in any screen that uses that data.
The fields can be masked by setting the masking by running the following SQL which changes the default masking for the PII fields to being masked.
UPDATE AsMaskDetail SET OutputFormat = ' *******' WHERE MaskSecurityLevelCode = '00'
To turn masking for the PII fields back off run
UPDATE AsMaskDetail SET OutputFormat = '$1' WHERE MaskSecurityLevelCode = '00'
The Default settings for PII fields can also be edited through the rule palette.
