Get GDPR, PCI and HIPAA compliant
How DATPROF Privacy helps you get compliant with privacy laws and regulations
We are regularly asked whether our software is GDPR, PCI and/or HIPAA compliant. The question can be read in two ways. The first: is it safe to use the software in a regulated environment? The second: does the software help you become compliant? The answer to both is yes. Let’s explain.
When you use software within an environment that has to comply with privacy laws and regulations, the most important thing to consider is the architecture of the implementation. DATPROF software is installed inside the customer’s own protected data domain, so personal data never has to leave that domain to be masked; the tool is therefore as safe and compliant as the environment in which it runs.
DATPROF’s data masking software, DATPROF Privacy, can be used as a tool to comply with privacy laws and regulations. DATPROF Privacy helps you get GDPR, PCI and/or HIPAA compliant. Before we go into how you can use the tool for compliance, we first have to understand what these laws and standards mean and what the differences and similarities between them are.
What is GDPR, PCI and HIPAA
General Data Protection Regulation (GDPR)
The GDPR is the European Union’s data protection regulation and protects the personal data of people in the EU. Under the GDPR, personal data is any information relating to an identified or identifiable natural person. Because such data has to be protected, organisations have to adhere to laws (the GDPR in the EU, HIPAA in the United States) and to industry standards (PCI DSS).
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS (PCI for short) is not a law; it is a standard required by the payment card brands. PCI aims to help businesses process card payments securely and reduce card fraud. To achieve this it imposes strict security controls on storing, transmitting and processing cardholder data. The primary goal of implementing PCI is to protect cardholder information, which also includes personal data as defined by the GDPR (source: logsentinel.com).
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) in healthcare treatment, payment and operations by so-called covered entities: health plans, healthcare clearinghouses and healthcare providers (source: tier3md.com). PHI is individually identifiable health information, including demographic information that can be used to identify a patient: name, date of birth, address, financial information, Social Security number, full-face photo or insurance information. PHI only covers information held by an entity that is bound by HIPAA (source: compliancy-group.com).
Differences and similarities
The key difference between the GDPR on the one hand and PCI and HIPAA on the other is the focus. Where the GDPR covers a wide range of personal data, PCI and HIPAA each focus on one category of data. The GDPR protects all personal data collected from anyone in the EU and ensures that personal data is not exploited, is deleted on request and is only used as long as there is a lawful basis, such as the individual’s consent (source: ispartnersllc.com).
GDPR vs. HIPAA
The GDPR has a much broader scope than HIPAA. HIPAA’s main focus is on organisations and people that handle protected health information (PHI) in the United States. HIPAA is limited to PHI alone, while the GDPR addresses all “special categories” of personal data, such as racial or ethnic origin and religious beliefs, in addition to ordinary personal data. Healthcare providers already ensure the secure processing and handling of PHI under HIPAA, but under the GDPR the processing of data about an EU resident also needs an explicit lawful basis, in many cases the patient’s active consent. The big word here is “consent”: HIPAA does not require active consent for treatment, payment and operations (source: blog.ipswitch.com).
GDPR vs. PCI
PCI’s main focus is security and the protection of cardholder data against, for example, breaches, loss of data and identity theft. Only the uses that are part of the payment process are covered. The GDPR and PCI overlap on one type of data: payment card data. If the cardholder is in the EU, the GDPR has to be complied with for all of these processes as well.
Similarities of GDPR, PCI and HIPAA
The most obvious similarity between the GDPR, PCI and HIPAA is that all three protect personal data.
Despite the differences in the scale and scope of the data covered, the GDPR, PCI and HIPAA often reinforce each other: the technical controls you implement for PCI and HIPAA (access control, encryption, not exposing real data outside production) help you comply with the GDPR, and the other way around.
Compliant with DATPROF Privacy
Data masking for GDPR compliance
Being compliant with the GDPR means, among other things, that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (Article 5(1)(f), source: gdpr-info.eu). This has a big impact on how you handle your test data.
We still come across organisations that use production data for testing and development purposes. However, giving testers and developers access to production data is far from ensuring appropriate security of the personal data. Using production data (with privacy-sensitive data in it) for testing and development increases the risk of unauthorised access and of accidental loss, destruction or damage. In short: unmasked production data cannot be used for testing and development purposes.
Of course you want to test with data that is as production-like as possible to ensure high quality. DATPROF Privacy helps you mask your privacy-sensitive data and replace it with synthetic test data. This way you can use production-like data, but without the privacy-sensitive information in it.
How to get compliant by masking or generating test data
An extensive read on how to mask or synthetically generate test data to get compliant with privacy regulations.
Data masking for PCI DSS compliance
When you want to be PCI DSS compliant, you have to make sure that cardholder data is protected. The approach for PCI DSS compliance is the same as the approach for GDPR compliance: you need to make sure that cardholder data is not used for anything other than its intended purpose. PCI DSS states this explicitly for test environments: live PANs (primary account numbers) must not be used for testing or development.
Using DATPROF Privacy you can mask the (privacy-sensitive) cardholder data by creating a masking template with various masking rules and synthetic data generators. For example, you can generate synthetic credit card numbers, synthetic names and expiration dates. A synthetic card number should still pass the checks your applications apply (correct length, a valid Luhn check digit) so that the test data behaves like real data without containing it. This way you ensure no privacy-sensitive cardholder data is used for testing and development, while you are still able to use production-like data.
Data masking for HIPAA compliance
As mentioned earlier, PHI is any individually identifiable health information held by an organisation that must be HIPAA compliant, including the demographic information that can be used to identify a patient. Examples are names, geographical information, phone numbers, medical record numbers, health plan numbers and many more.
Data masking is designed to address data “at rest” in relational database management systems such as Oracle or SQL Server, or in files such as CSV and XML. Both variants are called “static data masking” because they either update the database in place or write a new, masked copy of a file as output; the original, unmasked data never reaches the test environment.
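The following is an added example, written for this page; it is not DATPROF’s code and does not show how DATPROF Privacy implements its masking rules. It illustrates both points above (synthetic but Luhn-valid card numbers for PCI test data, and file-based static masking of PHI-like fields for HIPAA) on a constructed CSV extract. The sample rows, the masking key, the name lists and the fixed reference date are assumptions made for the example; a real deployment would load the key from a secret store and never ship it with the masked output.

```python
import csv
import hashlib
import hmac
import io
from datetime import date, timedelta

# Constructed sample extract (all values made up for this example). Row 1003
# repeats row 1001's person so we can show referential integrity of the masking.
SAMPLE_CSV = """customer_id,full_name,date_of_birth,card_number,card_expiry
1001,Alice Johnson,1984-03-17,4539578763621486,2027-05
1002,Bob Martinez,1979-11-02,5105105105105100,2026-11
1003,Alice Johnson,1984-03-17,4539578763621486,2027-05
"""

# Assumed masking secret. Deterministic masking needs a key so that the same
# input always masks to the same output, yet cannot be reversed without it.
MASKING_KEY = b"example-masking-key-rotate-me"

FIRST_NAMES = ["Ava", "Liam", "Noah", "Emma", "Mia", "Ethan", "Zoe", "Lucas"]
LAST_NAMES = ["Smith", "Brown", "Taylor", "Wilson", "Davies", "Evans", "Walsh", "Khan"]


def keyed_digest(value: str, purpose: str) -> int:
    """HMAC-SHA256 of the value, domain-separated by purpose, as an integer."""
    mac = hmac.new(MASKING_KEY, f"{purpose}:{value}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")


def luhn_check_digit(partial: str) -> str:
    """Check digit for a digit string that is still missing its last digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(pan: str) -> str:
    """Synthetic, Luhn-valid card number of the same length. Only the first
    digit (major industry identifier) is kept so validation code under test
    still sees a plausible card number; no other digit of the original survives."""
    body = pan[0] + str(keyed_digest(pan, "pan")).zfill(len(pan))[: len(pan) - 2]
    return body + luhn_check_digit(body)


def mask_name(name: str) -> str:
    """Consistent pseudonym: same real name -> same fake name, across files."""
    h = keyed_digest(name, "name")
    return f"{FIRST_NAMES[h % len(FIRST_NAMES)]} {LAST_NAMES[(h >> 8) % len(LAST_NAMES)]}"


def mask_dob(dob_iso: str, subject: str) -> str:
    """Shift the date of birth by a per-subject offset within +/-180 days, so
    age-based test logic keeps working while the exact date is gone."""
    offset = keyed_digest(subject, "dob") % 361 - 180
    return (date.fromisoformat(dob_iso) + timedelta(days=offset)).isoformat()


def mask_expiry(pan: str) -> str:
    """Synthetic expiry 1 to 4 years after an assumed fixed reference date,
    derived from the original PAN so card and expiry mask consistently."""
    months = 12 + keyed_digest(pan, "expiry") % 36
    ref = date(2025, 1, 1)
    years, month_index = divmod(ref.month - 1 + months, 12)
    return f"{ref.year + years}-{month_index + 1:02d}"


def mask_rows(text: str) -> list:
    """Apply the masking rules to every row of a CSV extract."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        masked = dict(row)
        masked["full_name"] = mask_name(row["full_name"])
        masked["date_of_birth"] = mask_dob(row["date_of_birth"], row["full_name"] + row["date_of_birth"])
        masked["card_expiry"] = mask_expiry(row["card_number"])
        masked["card_number"] = mask_pan(row["card_number"])
        out.append(masked)
    return out


def mask_csv(text: str) -> str:
    """Static file masking: the original is read, a new masked copy is written."""
    rows = mask_rows(text)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(mask_csv(SAMPLE_CSV))
```

Two design choices matter here. Masking is keyed and deterministic, so a customer who appears in several tables or files gets the same pseudonym everywhere and joins in the test environment keep working; and the check digit is recomputed, so input validation in the application under test accepts the synthetic numbers. In a database, the same rules would be applied in place with UPDATE statements rather than by writing a new file.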
Data Masking for HIPAA compliance
Download our free whitepaper about how to become HIPAA compliant.