Static versus Dynamic Data Masking

Characteristics, pros and cons

Personally identifiable information needs to be protected. We all know that by now. It is laid down in various privacy rules and regulations like GDPR, PCI and HIPAA. But how do you make sure that the right data is protected the right way? Which data masking method fits your needs best? A difference is being made between static data masking and dynamic data masking. What do these methods look like, what are the characteristics, pros and cons?

dynamic vs static data masking

Static Data Masking (SDM)

Realistic, representative data is data that represents production which often is needed for software testing like functional testing and regression testing. In these cases generating synthetic data from scratch is a risk since it will not be truly representative of the production environment. What we need is static data masking to facilitate compliance with privacy rules and regulations like GDPR, PCI and HIPAA. Static data masking is replacing sensitive data by altering data at rest. It is used to provide high quality (realistic) data for development and testing of applications. Static data masking can be done using ETL-like solutions or tools that are capable of directly doing it inside the database.

A typical static data masking architecture looks like the following. You have only one full-size copy of each production database. It’s often called the “Golden copy”. We call it the “Test Data Master”. This is the one and only layer of the lower environment which will be subject to data privacy legislation such as GDPR and therefore requires data masking applied.

Test data architecture

This “Test Data Master” is typically made available as the source for all other lower environment deployments. As full size copies they can also be used by performance testers and BI developers who need the production volume level experience in read-only or select mode. Static data masking changes sensitive data in a realistic manner with the help of masking rules and synthetic data generation. The data is permanently replaced, which is an advantage in terms of privacy and protection.

Dynamic Data Masking (DDM)

Dynamic data masking is masking sensitive data in transit, or “on the fly”, leaving the original at-rest data intact and unaltered. It is used to hide certain data from a certain user. The data is not masked physically in the database; it is masked in the query result. The unmasked data will remain visible in the actual database. The downside of dynamic data masking is that stored procedures can’t be dynamically masked. Masking of stored procedures requires rewriting the query results, not the query itself.

Dynamic data masking is often used for production systems, building a masking layer on top of the existing data to prevent that certain roles/people see certain data, but the data inside is still the same.

dynamic data masking

Data masking with DATPROF

The DATPROF Suite contains a static data masking solution that is capable of directly masking/transforming/altering the data inside the database without extracting the data to an ETL platform. Firing queries onto the database, carrying out the masking template, the data doesn’t travel through the tooling which is very safe.

Try 14 days for free

datprof privacy

Mask privacy sensitive data and generate synthetic test data with DATPROF Privacy. Try 14 days for free. No credit card required.

Data Masking


Data Automation


Data Discovery