Test data compliance

Get GDPR, PCI and HIPAA compliant

When you use (a copy of) production data in your QA environments, this data needs to be compliant with data protection legislation and other data privacy regulations. GDPR, PCI and HIPAA are and example of such regulations. While everyone actually knows this, in many cases laws and regulations are not yet complied with. A shame, because you take unnecessary risks using privacy sensitive data for QA purposes.

What is your main challenge?

I need to comply with privacy regulations

If your data contains Personally Identifiable Information (PII) you need to make sure it is compliant with privacy regulations.

To become compliant with regulations like GDPR, PCI and HIPAA, you need to anonymize the data in your lower environments. With the help of data masking and synthetic data generation you create data that is safe to use for testing and development purposes.

I have too little data insight

Gain knowlege of your database and be aware of what’s inside of it. It may contain sensitive data and if that’s the case, you want to know where it’s stored.

If you don’t know where Personally Identifiable Information (PII) is stored, you are not able to mask the database properly. You need insight into your data to build a masking template and become compliant with privacy regulations like GDPR, PCI and HIPAA.

My data auditability needs improvement

Show everyone you’re taking data privacy seriously. Be in control of your masking efforts and mask your data whenever you want.

Not having control over your test data environments costs a lot of time and money. Start managing, monitoring and automating test data from one TDM portal. Get notifications about the runs and download the audit report to prove your masking efforts.

What is GDPR, PCI and HIPAA

General Data Protection Regulation (GDPR)

Representing the European Union laws, the GDPR protects the rights of European citizens. According to the GDPR, personal data is any information relating to an identified or identifiable natural person. This personal data has to be protected and therefore there are laws (GDPR) and standards (PCI DSS and HIPAA) for companies to adhere to.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS (in short PCI) is not a law – it’s a standard required by the credit card companies. The PCI aims to help businesses process card payments securely and reduce card fraud. To achieve this it implies strict security controls for storing, transmitting and processing cardholder’s data. The primary goal of implementing PCI is to protect the cardholder information. That also includes the personal information as defined by the GDPR (source: logsentinel.com).

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA privacy rule regulates the use and disclosure of protected health information (PHI) in healthcare treatment, payment and operations held by so called covered entities (health plans, healtcare clearinghouses and healthcare providers) (source: tier3md.com). PHI is any demographic information that can be used to identify a patient. This includes name, date of birth, address, financial information, Social Security number, full facial photo, or insurance information. PHI only includes information gathered by a HIPAA-beholden entity (source: compliancy-group.com).


Differences and similarities

The key difference between GDPR and both PCI and HIPAA is the focus. Where the GDPR covers a large range of personal data, the PCI and HIPAA are more focused on one component. The GDPR protects all personal identifying data collected from anyone in the EU and ensures that personal data is not explointed, is deleted upon demand and is only used as long as the individual consents (source: ispartnersllc.com).


GDPR has a much broader scope of coverage than HIPAA. HIPAA’s main focus is on organizations and people that handle protected health information (PHI) in the United States. HIPAA is limited to PHI alone, while GDPR addresses all “sensitive personal data”, such as racial or ethic origin and religion. Healthcare providers already ensure the secure processing and handling of PHI under HIPAA, but under the GDPR this will need to be done with the active consent of any patient that is an EU resident. The big word here being “consent.” HIPAA doesn’t require active consent (source: blog.ipswitch.com).


PCI’s main focus is security and the protection of cardholder data; breaches, loss of data and identity theft for example. Only those uses that are part of the payment process are covered. The GDPR and PCI overlap on one type of data – the payment card data. If the cardholder is from the EU, then the GDPR would need to be complied with for all of these processes as well.

Data classification for GDPR, PCI & HIPAA Compliancy

Similarities of GDPR, PCI and HIPAA

The most obvious similarity of the GDPR, PCI and HIPAA is that all of them protect personal data.

Despite the differences in scale and scope of data collected, the GDPR, PCI and HIPAA often work together. PCI and HIPAA compliance can help you comply with the GDPR and the other way around.

Compliant with DATPROF Privacy

Data masking for GDPR compliance

Getting compliant to the GDPR means that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (source: gdpr-info.eu). This has a big impact on how you handle your test data.

We still come across organizations that use production data for testing and development purposes. However, giving testers and developers access to production data is far from ensuring appropriate security of the personal data. Using production data (with privacy sensitive data in it) for testing and development purposes increases the risk of accidental loss, destruction or damage. In short: you can’t use production data for testing and development purpose

Of course you want to test with data that is as production-like as possible to ensure high quality. DATPROF Privacy helps you to mask your privacy sensitive data and to replace your privacy sensitive data with synthetic test data. This way you can use production-like data, but without the privacy sensitive information in it.

Data masking for PCI DSS compliance

When you want to be PCI DSS compliant, you have to make sure that the cardholder’s data is protected. Actually, the approach for being PCI DSS compliant is the same as the approach for being GDPR compliant. You need to make sure that the cardholder’s data is not used for other than the intended purposes. That means no testing with cardholder’s personal data.

Using DATPROF Privacy you can mask the (privacy sensitive) cardholder’s data by creating a masking template with various masking rules and synthetic data generators. For example, you can generate synthetic credit card numbers, synthetic names and expiration dates. This way you ensure no privacy sensitive cardholder’s data is used for testing and development purposes, but you’re able to use production-like data.

How to get compliant by masking or generating test data

An extensive read on how to mask or synthetically generate test data to get compliant to privacy regulations.

Data masking for HIPAA compliance

As mentioned earlier, PHI is any demographic information that can be used to identify a patient or client of any organization which must be HIPAA compliant. Such information can for example be, names, geographical info, phone numbers, medical records, Health plan and many more.

Data masking is deigned to address data “at rest” in relational database management platforms e.g. Oracle, SQL Server. Or data could be masked in files like .csv and XML formats. Both solutions are defined as “static data maskers” because they either update the database in-situ or create a new copy of a file as output.

Data masking for HIPAA compliance

Download our free whitepaper about how to become HIPAA compliant.

Test data compliance tools

Discover & Learn

Discover your data and gain analytics of the data quality by profiling and analyzing your application databases.


Mask & Generate

Enable test teams with high quality masked production data and synthetically generated data for compliance.


Provision & Automate

Provide each team with the right test data using the self service portal or automate test data with the built-in API.


Book a meeting

Schedule a product demonstration with one of our TDM experts

Trial DATPROF Privacy

Full Platform Demo

45-minute session to discover the entire TDM platform with the help of a technical pre sales consultant.



What does GDPR mean?

General Data Protection Regulation. It is the primary law regulating how companies protect EU citizens’ (personal) data.

What does PCI DSS mean?

Payment Card Industry Data Security Standard. The PCI DSS (in short PCI) is not a law – it’s a standard required by credit card companies. The PCI aims to help businesses process card payments securely and reduce card fraud.

What does HIPAA mean?

Health Insurance Portability and Accountability Act. It regulates the use and disclosure of protected health information (PHI) in healthcare treatment, payment, and operations held by so-called covered entities (health plans, healthcare clearinghouses, and healthcare providers).

TDM Platform

The right test data in the right place at the right time. Masked, generated, subsetted, virtualized and automated at the push of a button.