Data Protection

The importance of protecting sensitive data in databases

Thursday May 5, 2022
4 min read
Dynamics 365 Data Protection
Throughout the lifecycle of your MS Dynamics AX/365 Finance & Operations application, your organization's IT team needs to copy entire databases for the use of developers, testers, and business users. This implies that real production data are handled and they need to be duly protected.

Day-to-day data handling

Apart from business users who need real data in their everyday work, there are, for example, test engineers. They are more interested in the mechanics and internal processes rather than the real values of the data, so dummy data are sufficient in most of their work. The same goes for developers. These groups are interested in anonymized or pseudonymized data. Database anonymization – data anonymization and pseudonymization This means that a copy of an entire database is created and is then dumped to another – test or reference – environment. In other words, bulk anonymization/pseudonymization on non-production environments is executed for test and development purposes. And sometimes for business needs.

Business users in need of anonymized data

Business users such as, for instance, an accountant, may wish to perform a risky operation on a test or reference environment rather than production. In such a case, they want to make double sure the operation is safe before going live with real data. It is, in fact, a good practice to test complex financial operations on a test environment whenever an operation is performed for the first time, for example, when you are anonymizing all transactions older than five years, which is a standard period for data anonymization. There may be other business needs such as when a single client is made up of several separate entities who share the same Microsoft Dynamics AX application. The application has a global address book, which allows you to share contractor data, and all the legal entities of this single client have the same ID number. You need to anonymize the data from the global address book for just one legal entity in the group, but not anonymize other entities. Since anonymization is irreversible, it needs to be thoroughly tested first, to see whether everything goes according to plan.

Beyond GDPR, PII, and other legislature

So clearly, apart from legislature such as GDPR and PII, there may be business reasons for database anonymization. Normally, data may be shared on a needs-only basis, but this is not all. You may also wish to restrict access to transactions carried out by your company for the testing team or the total sales volume of the largest distributors to the development team. Though you are not legally obliged to this, it may be a wise decision for business reasons, so that unauthorized people do not access such data.

So sensitive – personal data

Personal Data Anonymization – personal data anonymization or pseudonymization – is performed on the production environment – the data are selective or personal: extremely specific, conditional, and individual. And sometimes you may be requested to remove anything your database contains pertaining to a particular person or a group of people, but not an entire database. This is performed on the production environment. So, for this reason, the operation needs to be performed with utmost diligence. It is not possible to merely remove a single record, table or several records or tables. This is because of the interdependencies across database tables. It is as if you started removing nuts and bolts from a machine. Eventually, it collapses. So, a table removed entirely or even a single record in one place may disrupt validations and database integrity.

The right to be forgotten

Anyone of us may request to have our data removed. This you can’t really do, I mean, technically the whole database would collapse as mentioned above. But you can have your data pseudonymized. This means the original values of the data may later be retrieved. This is when the data need to be hashed or masked, so that they are not legible on the production environment. The data are, however, stored elsewhere with limited access. They may need to be retrieved for a potential future audit by the fiscal authorities or for an internal emergency check.

Do it well

Whatever the need – business or legal – data protection is crucial in any organization. If you’re using tools for data anonymization or pseudonymization, you need to make sure the operations they’re used for are performed with utmost care and scrutiny so as not to damage database integrity and coherence. One of the tools tailor-made for Microsoft Dynamics 365 FSCM is the Data Protection Suite. DPS anonymizes and pseudonymizes data efficiently and securely. See for yourself. 

Check also our e-boook Automatic Database Personal Data Protection.   
CONTACT US

We are proficient in solving complex tasks and challenges.

Our goal is an efficient response to unique customer needs. Our field of expertise is the implementation and development of solutions tailored to the specifics of dispersed, multinational organizations. We will be happy to help your business.

Let’s talk!

If you would like to discuss your needs concerning Microsoft Dynamics 365 (FSCM), please fill in the form below.
Hey there! 👋 What brought you to our site today?_
1