Let's Talk Data Security

Ready for GDPR: Non-Production Data Security

Written by James Watson | Aug 9, 2017 3:21:23 PM

My previous post explains how, with Data Sync Manager (DSM) and EPI-USE Labs, you can ensure that the data held in your non-production environments is proportional to its use, and therefore more compliant with Article 5 of GDPR. Of course, being proportionate is not the only method required to prove your compliance with GDPR; you can also consider obfuscating sensitive data. EPI-USE Labs is ready to assist here too.

From my research, Article 89 of GDPR deals with data security; this is a far-reaching topic, and rather than moving into network and security again, I’d like to focus on the SAP data and landscape.

Remove or scramble sensitive data?

The simple way to reduce your risk on data security is to remove the sensitive data which is of concern. Of course, simply removing the full data would mean you no longer have production quality data to test against. Instead, I recommend scrambling the sensitive parts of the data model but leaving the integration as is. Data Secure™ is a product that was developed by EPI-USE Labs specifically to mask data in SAP non-production systems.

Data Secure - pre-built Integrity maps

Based on the Objects already defined within Data Sync Manager, Data Secure maintains pre-built Integrity maps which detail the required data integration points to consistently affect sensitive data. These Integrity maps have already been designed for the most commonly transformed and sensitive data areas. Just a few examples include:

  • Employee – personal details, salary, payroll results, etc.
  • Customer – names, phone numbers and more
  • Business Partner – names, phone numbers and so on
  • Vendor – names, phone numbers, etc.
  • Addresses – identifying the country of the address and ensuring a consistent Post/ZIP code is used

As a customer using Data Secure, you would be able to choose which fields within each Object you wish to scramble and which you don’t, providing you the flexibility to obfuscate only the data needed to meet your requirements.

A bespoke solution

Of course, each of you will have customisations and extensions applied, which we are not aware of in our “default” model. To address this, we also deliver Data Discovery as part of the solution. This allows the EPI-USE Labs consultant to identify, through both Data Dictionary and data-level searches of the database, where a certain data item is maintained. This can then easily be added to the Integrity map, ensuring all areas of the system are kept consistent.

As well as the “Out of the box” Data Secure solution, our Services team is able to consult with you and define extensions or new Integrity Maps as required. For each map and data item within that map, you have the ability to select one of the following actions to consistently occur:

  1. Clear the field entirely
  2. Apply a fixed value to all entries
  3. Randomise the entry
  4. Provide a mapping table for the conversion
  5. Apply a user exit with custom scrambling code as per your requirement.

System integration

Data Secure also provides an integration to your other SAP instances, via RFC, so you can scramble consistently between systems. As an example, if you have both SRM and ECC in your environment and you wish to scramble the Bank Details for your Vendor, Data Secure will interrogate both ECC and SRM and apply the same scrambled value to each.
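The five field actions listed above and the cross-system consistency described here can be illustrated with a short added example; it is not Data Secure or EPI-USE Labs code. It assumes a keyed HMAC to make "randomise" repeatable across systems, and the field names, rule set, key and sample rows are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption): the same key must be used for every system.
MASKING_KEY = b"constructed-demo-key"

def keyed_digits(value, length, key=MASKING_KEY):
    """Deterministic digit string: same input and key always give the same output."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big")).zfill(length)[:length]

def mask_field(value, rule):
    """Apply one of the five actions from the list above to a single value."""
    action = rule["action"]
    if action == "clear":
        return ""
    if action == "fixed":
        return rule["value"]
    if action == "randomise":  # keyed, so two systems agree on the result
        return keyed_digits(value, len(value))
    if action == "mapping":
        return rule["table"].get(value, rule.get("default", ""))
    if action == "user_exit":
        return rule["func"](value)
    raise ValueError(f"unknown action: {action}")

def mask_records(records, rules):
    """Mask only the fields named in rules; keys and links stay untouched."""
    return [{f: mask_field(v, rules[f]) if f in rules else v for f, v in rec.items()}
            for rec in records]

# Hypothetical rule set; field names are illustrative, not SAP table fields.
RULES = {
    "bank_account": {"action": "randomise"},
    "phone": {"action": "clear"},
    "name": {"action": "fixed", "value": "MASKED VENDOR"},
    "country": {"action": "mapping", "table": {"DE": "XX"}, "default": "ZZ"},
    "email": {"action": "user_exit", "func": lambda v: "user@" + v.split("@")[-1]},
}

# Constructed sample rows: the same vendor as held in two systems.
ECC = [{"vendor_id": "100234", "name": "Acme GmbH", "bank_account": "4401998877",
        "phone": "+49 30 1234567", "country": "DE", "email": "ap@acme.example"}]
SRM = [{"vendor_id": "100234", "bank_account": "4401998877", "country": "FR"}]

if __name__ == "__main__":
    print(mask_records(ECC, RULES))
    print(mask_records(SRM, RULES))
```

Because the masked bank account is derived from the original value and the key, anyone holding the key can re-derive the mapping for a known input, so the key belongs outside the non-production systems.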

Best practice - and GDPR compliance

Making sure your non-production systems are secure is not only good practice in general, it will become more important than ever with the GDPR coming into effect on 25 May 2018. By leveraging our unique IP, the EPI-USE Labs Services team is able to slice, refresh and scramble your non-production environment. This allows you to work towards compliance with the non-production SAP data storage requirements of GDPR.


All of the items I’ve discussed so far have been in relation to managing your non-production environment. Of equal concern is addressing the Right to View, Change and Delete which comes into force with GDPR. In the next article, I will begin to describe how EPI-USE Labs can also assist with this.

If you want any further information please contact our GDPR specialist team at gdpr@labs.epiuse.com.