What is Data Masking?
Turkish: Veri Maskeleme
Data masking protects personal or sensitive production data in test, analytics, and support environments by replacing it with hidden or fake values.
What is Data Masking?
Data masking changes real personal, financial, or commercially sensitive data so unauthorized people cannot read the original values. The goal is to preserve data shape and testing usefulness while hiding fields such as identity numbers, phone numbers, emails, card numbers, or salaries.
For example, if developers need a copy of a production database to debug an issue, customer names and contact details can be replaced with realistic but fake values. The application can still be tested without exposing personal data unnecessarily.
Types of Masking
Masking can be static or dynamic. Static masking transforms a copy of the data before it is moved into a test environment. Dynamic masking hides values at query time based on the user’s permissions.
Common techniques include:
- Replacing characters with asterisks or similar symbols
- Generating realistic synthetic values
- Shuffling or remapping field values
- Tokenizing the real value into a separate secure store
- Showing only part of the value, such as the last four card digits
Risk and Compliance
Masking is not a complete security strategy by itself; it should be combined with access control, encryption, audit logging, and retention policies. Poor masking can still allow re-identification when multiple fields are correlated.
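The following is an added example, not part of the original page: a static masking pass that applies three of the techniques listed above (keyed remapping, partial masking, shuffling) and then checks whether untouched fields still single out individual rows. The sample rows, the key, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample rows standing in for a copy of a production table.
ROWS = [
    {"name": "Ayse Kaya", "card": "4111111111111111", "city": "Izmir", "birth_year": 1984, "salary": 52000},
    {"name": "Mehmet Demir", "card": "5500000000000004", "city": "Izmir", "birth_year": 1984, "salary": 61000},
    {"name": "Elif Sahin", "card": "4012888888881881", "city": "Ankara", "birth_year": 1990, "salary": 48000},
    {"name": "Can Yildiz", "card": "340000000000009", "city": "Bursa", "birth_year": 1961, "salary": 97000},
]
MASK_KEY = b"demo-only-key"  # assumption: a real key would come from a secret store


def pseudonym(value, prefix="user"):
    """Keyed, deterministic remapping: the same input always yields the same
    fake value, so joins between masked tables keep working."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:10]}"


def mask_card(card):
    """Partial masking: keep only the last four digits."""
    return "*" * (len(card) - 4) + card[-4:]


def mask_rows(rows, seed=0):
    """Static masking pass, run on the copy before it leaves production."""
    salaries = [r["salary"] for r in rows]
    random.Random(seed).shuffle(salaries)  # shuffle the column, keep its distribution
    return [
        {**r, "name": pseudonym(r["name"]), "card": mask_card(r["card"]), "salary": s}
        for r, s in zip(rows, salaries)
    ]


def unique_combinations(rows, fields):
    """Value combinations that occur exactly once; each one singles out a row."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return [combo for combo, n in counts.items() if n == 1]


if __name__ == "__main__":
    masked = mask_rows(ROWS)
    for row in masked:
        print(row)
    # city and birth_year were left untouched, so some rows are still unique.
    print("re-identifiable:", unique_combinations(masked, ["city", "birth_year"]))
```

Any combination the check returns needs further treatment, such as generalizing birth year to a range or dropping the field, before the copy is shared.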
In GDPR and KVKK contexts, test, reporting, and support workflows should minimize unnecessary access to personal data. Data masking is especially useful for outsourced teams, demo environments, and analytics work that does not require real identities.
Related Terms
GDPR regulates personal data processing for people in the EU and EEA, defining transparency duties, individual rights, and controller obligations.
KVKK is Turkey's Personal Data Protection Law, setting legal duties for how organizations process, store, and transfer personal data.