A Dynamic Data Masking solution from Affecto protects sensitive information for Santander’s banking customers without impacting existing databases or applications

For today’s enterprise, protection of personal, sensitive information has become an ever stricter regulatory requirement of the digital world. Santander Consumer Bank enlisted the help of Affecto to develop a dynamic data masking solution that protects customers’ privacy in compliance with existing as well as future regulations, and without impacting existing databases and applications.

– Characteristically, privacy regulation arrives quickly, makes demands requirements, and its rules are absolute, says Affecto solutions developer Espen Jorde.

– Only the bank’s employees who have a directly work-related need can be allowed access to personal customer information; For other employees anonymized information must replace sensitive data such as name, date of birth or zip code. The challenge is to provide authorized users with exactly the access they need to clients’ personal information and no more, no less.

Privacy regulations also define how long the bank may keep the data, and procedures for how stored information should be erased. For example, a Marketing department should be able to see only personal data for active customers, whereas the Risk department must take a longer-term view in their risk valuations and therefore need to see historic client data for a longer period of time.

In addition, certain individual customers of the bank may have special reasons and requirements for discretion, for example due to political position or celebrity status, for example by masking identifying information such as age or zip code in a report view.


Changing existing IT bank solutions is usually both costly and time-consuming; changing tried and trusted user applica-tions is also often usually undesirable. Instead, Santander Consumer Bank chose a solution based on the new Informatica Dynamic Data Masking platform.

– The solution developed by Affecto is placed as a layer of «rules» between the existing database and user applications. It provides fast and inexpensive implementation, meets the requirements of privacy and is easily adaptable to new regulation, for example when national regulations are extended to the rest of the EU, says Oddrunn Moen, Director Business Intelligence IT Nordic in Santander.

The solution enables logging of database queries, easily limited to personal data if so desired, to ensure that data are only retrieved for business purposes.


– The solution to Santander’s Data Masking challenge is to place a rule “engine” as a layer between the database and the user or application. This makes it easy for us to implement changes in the rules according to new needs or regulations without the need to change neither the database nor the reports, says Espen Jorde.

The better control the enterprise maintains over its data, the easier and quicker it is to implement dynamic data masking in its solutions. For Santander, the solution took only around four months to develop. Placing the solution as a layer between the databases and for example reporting applications, development time is significantly shorter than other alternatives.

– The challenge is to carry out a thorough data analysis, which is part of what Affecto has done in this project, says Oddrunn Moen, Director Business Intelligence IT Nordic, Santander.

Privacy legislation is in constant change, and we expect them to grow even stricter, says Espen Jorde. Informatica Dynamic Data Masking is the first tool we have used that solves these challenges without impacting databases or applications.