Documentation for GDPR best practices for partially masking email addresses

There is no official guidance because this is not a GDPR-enforced requirement. GDPR does not regulate specific security measures beyond making recommendations about what you should consider. Since you are considering doing something like that, you in theory should do a Data Protection Impact Assessment to identify what levels of risk may be associated with your situation and then decide on how to proceed.

Generally, using [email protected] turned into u******[email protected] is perfectly fine for most cases, since the domain name does not identify a person. However, if your specific intent is to also protect domain names (which, again, is something determinable by doing a Data Protection Impact Assessment), then you could extend the protection to a format also covering the domain: u******e@p******r.com.


GDPR is more restrictive than the US definition of PII, in that non-PII that allows any inference of identities is also under GDPR jurisdiction.

I doubt the given masking examples will withstand a GDPR audit. Replace the email address with an obvious placeholder (e.g. [email protected]); that is what everyone is doing.

Partial masking is weak in privacy, e.g. s****@provider.com can easily be inferred to be [email protected] if smith is the only name starting with the character 's' using an @provider.com address.

Even domain masking is not enough, since a hidden mapping of a domain name can be created to reverse-match the masked domain name, e.g. p***r.*** maps to provider.com.

This also extends to other conditions such as gender and age. It is not difficult to identify that it is the 35-year-old Smith when the data stores ****@p*****.*** next to age and gender and there is only one 35-year-old Smith inside the database.
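
An added example, not part of either answer: a uniqueness check a data owner could run over their own records as input to the Data Protection Impact Assessment, listing the records that a masked e-mail (alone, or together with fields stored beside it) still singles out. The mask functions, the field names and the sample records are constructed assumptions.

```python
from collections import Counter

def mask_part(s):
    # Keep first and last character, star the rest (length-preserving: an assumption).
    return "*" * len(s) if len(s) <= 2 else s[0] + "*" * (len(s) - 2) + s[-1]

def mask_local(email):
    # Mask only the local part; the domain stays readable.
    local, domain = email.rsplit("@", 1)
    return f"{mask_part(local)}@{domain}"

def mask_local_and_domain(email):
    # Also mask the first domain label; everything after the first dot is kept.
    local, domain = email.rsplit("@", 1)
    label, _, rest = domain.partition(".")
    return f"{mask_part(local)}@{mask_part(label)}.{rest}"

def singled_out(records, mask, extra_fields=()):
    """Records whose masked e-mail, combined with any extra fields stored
    next to it, is unique in the data set (anonymity set of size 1)."""
    def key(r):
        return (mask(r["email"]),) + tuple(r[f] for f in extra_fields)
    sizes = Counter(key(r) for r in records)
    return [r for r in records if sizes[key(r)] == 1]

# Constructed sample records, not real data.
RECORDS = [
    {"email": "smith@provider.example", "age": 35, "gender": "m"},
    {"email": "smyth@provider.example", "age": 52, "gender": "f"},
    {"email": "scott@provider.example", "age": 35, "gender": "m"},
    {"email": "jones@provider.example", "age": 41, "gender": "f"},
    {"email": "james@provider.example", "age": 41, "gender": "f"},
]

if __name__ == "__main__":
    for name, mask, extra in [
        ("local part masked", mask_local, ()),
        ("local part and domain masked", mask_local_and_domain, ()),
        ("local part and domain masked, with age and gender",
         mask_local_and_domain, ("age", "gender")),
    ]:
        hits = singled_out(RECORDS, mask, extra)
        print(f"{name}: {len(hits)} of {len(RECORDS)} records singled out")
```

Masking the domain does not change the count here because every sample record shares one domain; adding age and gender is what shrinks the anonymity sets.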
