Sensitive data

Medallia Experience Cloud collects and maintains Sensitive data (also known Personally identifiable data, Personally identifiable information, or PII) of feedback respondents and users (company employees). This data includes, but is not limited to, name, email address, and phone number.

To help protect personal privacy and to comply with government regulations, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), and others, Experience Cloud provides the ability to mask sensitive data from users without the proper authorization to see that data.

Sensitive data masking affects Experience Cloud features and content with comment fields, such as surveys, Medallia Social Feedback, Medallia for Digital, Medallia Conversations, Medallia Zingle, Medallia Speech, chat logs, case notes, and so on. When a feedback record is created in Experience Cloud, or when historical processing is run on existing records, sensitive data rules are applied to eligible comment fields. If these rules identify words or phrases, they are tagged as sensitive data, and are masked in reports and exports. For example:

Masked data in comments

The original, unmasked data remains in the Experience Cloud database. This means that other processing (such as that done by Medallia Text Analytics and Action Intelligence powered by Medallia Athena) can be performed without issue. This also means that users can search in reports for masked words. If you want to generate a list of all records with masked data, search for records with a PII regions flag (a_pii_regions_flag) field value of Yes.

Experience Cloud masks data according to rules you create. Each rule masks either a known Dictionary of words or a Pattern (Regular Expression or RegEx) of words that might appear in comment fields.

Important: When using RegEx to establish a pattern of words to be marked as sensitive, ensure that your expressions are compatible with RE2 and Go. For more information, see GitHub page for RE2 Syntax and Golang.

The Medallia Setup interface provides a less detailed method for masking data. For more information, contact your Medallia expert.

Support in reporting

Sensitive data is masked in the following reports and dashboard modules.

You can search for text that has been masked. The text remains masked in your search results.

When any part of a comment in a record includes text that is marked as sensitive data, the a_pii_regions field for that record is Yes. Use this field in filters to find records that include masked sensitive data.

When a new feedback record that includes a comment field marked to be scanned for sensitive data, that comment is fully masked until sensitive data processing has completed. Historical data that has not yet been processed includes a Sensitive Data Processing icon, as shown in the following image:

Masked sensitive data

Important: Enabling a field for sensitive data, or changing the settings for an existing field does not mask or change the mask of existing records. Always run a historical process task after creating or changing rules.

Roles with View Sensitive Data reporting permission can view, but not correct, data for fields marked as containing sensitive data, and roles with Edit Sensitive Data reporting permission can view and correct data for fields marked as containing sensitive data.

Note: If your company uses Text Analytics, note that terms identified as sensitive are not masked in the Keywords sections of reports that show verbatim comments, such as Responses Form and Responses Feed.

Native and translated languages

Sensitive data rules are applied to languages as specified by your Text Analytics configuration. For a language configured to be processed in its native language, sensitive data rules for that language are applied to the native text. For a language configured to have its translated text processed, sensitive data rules for that language are applied to the English text.