The GDPR (General Data Protection Regulation), introduced a year ago, is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA, and carries potentially huge fines for non-compliance (4 per cent of annual worldwide turnover or nearly £20 million — whichever is higher). It’s sparking a fundamental rethink of security and compliance, and for a database administrator (DBA) this can be a challenging change to understand and adapt to.
DBAs are finding themselves on the front lines of protecting data, which is affecting their other daily roles and responsibilities. Unless DBAs and their teams, working in partnership with a Data Protection Officer (DPO), take the time to understand the sensitive data across their systems, their company runs the risk of being non-compliant, leaving it exposed to internal and external threat vectors and vulnerable to fines.
So, what do today’s DBAs need to ask themselves to ensure the data they are responsible for is properly managed, secure, and not exposed to threat vectors in light of evolving compliance requirements?
Here are five questions for DBAs to think about:
1. Do you know where your personal and sensitive data lives?
GDPR introduced a new concept called Privacy by Design that requires a fresh look at how businesses should design their systems, with data privacy as a priority. The first question to ask yourself to ensure your business is protected is where personal and sensitive data exists in your databases.
More importantly, make sure you know what constitutes personal and sensitive data so you can properly account for it. GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In simple terms, personal data can range across a spectrum of data, and can include, but is not limited to:
- Biographical — date of birth, email address, phone number
- Physical — eye and hair colour, weight, height, gender
- Work — salary, tax
- Cultural — religion, political affiliation, leisure activities
- Health — medical history, genetic
“Sensitive personal data” has a specific meaning under GDPR, but you may have other “sensitive” data outside the scope of GDPR that also needs to be identified and protected such as financial and accounting records, purchasing contracts, etc.
If your business has customers and end users in the EU, make sure you know where your personal and sensitive data lives and that you’re defining it properly to be prepared for compliance.
2. Does your company have a dedicated Data Protection Officer?
GDPR is the most stringent data regulation to date, and it specifies multiple roles, such as data controller, data processor, sub-processor and data subject, to ensure a company complies with all regulatory requirements.
Does your company have a dedicated “Data Protection Officer”, whose role it is to act as an independent authority on GDPR and assist data controllers (who may be DBAs), data processors, etc.? While the DPO role is only mandatory for certain organisations (and you may be able to demonstrate that you don’t require one), it may be helpful to at least identify who would be responsible for that task if and when it’s needed.
The DBA will need to work with the appointed DPO as they are tasked with identifying personal data in your systems and implementing the appropriate data protection measures.
3. Are your systems built for automation and with data security in mind?
GDPR mandates that data controllers perform data protection impact assessments when certain types of processing of personal data are likely to present a “high risk” to the data subject. Each assessment must include a systematic and extensive evaluation of the organisation’s processes and profiles, including how they safeguard the personal data.
As a DBA, you should treat data privacy and security risks as a rapidly growing concern, for a few reasons:
- Enterprise databases likely contain personal and other sensitive data.
- Databases are a primary target for malicious actors attempting a data breach.
- Most regulations specifically prescribe methods and techniques that must be used for databases.
- The DBA is often primarily responsible for implementing compliance controls and technical measures for protecting data.
When you’re adjusting for GDPR and other data regulation requirements, it’s helpful to automate the discovery of sensitive data across all your databases and to have a tool, process or system running reports for you.
Your goal is to monitor that data in real time and to notify database developers of potential breaches before they deploy schema and code changes into production systems.
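To make the discovery step in questions 1 and 3 concrete, here is an added example (not from the article or from any Quest product) that scans a SQLite schema for column names suggesting the personal-data categories listed under question 1. The sample schema and the name patterns are constructed for illustration and should be tuned to your own naming conventions.

```python
import re
import sqlite3

# Column-name patterns suggesting the personal-data categories from question 1.
# Constructed for this example; extend them to match your own naming conventions.
PERSONAL_DATA_PATTERNS = {
    "biographical": re.compile(r"dob|birth|email|phone|mobile|first_?name|last_?name|surname", re.I),
    "physical": re.compile(r"gender|height|weight|eye_?colou?r|hair_?colou?r", re.I),
    "work": re.compile(r"salary|tax|payroll", re.I),
    "cultural": re.compile(r"religion|political|ethnicity", re.I),
    "health": re.compile(r"medical|diagnosis|genetic|health", re.I),
}

def build_sample_db():
    """Constructed in-memory schema standing in for a real application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, first_name TEXT, email TEXT, dob TEXT, country TEXT);
        CREATE TABLE employees (id INTEGER, surname TEXT, salary REAL, religion TEXT);
        CREATE TABLE orders (id INTEGER, customer_id INTEGER, total REAL);
    """)
    return conn

def discover_personal_data(conn):
    """Return (table, column, category) for every column whose name matches a pattern.
    A name match is only a lead: confirm by sampling the data before classifying it."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for _, column, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            for category, pattern in PERSONAL_DATA_PATTERNS.items():
                if pattern.search(column):
                    findings.append((table, column, category))
                    break
    return findings

if __name__ == "__main__":
    for table, column, category in discover_personal_data(build_sample_db()):
        print(f"{table}.{column}: {category}")
```

The same scan can be pointed at any database that exposes its catalogue (information_schema on most engines), and the resulting inventory is what the audit example later in this article uses to decide which tables to watch.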
4. Are you equipped to prevent personal data breaches?
There are two main ways to protect personal data: pseudonymisation and anonymisation.
Pseudonymisation enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers, or pseudonyms. There can be one pseudonym for a collection of replaced fields or one pseudonym per replaced field.
Methods for pseudonymisation include encryption and masking. Encryption is typically used to protect data as it is moved, and the data can be decrypted afterwards with the right key. Masking (and redaction) is often used for data at rest, for example in a non-production database where the data still needs to be usable for testing.
Anonymisation obscures personal data, for example by masking it. Once it is anonymised so that the individual is no longer identifiable, the data is safe, isn’t it? Not if the anonymisation process is reversible: if it can be reversed, it’s still personal data. The anonymisation method needs to be irreversible for the data to be truly anonymised, typically using masking or redaction.
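An added illustration of the distinction just described (example code, not the article’s own): pseudonymisation keeps a protected mapping so the controller can re-identify a record, while the anonymised copy keeps no mapping at all. It uses a keyed hash token plus a separate mapping rather than encryption; the records and the key are constructed.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a customer table.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "dob": "1984-03-09"},
    {"id": 2, "email": "bob@example.org", "dob": "1991-11-21"},
]

def pseudonymise(records, key):
    """Replace the identifying field by a keyed token and keep the mapping
    separately, so the controller can re-identify when it legitimately must.
    The output is still personal data under GDPR while the mapping exists."""
    mapping, out = {}, []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = rec["email"]   # the re-identification key: store and protect it apart from the data
        out.append({**rec, "email": token})
    return out, mapping

def reidentify(pseudonymised, mapping):
    """Reverse pseudonymisation using the protected mapping."""
    return [{**rec, "email": mapping[rec["email"]]} for rec in pseudonymised]

def anonymise(records):
    """Irreversible masking and redaction for a non-production copy: the address
    is replaced outright and the date of birth is reduced to its year. No mapping
    is kept. The row id is retained for referential integrity in test data; if it
    can be joined back to production it is an indirect identifier and must be re-keyed too."""
    return [{**rec, "email": f"user{i}@masked.invalid", "dob": rec["dob"][:4] + "-XX-XX"}
            for i, rec in enumerate(records, start=1)]

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; in practice the key comes from a secrets store
    pseudo, mapping = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("re-identified matches original:", reidentify(pseudo, mapping) == RECORDS)
    print("anonymised:", anonymise(RECORDS))
```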
Whichever approach you take, make sure your system is equipped with the best data protection features for the job.
5. Do you know how to monitor data for potential breaches — when data is constantly moving?
Traditionally, data has been stored in one place — the database — with backup copies on physical media, usually held in a different location, from which it can be restored in the event of data loss.
But in this era of data protection strategies that include high availability (HA) and disaster recovery (DR) systems, data is continuously replicated to other locations and to the cloud (DBaaS or IaaS). That continuous movement makes it difficult to identify and protect personal data — especially as DevOps and cloud initiatives are built on continuous movement.
To combat this, it’s important to ask yourself: do you have monitoring tools in place for your HA, DR, cloud and DevOps systems?
With database activity monitoring and auditing tools, you can monitor and track important aspects of user behaviour including the following types of operations:
- DML (SELECT, INSERT, UPDATE, DELETE) — where such operations may involve sensitive data
- DDL — structural changes to database objects
- DCL — changes to user access rights
- TCL — transaction control
With tools monitoring at those levels, you’ll have a better chance of detecting the potential for data to end up where you don’t want it — and even of preventing that from happening at all.
Even if you think your business isn’t immediately impacted by GDPR, it’s worth knowing that it affects the vast majority of companies that handle any personal data of EU citizens.
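As an added example (not from the article), the following classifies constructed audit-log lines into the four statement types above and flags DML, DDL and DCL that touch tables a discovery scan has marked as holding personal data. The log lines, user names and table names are all invented for illustration.

```python
import re

# The four statement classes from the list above; the leading keyword decides.
CATEGORIES = {
    "DML": {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"},
    "DDL": {"CREATE", "ALTER", "DROP", "TRUNCATE"},
    "DCL": {"GRANT", "REVOKE"},
    "TCL": {"COMMIT", "ROLLBACK", "SAVEPOINT", "BEGIN"},
}
# Tables a discovery scan marked as holding personal data (constructed).
SENSITIVE_TABLES = {"customers", "employees"}

# Constructed audit lines in the form "<timestamp> <db user> <statement>".
AUDIT_LOG = """\
2019-05-20T09:01:12Z app_svc SELECT id, total FROM orders WHERE id = 42
2019-05-20T09:02:40Z jsmith SELECT email, dob FROM customers
2019-05-20T09:03:05Z jsmith GRANT SELECT ON customers TO reporting
2019-05-20T09:04:17Z deploy ALTER TABLE employees ADD COLUMN notes TEXT
2019-05-20T09:04:18Z deploy COMMIT
2019-05-20T09:05:00Z etl_job INSERT INTO customers_backup SELECT * FROM customers
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def classify(statement):
    """Map a statement to DML/DDL/DCL/TCL by its first keyword."""
    verb = statement.split(None, 1)[0].upper()
    for category, verbs in CATEGORIES.items():
        if verb in verbs:
            return category
    return "OTHER"

def sensitive_tables_in(statement):
    """Sensitive table names appearing as whole identifiers in the statement."""
    identifiers = set(re.findall(r"[A-Za-z_]+", statement.lower()))
    return sorted(identifiers & SENSITIVE_TABLES)

def review_audit_log(log):
    """One finding per line; flag DML/DDL/DCL against personal-data tables."""
    findings = []
    for line in log.splitlines():
        timestamp, user, statement = LINE_RE.match(line).groups()
        category = classify(statement)
        tables = sensitive_tables_in(statement)
        findings.append({"time": timestamp, "user": user, "category": category,
                         "sensitive_tables": tables,
                         "flag": bool(tables) and category in ("DML", "DDL", "DCL")})
    return findings
```

Running review_audit_log(AUDIT_LOG) flags the read of customer e-mails, the new grant on customers, the schema change on employees and the copy of customers into a backup table, while the orders query and the commit pass unflagged; a real deployment would feed the flagged findings to the notification step described under question 3.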
Ultimately, the quicker you act on asking yourself the right questions, the quicker and more prepared you’ll be for maintaining business operations — while your competition scrambles to adapt.
John Pocknell, Senior Solutions Product Marketing Manager, Quest