Where Do You Stand on GDPR Database Security?

Any business which serves, or is served by, the EU market must meet General Data Protection Regulation (GDPR) database requirements. However, a shocking number of companies have yet to implement this compulsory measure, and some have already paid the price for neglecting GDPR database security. This is astonishing, considering the numerous tools and processes that can make the transition to a GDPR compliant database relatively painless.

GDPR Database Security Basics

GDPR includes various principles that must be evident in the way that companies handle any and all personal data (hereafter, “data”). An organization must place limits on the type of data it holds, and how long it stores it; data must be legally obtained and accurate; it must be stored securely in a GDPR compliant database and accessed only by approved individuals; and it must be organized and easily accessible.


From an operational point of view, GDPR requires numerous steps (simplified for length):

  • Appointing a data protection officer
  • Informing customers about implementation
  • Ensuring privacy notices are up to date
  • Designing a data breach plan
  • Collecting, auditing, and analyzing existing data (and purging what’s extraneous)
  • Storing all data inventory through a unified and secure system
  • Checking that your system can track all data and accommodates GDPR rights

Do Ya Feel Lucky?

Wow. That’s a lot of steps to follow, and that equals expenses. In fact, the average Fortune 500 company pays $16 million to become ready for GDPR.

Of course, in light of the costs that most firms would prefer to minimize or totally avoid, the EU has decided that GDPR database security is definitely not optional. They have very clear penalties for non-compliance that go up to €20 million or 4% of annual turnover, whichever is higher. Oh, right – those penalties are per article, so if a firm violates multiple articles of the GDPR, they end up paying a lot more.

Still, a lot of companies must be feeling lucky, because, as of October 2019, almost 25% of them believe that they have a low level of GDPR readiness, according to a recent survey.


How's that Turning Out?

Not great, for many. According to the same survey, 46% of organizations responded that they experienced an average of two reportable data breaches after the commencement of GDPR. And, because GDPR requires firms to disclose such breaches within 72 hours of detection, there are definitely some red-faced executives and angry customers out there.

It’s interesting to note that, among the firms that have adopted the regulations, many feel as though implementation was easier than expected, except in one area – reporting data breaches. Experts explain that it was tough enough to conform to the old protocols, which (in the U.S.) allowed for weeks of time in which to announce a breach. Doing so within 72 hours is much more difficult, particularly for European companies, which tend to use internal IT staff to investigate incidents instead of external forensic vendors.

Moreover, beyond actual breaches, companies can be fined simply for not complying, and that has resulted in the disclosure of some pretty big names to date. So far, Google has been fined the largest amount, at €50 million. But even larger fines might be on the way, with Marriott International facing a €110 million judgment and British Airways looking at a €205 million fine (both cases pending). There’s even a website to track the excitement, and the list of transgressors gets longer all the time.

Avoid a GDPR Database Security Nightmare

One way to interpret the steps of GDPR implementation is by classifying them according to the ability of an enterprise to execute them independently. For example, appointing a data protection officer is something that a firm must do on its own. In contrast, storing all data inventory in a unified and secure system can be outsourced to a significant degree, particularly for companies that don’t want a dedicated team for this function. In such a case, turning to an experienced third-party provider saves time and allows the company to benefit from the expertise of the provider.

DBmaestro’s Database DevOps platform provides a range of tools that enable enterprises to adopt GDPR database requirements with its Security & Governance product suite. DBmaestro prevents unauthorized access by allowing managers to set roles and permissions so that any prohibited attempts to access or change the database are denied and logged. To immediately notify management of any suspected malicious activity or breaches, alerts can be set according to level of severity.

When it comes to data storage and security, DBmaestro uses a drift prevention mechanism that notifies management when any code modifications carried out between environments, such as hotfixes or out-of-process changes, may cause configuration drift. In this way, DBmaestro prevents unintentional data loss and alteration, as well as any unauthorized changes to the way data is processed.

Finally, DBmaestro’s Security & Governance products enable controllers to demonstrate that their organization is running a GDPR compliant database. In case of audit, a detailed list of roles and a full record of database activities and changes—complete with detailed information about those making and attempting to make changes—will provide vital documentation.
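As an added illustration of the controls described in this section (roles and permissions, denied attempts that are logged, alerts by severity, and an audit trail recording who did what, when and why), here is a self-contained Python sketch. It is example code written for this article, not DBmaestro's product or API; the role names, permissions, severity levels, thresholds and user names are all constructed for the example.

```python
"""Role-based access gate with an audit trail and severity-based alerting.

Illustrative code for this article only; it is not DBmaestro's product or API.
Roles, permissions, severities, thresholds and users are constructed examples.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed role -> permission map. A permission is "OPERATION:object".
# Least privilege: only the release and dba roles may alter production schema.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst":   {"SELECT:customer"},
    "developer": {"SELECT:customer", "ALTER:schema_dev"},
    "release":   {"SELECT:customer", "ALTER:schema_prod"},
    "dba":       {"SELECT:customer", "UPDATE:customer", "DELETE:customer",
                  "ALTER:schema_prod", "ALTER:schema_dev"},
}

# Severity assigned to a *denied* attempt, keyed by the operation attempted.
DENIAL_SEVERITY = {"SELECT": "low", "UPDATE": "medium",
                   "DELETE": "high", "ALTER": "high"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record: who did (or tried) what, when, and why."""
    who: str
    role: str
    what: str        # "OPERATION:object"
    when: str        # ISO-8601 UTC timestamp
    why: str         # justification / change ticket supplied by the caller
    allowed: bool
    severity: str    # "info" for allowed actions, else the denial severity


@dataclass(frozen=True)
class Alert:
    who: str
    what: str
    severity: str
    reason: str


class AccessGate:
    """Enforces ROLE_PERMISSIONS, logs every attempt, raises alerts on denials."""

    def __init__(self, user_roles: Dict[str, str],
                 alert_at_or_above: str = "medium",
                 repeated_denial_threshold: int = 3) -> None:
        self.user_roles = dict(user_roles)
        self.alert_at_or_above = alert_at_or_above
        self.repeated_denial_threshold = repeated_denial_threshold
        self.audit_log: List[AuditEntry] = []
        self.alerts: List[Alert] = []
        self._denials: Dict[str, int] = {}

    def request(self, who: str, operation: str, obj: str, why: str,
                now: Optional[datetime] = None) -> bool:
        """Return True if allowed. Every attempt is recorded; denials may alert."""
        role = self.user_roles.get(who, "none")       # unknown users get no role
        what = f"{operation}:{obj}"
        allowed = what in ROLE_PERMISSIONS.get(role, set())
        severity = "info" if allowed else DENIAL_SEVERITY.get(operation, "medium")
        when = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(AuditEntry(who, role, what, when, why, allowed, severity))

        if not allowed:
            count = self._denials.get(who, 0) + 1
            self._denials[who] = count
            if SEVERITY_RANK[severity] >= SEVERITY_RANK[self.alert_at_or_above]:
                # A single denied high-impact operation is alert-worthy on its own.
                self.alerts.append(Alert(who, what, severity, "denied high-impact operation"))
            elif count == self.repeated_denial_threshold:
                # Low-severity denials only alert once they repeat (possible probing).
                self.alerts.append(Alert(who, what, "medium", f"{count} denied attempts"))
        return allowed

    def denied_attempts(self, who: Optional[str] = None) -> List[AuditEntry]:
        """Audit view: all denied attempts, optionally filtered to one principal."""
        return [e for e in self.audit_log
                if not e.allowed and (who is None or e.who == who)]


if __name__ == "__main__":
    gate = AccessGate({"alice": "analyst", "bob": "dba"})
    gate.request("alice", "SELECT", "customer", "monthly report")
    gate.request("alice", "DELETE", "customer", "cleanup")      # denied, high alert
    for entry in gate.audit_log:
        print(entry)
    for alert in gate.alerts:
        print(alert)
```

The gate treats an unknown principal as having no role at all, so the default is deny; the audit entry still captures the justification the caller supplied, which is the "why" an auditor will ask for.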

Why a GDPR Compliant Database Is Good for Business

Any company involved in transactions related to the EU must fulfill the requirements of the General Data Protection Regulation (GDPR). This encompasses many aspects of operations, including the implementation of GDPR compliant databases. Although many firms only see the downside of GDPR database requirements, with surprisingly large numbers of them yet to fully adopt proper measures, there are actual advantages to maintaining GDPR database security standards.

Enjoy Better Data Security

GDPR database requirements include strict controls regarding authorized access to critical data, which makes it more difficult for bad actors to penetrate systems through identity theft, hacked passwords, etc.

Reducing the chance of an intentional database breach can have huge benefits. When a breach occurs, systems are usually disabled until the penetration is identified and eliminated, which translates into expensive downtime. Moreover, the breach itself can result in data theft and criminal activity that causes direct financial harm. But such attacks can be tough to commit against an enterprise that runs a GDPR compliant database. Therefore, GDPR database requirements do more than protect consumers and corporate clients – they also protect companies with GDPR compliant databases.


Minimize Reputation Risk

Some data breaches cause demonstrable damage to clients, while many (such as those attributed to employee mistakes) don’t result in obvious harm – except when it comes to reputation. According to GDPR database security rules, breaches must be reported, and when existing and potential clients find out, it can be a disaster. The effects of a tarnished name are difficult to calculate, but at least being able to prove that you took all the right steps will minimize the ramifications.

Reduce Data Maintenance Costs

GDPR database requirements impose certain restrictions on data-related applications and inventory. A GDPR compliant database must keep its data inventory and related software up to date, because legacy applications, by nature, do not receive security updates. Eliminating redundant or inefficient data storage means reduced maintenance costs through data consolidation and the increased use of universal formats. Although the initial consolidation process will require resources, it will also result in long-term savings.


Ease Adoption of New Technologies

The flipside of eliminating legacy data inventory software is the ability to adopt the most modern technology available while still maintaining a GDPR compliant database. Enterprises that are fully committed to current mainstays like cloud computing and IoT must also deal with the new security challenges that they pose. Luckily, various tools already exist to handle these challenges by monitoring log data and data transfers; administering network, device, and application file integrity; and by securing cloud-based operations. By adhering to GDPR database requirements, enterprises can facilitate the move to new technologies while reducing the security risks that they entail.

Improve Customer Focus

GDPR database security requires companies to purge client data that is redundant, obsolete, or trivial. In addition to eliminating storage costs for such data, this step also results in marketing resources that are probably more refined as the “dead wood” surrounding valuable customer data is cleared out. Moreover, GDPR necessitates that data be rendered globally searchable and indexed, so that customers can exercise their “right to be forgotten.” But organizing your customer data will also produce a more productive resource for your marketing people.

DBmaestro Delivers GDPR Benefits

DBmaestro can help firms make the transition to GDPR database requirements with its products for database security and governance. DBmaestro’s DevOps Platform helps establish a GDPR compliant database by enabling organizations to create and enforce roles, thereby denying anyone without the right security credentials both access to the database and the ability to change database objects and structures. DBmaestro will also guide you in determining and enforcing organizational policy to prevent unauthorized and non-policy changes to the database. DBmaestro’s GDPR database security processes leave a deep audit trail that traces who did what, when they did it, and why it was done. Finally, if someone tries to penetrate your system or make unauthorized changes, DBmaestro records such attempts and can be configured to automatically issue flags and alert notifications.