The clock is ticking, and worldwide efforts to comply with GDPR are well underway. The extensive set of regulations for the protection of EU citizens’ personal data will take effect in May 2018, approximately two years after it was penned by the European Parliament and the council of the European Union.
Its relevance resonates strongly in the wake of the multiple leaks and breaches of personal data across the globe in 2017, most notable among them the Equifax catastrophe that exposed 145 million Americans to potential identity theft.
Some Background
GDPR regulations apply not only to EU countries (including the UK, Brexit or not), but to any organization worldwide that collects or manages the personal identifiable information (PII) of EU citizens. The definition of PII is extensive, and includes everything from full names to browser cookies.
How does GDPR affect database developers and DBAs? Are you ready for GDPR? >>
Casting such a wide net forces compliance on many organizations that wouldn’t otherwise consider themselves handlers of sensitive information, and the looming threat of steep penalties has organizations worldwide scrambling to meet the regulation’s stringent guidelines.
Non-compliant organizations could face fees as high as €20 million or 4% of their annual global revenue, whichever is greater; small and young businesses could easily be forced into bankruptcy. If Google, for example, were to be found non-compliant with GDPR, it would have to shell out nearly €3 billion. Yikes. (And good luck, Google; you certainly collect a lot of PII!)
The GDPR document itself is excruciatingly long and detailed, spanning 88 pages and 92 articles. The main topics it addresses are consent, how data is to be collected, handled, stored and managed, the rights EU citizens have to access this data and their right to be forgotten.
Some of the language is purposely left vague, such as multiple references to taking “reasonable” and “appropriate” measures to ensure privacy and security. What constitutes “reasonable” or “appropriate” in the eyes of the EU is up for interpretation and can potentially pose a disadvantage for organizations the EU chooses to audit.
Enforcing Database GDPR Compliance
Most databases, by nature, contain extensive amounts of what the EU considers PII; for that reason, anyone who comes in contact with these databases will fall under the GDPR’s definition of a “data processor”, who is responsible (and accountable!) for implementing and upholding compliance.
In this context, data processors can include developers, DBAs, QA engineers, release managers, DevOps engineers, and database architects, to name a few.
Well enforced policies for who can access and use data, as well as what tools are used to do so, are an important part of compliance. Organizations can meet the GDPR’s compliance demands by enforcing security measures, defining permissions and creating an audit trail for the database.
DBmaestro’s DevOps Platform helps enforce policy compliance in the database by enabling organizations to:
- Create and enforce roles. Without the proper authority, access is denied and changes cannot be made to database objects or structures.
- Determine and enforce organizational policy and prevent unauthorized and non-policy changes to the database.
- Produce a deep audit trail that outlines who did what, when they did it, and why it was done.
- Respond to attempts at unauthorized changes. While blocked, records of attempts of unauthorized changes are created and severe attempts can be flagged and alert notifications can be automatically issued.
Let’s take a closer look at how DBmaestro can help businesses achieve database GDPR compliance:
Roles and Permissions
With roles and permissions set in place in advance, DBmaestro’s DevOps Platform prevents unauthorized access. Any attempts by unauthorized parties to access or make changes to the database are denied, and a thorough history of such events is logged. Overseers can view who attempted to make changes and what DDL scripts failed due to insufficient permissions.
Alerts can be configured according to severity, to raise immediate attention to suspected malicious activity or breaches.
Loss and Alteration of Data
GDPR not only covers how PII is stored and secured, but also sets parameters for maintaining the integrity of the data. Serving this need, DBmaestro’s DevOps Platform incorporates a unique mechanism for drift prevention.
When changes are pushed from one environment to the other, DevOps Platform alerts the designated authority to configuration drift that might result from hotfixes or out-of-process changes. Drift detection prevents unintentional loss or alteration of your data and accidental changes to the way it’s processed.
Demonstrable Security Measures
In GDPR, the “controller” in an organization is defined as:
“… the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”.
Article 24 of GDPR requires controllers to demonstrate the security measures put in place to ensure compliance. The roles and permissions implemented via DevOps Platform enable controllers to keep track of and demonstrate the organizational measures put in place for compliance.
Should an organization be audited by the EU for GDPR compliance, a detailed list of roles, as well as a complete audit of all activities and changes made in the database can be used as documentation of activity.
Check out our webinar recap on drift security. Everything you need to know is in the next article.
Time is Running Out
Your organization has likely been making strenuous efforts to meet GDPR standards in time. Make sure you’re employing the “reasonable” and “appropriate” measures to maximize the protection of your data and the PII under your care. There’s no question that it’s in your organization’s best interest to stay on the EU’s good side.
