Any business which serves, or is served by, the EU market must meet General Data Protection Regulation (GDPR) database requirements. However, a shocking number of companies have yet to implement this compulsory measure, and some have already paid the price for neglecting GDPR database security. This is astonishing, considering the numerous tools and processes that can make the transition to a GDPR compliant database relatively painless.
GDPR Database Security Basics
GDPR includes various principles that must be evident in the way that companies handle any and all personal data (hereafter, “data”). An organization must place limits on the type of data it holds, and how long it stores it; data must be legally obtained and accurate; it must be stored securely in a GDPR compliant database and accessed only by approved individuals; and it must be organized and easily accessible.
From an operational point of view, GDPR requires numerous steps (simplified for length):
- Appointing a data protection officer
- Informing customers about implementation
- Ensuring privacy notices are up to date
- Designing a data breach plan
- Collecting, auditing, and analyzing existing data (and purging what’s extraneous)
- Storing all data inventory through a unified and secure system
- Checking that your system can track all data and accommodates GDPR rights
Do Ya Feel Lucky?
Wow. That’s a lot of steps to follow, and that equals expenses. In fact, the average Fortune 500 company pays $16 million to become ready for GDPR.
Of course, in light of the costs that most firms would prefer to minimize or totally avoid, the EU has decided that GDPR database security is definitely not optional. They have very clear penalties for non-compliance that go up to €20 million or 4% of annual turnover, whichever is higher. Oh, right – those penalties are per article, so if a firm violates multiple articles of the GDPR, they end up paying a lot more.
Still, a lot of companies must be feeling lucky, because, as of October 2019, almost 25% of them believe that they have a low level of GDPR readiness, according to a recent survey.
How‘s that Turning Out?
Not great, for many. According to the same survey, 46% of organizations responded that they experienced an average of two reportable data breaches after the commencement of GDPR. And, because GDPR requires firms to disclose such breaches within 72 hours of detection, there are definitely some red-faced executives and angry customers out there.
It’s interesting to note that, among the firms that have adopted the regulations, many feel as though implementation was easier than expected, except in one area – reporting data breaches. Experts explain that it was tough enough to conform to the old protocols, which (in the U.S.) allowed for weeks of time in which to announce a breach. Doing so within 72 hours is much more difficult, particularly for European companies, which tend to use internal IT staff to investigate incidents instead of external forensic vendors.
Moreover, beyond actual breaches, companies can be fined simply for not complying, and that has resulted in the disclosure of some pretty big names to date. So far, Google has been fined the largest amount, at €50 million. But even larger fines might be on the way, with Marriott International facing a €110 million judgment and British Airways looking at a €205 million fine (both cases pending). There’s even a website to track the excitement, and the lists of transgressors gets longer all the time.
Avoid a GDPR Database Security Nightmare
One way to interpret the steps of GDPR implementation is by classifying them according to the ability of an enterprise to execute them independently. For example, appointing a data protection officer is something that a firm must do on its own. In contrast, storing all data inventory in a unified and secure system can be outsourced to a significant degree, particularly for companies that don’t want a dedicated team for this function. In such a case, turning to an experienced third-party provider saves time and allows the company to benefit from the expertise of the provider.
DBmaestro provides a range of tools that enable enterprises to adopt GDPR database requirements with its Security & Governance product suite. DBmaestro prevents unauthorized access by allowing managers to set roles and permissions so that any prohibited attempts to access or change the database are denied and logged. To immediately notify management of any suspected malicious activity or breaches, alerts can be set according to level of severity.
When it comes to data storage and security, DBmaestro uses a drift prevention mechanism that notifies management when any code modifications carried out between environments, such as hotfixes or out-of-process changes, may cause configuration drift. In this way, DBmaestro prevents unintentional data loss and alteration, as well as any unauthorized changes to the way data is processed.
Finally, DBmaestro’s Security & Governance products enable controllers to demonstrate that their organization is running a GDPR compliant database. In case of audit, a detailed list of roles and a full record of database activities and changes—complete with detailed information about those making and attempting to make changes—will provide vital documentation.
