The clock is ticking, and worldwide efforts to comply with GDPR are well underway. The extensive set of regulations for the protection of EU citizens’ personal data will take effect in May 2018, approximately two years after it was penned by the European Parliament and the council of the European Union.
Its relevance resonates strongly in the wake of the multiple leaks and breaches of personal data across the globe in 2017, most notable among them the Equifax catastrophe that exposed 145 million Americans to potential identity theft.
GDPR regulations apply not only to EU countries (including the UK, Brexit or not), but to any organization worldwide that collects or manages the personally identifiable information (PII) of EU citizens. The definition of PII is extensive, and includes everything from full names to browser cookies.
Casting such a wide net forces compliance on many organizations that wouldn’t otherwise consider themselves handlers of sensitive information, and the looming threat of steep penalties has organizations worldwide scrambling to meet the regulation’s stringent guidelines.
Non-compliant organizations could face fines as high as €20 million or 4% of their annual global revenue, whichever is greater; small and young businesses could easily be forced into bankruptcy. If Google, for example, were to be found non-compliant with GDPR, it would have to shell out nearly €3 billion. Yikes. (And good luck, Google; you certainly collect a lot of PII!)
The GDPR document itself is excruciatingly long and detailed, spanning 88 pages and 92 articles. The main topics it addresses are consent; how data is to be collected, handled, stored and managed; the rights EU citizens have to access this data; and their right to be forgotten.
Some of the language is purposely left vague, such as multiple references to taking “reasonable” and “appropriate” measures to ensure privacy and security. What constitutes “reasonable” or “appropriate” in the eyes of the EU is up for interpretation and can potentially pose a disadvantage for organizations the EU chooses to audit.
Most databases, by nature, contain extensive amounts of what the EU considers PII; for that reason, anyone who comes in contact with these databases will fall under the GDPR’s definition of a “data processor”, who is responsible (and accountable!) for implementing and upholding compliance.
In this context, data processors can include developers, DBAs, QA engineers, release managers, DevOps engineers, and database architects, to name a few.
Well-enforced policies for who can access and use data, as well as what tools are used to do so, are an important part of compliance. Organizations can meet the GDPR's compliance demands by enforcing security measures, defining permissions and creating an audit trail for the database.
Let’s take a closer look at how DBmaestro can help businesses achieve database GDPR compliance:
With roles and permissions set in place in advance, DBmaestro’s DevOps Platform prevents unauthorized access. Any attempts by unauthorized parties to access or make changes to the database are denied, and a thorough history of such events is logged. Overseers can view who attempted to make changes and what DDL scripts failed due to insufficient permissions.
Alerts can be configured according to severity, to raise immediate attention to suspected malicious activity or breaches.
GDPR not only covers how PII is stored and secured, but also sets parameters for maintaining the integrity of the data. Serving this need, DBmaestro’s DevOps Platform incorporates a unique mechanism for drift prevention.
When changes are pushed from one environment to another, DevOps Platform alerts the designated authority to configuration drift that might result from hotfixes or out-of-process changes. Drift detection prevents unintentional loss or alteration of your data and accidental changes to the way it's processed.
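Schema drift of the kind described above can be checked with a snapshot-and-compare routine. This is an added example, not DBmaestro's own mechanism: it uses SQLite in memory, a constructed baseline schema standing in for what the release pipeline deployed, and a constructed out-of-process hotfix that adds a tracking_cookie column (itself PII under GDPR's broad definition).

```python
import sqlite3

# Constructed baseline: the schema the release pipeline believes is deployed.
BASELINE_DDL = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT NOT NULL, email TEXT NOT NULL);
"""
# Constructed out-of-process hotfix applied straight to the target, bypassing the pipeline.
HOTFIX_DDL = "ALTER TABLE customers ADD COLUMN tracking_cookie TEXT;"


def schema_snapshot(conn):
    """Return {table: {column: (type, not_null, pk)}} read from SQLite's catalog."""
    snap = {}
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        # PRAGMA table_info columns: cid, name, type, notnull, dflt_value, pk
        cols = conn.execute(f"PRAGMA table_info('{table}')").fetchall()
        snap[table] = {c[1]: (c[2], bool(c[3]), bool(c[5])) for c in cols}
    return snap


def detect_drift(baseline, actual):
    """Return a list of differences between two snapshots; an empty list means no drift."""
    findings = []
    for table in sorted(set(baseline) | set(actual)):
        if table not in actual:
            findings.append(f"table dropped: {table}")
        elif table not in baseline:
            findings.append(f"table added out of process: {table}")
        else:
            b_cols, a_cols = baseline[table], actual[table]
            for col in sorted(set(b_cols) | set(a_cols)):
                if col not in a_cols:
                    findings.append(f"column dropped: {table}.{col}")
                elif col not in b_cols:
                    findings.append(f"column added out of process: {table}.{col}")
                elif b_cols[col] != a_cols[col]:
                    findings.append(f"column definition changed: {table}.{col}")
    return findings


def run_check():
    """Build the expected schema and a drifted target in memory, then compare them."""
    expected = sqlite3.connect(":memory:")
    expected.executescript(BASELINE_DDL)
    target = sqlite3.connect(":memory:")
    target.executescript(BASELINE_DDL + HOTFIX_DDL)
    return detect_drift(schema_snapshot(expected), schema_snapshot(target))
```

Calling run_check() on the constructed data returns a single finding, the out-of-process tracking_cookie column; in practice the baseline snapshot would come from the version-controlled schema and the actual one from the target environment.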
In GDPR, the “controller” in an organization is defined as:
“… the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data...”.
Article 24 of GDPR requires controllers to demonstrate the security measures put in place to ensure compliance. The roles and permissions implemented via DevOps Platform enable controllers to keep track of and demonstrate the organizational measures put in place for compliance.
Should an organization be audited by the EU for GDPR compliance, a detailed list of roles, as well as a complete audit of all activities and changes made in the database, can be used as documentation of activity.
Your organization has likely been making strenuous efforts to meet GDPR standards in time. Make sure you're employing the “reasonable” and “appropriate” measures to maximize the protection of your data and the PII under your care. There's no question that it's in your organization's best interest to stay on the EU's good side.