I am really not sure how many times I have been asked about GDPR compliance in recent months. You should bookmark this page and share it with your organization if you do business with the European Union or with firms based in the European Union.
Quite often I see an email in my mailbox with the following subject:
How to Make SQL Server GDPR Compliant?
Honestly, the question should not be how to make SQL Server GDPR compliant but how to make our business practices GDPR compliant. SQL Server is just a tool that helps us build our application. With that said, I do understand what users are asking when they ask the question above.
A Brief About GDPR
On May 25, 2018, European privacy law will begin enforcing new global standards for privacy rights, security, and compliance. This new regulation enforcing the privacy rights of individuals is known as GDPR – the General Data Protection Regulation. GDPR gives individuals the right to access their personal data as well as to request removal of all traces of their data. Under GDPR, organizations have stringent standards to follow regarding how data is stored and processed.
Everything about the General Data Protection Regulation (GDPR)
Before I wrote this blog post, it was vital for me to research what GDPR is and how to implement it. After searching and studying this subject, I realized that if one wants to learn everything about GDPR, they should review this website: http://www.privacy-regulation.eu/en/index.htm. It has all the articles arranged in a useful manner. You can go to any chapter and read the articles relevant to you. There are 99 Articles organized into 11 Chapters. Trust me, it is a mammoth task to read the entire regulation. It took me over 5 days just to study every single article and its implications.
Technically, you have to read all 99 articles and 11 chapters, but if you are a data professional, you can start with the following articles, which are the ones related to SQL Server.
Under each article I have also listed the SQL Server features we can implement to comply with it.
GDPR Article 25 – Data protection by design and default
Here you are responsible for controlling who has access to personal data and how the data is processed, stored and accessed in the future. This also requires implementing various safeguards to manage the stored data.
SQL Server Features
- Use Authentication in SQL Server (Windows and Mixed Mode)
- Azure Active Directory Authentication
- Object Level Permissions
- Role-Based Security
- Firewall (Azure SQL Database)
- Dynamic Data Masking
GDPR Article 30 – Records of processing activities
Here you have to maintain a proper record of all processing activities, that is, of how personal data is processed in your application.
SQL Server Features
- Auditing (Azure SQL Database)
- SQL Server Audit
GDPR Article 32 – Security of processing
Here it is required that data is encrypted and pseudonymised. Additionally, there should be a robust and transparent process to restore the data and to test the security measures.
SQL Server Features
- Row Level Security (RLS)
- Transport Layer Security (TLS)
- Transparent Data Encryption (TDE)
- Always Encrypted
- SQL Server AlwaysOn
- Point-in-Time Restore (Azure SQL Database)
- Long-term Retention (Azure SQL Database)
- Active Geo-Replication (Azure SQL Database)
GDPR Article 33 – Notification of a personal data breach to the supervisory authority
Here you will have to have an audit record of all the processes related to personal data so that a breach can be identified and notified.
SQL Server Features
- SQL Database Threat Detection
GDPR Article 35 – Data protection impact assessment
Here you will be responsible for documenting all of your data protection methodology, along with its need and impact. Organizations are required to analyze their risk, document it, and demonstrate their compliance with GDPR.
SQL Server Features
- SQL Server Audit
- Temporal Tables
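As an added example (not code from the original post), here is a T-SQL script that applies two of the features listed above to a constructed customer table: Dynamic Data Masking from the Article 25 list and Row-Level Security from the Article 32 list. The table, user, schema and function names are assumptions.

```sql
-- Added example, not from the original post. Table, users and function names
-- are assumptions; the customer rows are constructed sample data.
CREATE TABLE dbo.Customers (
    CustomerId   INT IDENTITY PRIMARY KEY,
    Region       NVARCHAR(20)  NOT NULL,
    FullName     NVARCHAR(100) NOT NULL,
    -- Dynamic Data Masking: non-privileged readers see aXXX@XXXX.com
    Email        NVARCHAR(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    -- Dynamic Data Masking: only the last 4 characters stay visible
    NationalId   VARCHAR(20)   MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXX",4)') NULL
);
GO

INSERT INTO dbo.Customers (Region, FullName, Email, NationalId) VALUES
    (N'DE', N'Anna Example', N'anna@example.com', 'DE123456789012'),
    (N'FR', N'Jean Exemple', N'jean@example.fr',  'FR987654321098');
GO

-- Constructed database users (no login) for region-bound support staff.
CREATE USER SupportDE WITHOUT LOGIN;
CREATE USER SupportFR WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportDE, SupportFR;
GO

-- Row-Level Security: predicate maps the calling user to the region it may see.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate(@Region AS NVARCHAR(20))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
    WHERE @Region = CASE USER_NAME()
                        WHEN 'SupportDE' THEN N'DE'
                        WHEN 'SupportFR' THEN N'FR'
                    END
       OR IS_MEMBER('db_owner') = 1;
GO
CREATE SECURITY POLICY Security.CustomerRegionFilter
    ADD FILTER PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Customers
    WITH (STATE = ON);
GO

-- Check: SupportDE sees only the DE row, with Email and NationalId masked.
EXECUTE AS USER = 'SupportDE';
SELECT CustomerId, Region, FullName, Email, NationalId FROM dbo.Customers;
REVERT;
GO
```

Dynamic Data Masking only obfuscates query output; a user holding the UNMASK permission or free ad hoc query access can still infer the underlying values, so it belongs alongside the object-level permissions from the Article 25 list rather than in place of them.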
Now we have the list of articles necessary to make SQL Server GDPR compliant. Our next task is to map the existing features of SQL Server to these articles in detail. I will write about that in the next part of this blog post.
Next Action – Jump Start GDPR
In the future I will be writing many different blog posts explaining how one can rapidly change their SQL Server setup to comply with GDPR. Please subscribe here to stay in touch: https://go.sqlauthority.com
If you want my expert opinion about how your organization can jump start with GDPR, you can additionally hire me for a one-hour consultation.
Here is what we will discuss during our one hour:
- Various features of SQL Server and practicality of their implementation
- How your backup strategy needs to change to accommodate new GDPR compliance
- Performance impact of multiple features implemented
- Next Steps for GDPR
- Curated Resource Guide of Key Important Links for GDPR
Send me an email at Pinal @ sqlauthority.com for online Jump Start GDPR Workshop.
Reference: Pinal Dave (https://blog.sqlauthority.com)