GDPR and SQL Server

To close the article series on GDPR and the features available in each of the four database systems reviewed, I was made aware by a few acquaintances that a clearer mapping between the actual regulation text and the identified tasks, along with the features available on each database system, would be very helpful.

This is the purpose of this article, and I hope it will be of help to everyone trying to map legal and regulatory texts to a previously identified task in any of our 4 previous posts, and to the availability level of the required feature or tool to implement the GDPR recommendation.

 

 

| GDPR article/recital | Description | Task(s) | SQL Server | Oracle | Postgresql | Mysql / MariaDB |
|---|---|---|---|---|---|---|
| 35 | ... the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of Personal Data. A single assessment may address a set of similar processing operations that present similar high risks. | Personal Data identification; Access, role and privilege analysis; Security configuration analysis | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool |
| 84 | ... where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller should be responsible for the carrying out of a data-protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk ... | Personal Data identification; Access, role and privilege analysis; Security configuration analysis | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool |
| 6 | ... 4.) Where the processing for another purpose than the one for which the data have been collected is not based on the data subject’s consent...the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the data are initially collected, take into account, inter alia: 4.e.) the existence of appropriate safeguards, which may include encryption or pseudonymization... | Encryption of data and data transfers; Anonymization/Pseudonymization of Personal Data | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool, Commercial tool |
| 32 | the controller, and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate: (a) The pseudonymisation and encryption of personal data; | Encryption of data and data transfers; Anonymization/Pseudonymization of Personal Data | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool, Commercial tool |
| 28 | The application of pseudonymisation to personal data can reduce the risks for the data subjects concerned and help controllers and processors meet their data protection obligations ... | | | | | |
| 83 | In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks, such as encryption. | Encryption of data and data transfers | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool |
| 26 | ... The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. | Anonymization/pseudonymization of Personal Data | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool, Commercial tool |
| 5 | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'). | Anonymization/pseudonymization of Personal Data | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool, Commercial tool |
| 29 | ... Processor and any person ... who has access to personal data, shall not process those data except on instructions from the controller... | Personal Data access control | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool |
| 32 | ... 4) The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller... | Personal Data access control | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool |
| 64 | ... The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. | Personal Data access control | Built-in feature or tool | Extra license | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool |
| 30 | Each controller .... shall maintain a record of processing activities under its responsibility. | Audit implementation and centralization | Built-in feature or tool | Extra license / EE | Built-in feature or tool, 3rd-party open source tool | Built-in feature or tool, 3rd-party open source tool |
| 33 | In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ... | Audit event notification | Built-in feature or tool with extra effort | Extra license / EE | Built-in feature or tool, 3rd-party open source tool, extra effort, Commercial log analyzer | Built-in feature or tool, 3rd-party open source tool, extra effort, Commercial log analyzer |
| 34 | When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. | Audit event notification | Built-in feature or tool with extra effort | Extra license | Built-in feature or tool, 3rd-party open source tool, extra effort, Commercial log analyzer | Built-in feature or tool, 3rd-party open source tool, extra effort, Commercial log analyzer |

We observe that most, if not all, features required to implement GDPR with Oracle require either the Enterprise Edition or additional licenses. This contrasts with Microsoft’s SQL Server 2016 Standard Edition which – since RC1 – makes available all of the features required to implement GDPR.

For the Open Source databases, there is a mix of available built-in features and third-party open source tools which cover most of the requirements, with the exception of audit monitoring and notification, which may require extra human effort or a commercial tool.

 

Organisational and architectural aspects of GDPR

A couple of articles require a broader and deeper analysis, and their implementation is more complex.

 

Article 25: Data Security By Design And By Default

The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Article 32: Comprehensive Data Security Policy

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

 

Alexis

Alexis is the founder of Aleph Technologies, a data infrastructure consulting and professional services provider based in Brussels, Belgium.
