Insights empowering compliance

Make your DB GDPR-compliant

Helping you adjust your Oracle database assets to the strictest data protection regulation in the world
Store this in your database?
If you store any of the following kinds of PII (Personally Identifiable Information), the GDPR applies to you and you must abide by its rules:
  • Names
  • E-mail addresses
  • Location or coordinates
  • Online identifiers
  • Health information
  • Personal profile
  • Income
  • Biometric data
Glossary
Personally Identifiable Information
PII is any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity and any other information that is linked or linkable to an individual (medical, educational, financial, and employment information).
Privacy Impact Assessments
PIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. In other words, a PIA is a process for building and demonstrating compliance.
Data Protection Officer
The primary role of the data protection officer (DPO) is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. In the EU institutions and bodies, the applicable Data Protection Regulation (Regulation (EC) 45/2001) obliges them each to appoint a DPO.
Binding Corporate Rules
A set of binding rules put in place to allow multinational companies and organisations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organisation).
A journey, not a destination
GDPR is not a one-time certification.
Classify
Identify what personal information you hold, and which of it you really need from 25.05.18 onwards (the date the GDPR applies)
Locate
Scan your information assets, primarily databases, to discover where the personal information resides
Protect
Establish security controls and governance to prevent, detect, respond to and report vulnerabilities and data breaches
Monitor
Monitor and audit your data sources regularly to stay compliant and reduce risk
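The Locate step above amounts to a discovery scan. The following is an added example, not the page's tooling: a small Python scanner that combines column-name hints (keyed by the PII categories the page lists) with content-pattern detectors over sampled rows. The table name, the rows and the hint and detector lists are constructed for illustration; a real scan would enumerate columns from the data dictionary (ALL_TAB_COLUMNS on Oracle) and sample each table instead.

```python
"""Locate step: column-level PII discovery over sampled rows.

Added example (not the page's tooling): combines column-name hints with
content-pattern detectors. The sample rows are constructed inline so the
script runs offline; a real scanner would sample each table from the DB.
"""
import re
from collections import Counter

# Name-based hints, keyed by the PII categories the page lists.
# A column named "email" is PII even if every sampled value is empty.
NAME_HINTS = {
    "name": ("name", "first_name", "last_name", "full_name", "surname"),
    "email": ("email", "e_mail", "mail"),
    "location": ("address", "postcode", "zip", "lat", "latitude", "lon", "longitude"),
    "online_identifier": ("ip", "ip_address", "cookie", "device_id", "user_agent"),
    "health": ("diagnosis", "icd_code", "blood_type", "medication"),
    "income": ("income", "salary", "wage"),
}

# Content detectors, run on each sampled value as a stripped string.
CONTENT_DETECTORS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "online_identifier": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),          # IPv4 literal
    "location": re.compile(r"^-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}$"),  # "lat, lon" pair
}


def _name_matches(column, hint):
    """True if the hint is the whole column name or a '_'-separated part of it."""
    return column == hint or column.startswith(hint + "_") or column.endswith("_" + hint)


def classify_column(column, values, threshold=0.5):
    """Return the set of PII categories detected for one column.

    A content detector counts only if it matches at least `threshold` of the
    non-empty sampled values, so a single e-mail address pasted into a
    free-text column does not flag the whole column.
    """
    categories = set()
    lowered = column.lower()
    for category, hints in NAME_HINTS.items():
        if any(_name_matches(lowered, h) for h in hints):
            categories.add(category)

    samples = [str(v).strip() for v in values if v not in (None, "")]
    if samples:
        hits = Counter()
        for value in samples:
            for category, pattern in CONTENT_DETECTORS.items():
                if pattern.match(value):
                    hits[category] += 1
        for category, count in hits.items():
            if count / len(samples) >= threshold:
                categories.add(category)
    return categories


def scan_table(table, rows):
    """Map 'table.column' -> sorted PII categories for every flagged column."""
    columns = {}
    for row in rows:
        for column, value in row.items():
            columns.setdefault(column, []).append(value)
    report = {}
    for column, values in columns.items():
        found = classify_column(column, values)
        if found:
            report[f"{table}.{column}"] = sorted(found)
    return report


# Constructed sample rows standing in for a sampled database table.
SAMPLE_CUSTOMERS = [
    {"customer_id": 1001, "full_name": "Ana Kovac", "contact": "ana.kovac@example.org",
     "last_ip": "203.0.113.7", "geo": "52.5200, 13.4050", "annual_income": 48000, "notes": "prefers phone"},
    {"customer_id": 1002, "full_name": "Ben Okafor", "contact": "ben@example.net",
     "last_ip": "198.51.100.22", "geo": "48.8566, 2.3522", "annual_income": 51000, "notes": ""},
    {"customer_id": 1003, "full_name": "Chloe Martin", "contact": "walk-in, no e-mail",
     "last_ip": "192.0.2.9", "geo": "", "annual_income": 39000, "notes": "see ticket 4711"},
]

if __name__ == "__main__":
    for location, categories in scan_table("customers", SAMPLE_CUSTOMERS).items():
        print(f"{location}: {', '.join(categories)}")
```

Name hints on their own are noisy (a `product_name` column would be flagged as a person's name), which is why the content detectors and the threshold exist; the scan output is a candidate list for a human to confirm, not a final classification. Note also that the `contact` column has no telling name but is still caught because two of three sampled values are e-mail addresses.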
What does it mean for your database?
GDPR brings along some implications and complications for your DB environment.
Database objects
- Mask all tables containing PII
- Minimize requested PII
- Pseudonymize data sets
- Turn on encryption for affected tables
Databases
- Review granted user rights (also look for orphaned accounts)
- Separate duties, restrict privileged users' access
- Enable audit trails and logging
- Regularly run vulnerability tests
- Review your backup/recovery strategy: you might need to exclude specific PII records from recovery, or delete them again after a restore
Servers
- Log and monitor suspicious and irregular user activity
- Set up instant alerts for access violations (you have 72 hours to report a breach)
- Review access policies, including physical access
- Run comprehensive database and environment reporting
Infrastructure
- Look for outside-EU connections
- Control data transfers outside of EU-area, check for rationale and compliance
72
Hours you have to notify the supervisory authority once you become aware of a breach.
20
mln EURO or 4% of the company's worldwide annual turnover, whichever is higher. The maximum penalty for non-compliance.
16
Years. Below this age, parental consent is required to process a child's data for online services (member states may lower the threshold, but not below 13).
Preflight checklist
Use professional DBA tools to expedite implementation of GDPR governance.
  • Implement "data protection by design"
    Review your database to make sure it is designed so that data is securely and transparently collected and stored, with no compromise on functionality.
  • Map PII to your database objects
    Get a detailed report on your database structure and mark all the entities containing PII. Make sure you have a clear understanding of their critical security parameters and related scripts.
  • Regularly check database security
    Run comprehensive database self-audits regularly to stay aware of potential vulnerabilities. Fix the weaknesses, if any, before they get exploited.
  • Monitor vulnerabilities
    Detect and clean up inefficient code and orphaned objects to reduce the risk of data leaks and improve overall system performance.
  • Ensure data portability
    Individuals may request their data in a commonly used, machine-readable format. Make sure you can generate transparent and comprehensive cross-system exports.
  • Address PII-related requests
    Locate user- and employee-related PII in your database and be ready to answer their inquiries and "right to be forgotten" requests without delay.
  • Facilitate security and data protection
    Encryption has been there since the early days, but now get ready to pseudonymize data sets. In that case, the "additional information" needed to re-identify a person must be "kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person."
  • Review your backups
    The "right to be forgotten" (RTBF) affects your backups as well: it obliges you to delete every piece of information relating to the individual that you hold. Legacy applications with archived data are especially tricky, because you may need to restore the archive before you can delete from it.
  • Watch for cross-border data transfers
    You must have complete visibility into how scripts, packages or third-party applications could send data outside the EU. Generated data exports are a common leak path and need the same controls as the database itself.
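The "Pseudonymize data sets" item above and the checklist items on pseudonymization and on backups describe one design: the data set keeps only a pseudonym, and the link back to the person lives in a separately secured store. The following is an added example, not the page's or any vendor's code, showing that design in Python with two in-memory dicts standing in for the two separately stored systems (the data set and the vault); the pepper, the vault class, the `subject_ref` column name and the sample orders are all constructed for illustration. Pseudonyms are random rather than derived from the identifier, so deleting the vault entry (the "forget" step) leaves every pseudonymized copy, including backups, unattributable.

```python
"""Pseudonymization with the re-identification data kept separately,
plus 'forgetting' a subject by deleting that data.

Added example, not the page's tooling. Two stores stand in for two
separately secured systems: the pseudonymized data set (which can be
backed up, replicated and shared) and the vault holding the only link
back to the person (the GDPR Art. 4(5) "additional information").
"""
import hashlib
import hmac
import secrets


class PseudonymVault:
    """Holds the identifier <-> pseudonym mapping and nothing else.

    Lookups use a keyed blind index, HMAC-SHA256(pepper, identifier), so the
    vault never stores the identifier in searchable plaintext. The pseudonym
    itself is random, not derived: knowing the pepper and an e-mail address
    does not let anyone recompute it, so a backup of the data set cannot be
    re-linked once the mapping entry is gone.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper      # assumed to be stored with the vault, never with the data
        self._by_index = {}        # blind index -> pseudonym
        self._identity = {}        # pseudonym -> identifier

    def _blind_index(self, identifier: str) -> str:
        normalized = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._pepper, normalized, hashlib.sha256).hexdigest()

    def pseudonym_for(self, identifier: str) -> str:
        """Return the existing pseudonym for this person, or mint a new random one."""
        index = self._blind_index(identifier)
        if index not in self._by_index:
            pseudonym = secrets.token_hex(16)
            self._by_index[index] = pseudonym
            self._identity[pseudonym] = identifier.strip()
        return self._by_index[index]

    def reidentify(self, pseudonym: str):
        """Authorized path back to the person; None once the subject is forgotten."""
        return self._identity.get(pseudonym)

    def forget(self, identifier: str) -> bool:
        """RTBF: drop the link. Every pseudonymized copy (backups included)
        stays unattributable afterwards; returns False if the person was unknown."""
        pseudonym = self._by_index.pop(self._blind_index(identifier), None)
        if pseudonym is None:
            return False
        del self._identity[pseudonym]
        return True


def pseudonymize_rows(vault, rows, subject_column, drop_columns=()):
    """Replace the subject's direct identifier with a pseudonym and drop other
    direct identifiers; every other column is passed through unchanged."""
    result = []
    for row in rows:
        new_row = {k: v for k, v in row.items()
                   if k != subject_column and k not in drop_columns}
        new_row["subject_ref"] = vault.pseudonym_for(row[subject_column])
        result.append(new_row)
    return result


# Constructed sample: two orders by the same person (differently cased e-mail), one by another.
SAMPLE_ORDERS = [
    {"order_id": 1, "email": "ana.kovac@example.org", "full_name": "Ana Kovac", "amount": 120},
    {"order_id": 2, "email": "Ana.Kovac@example.org", "full_name": "Ana Kovac", "amount": 35},
    {"order_id": 3, "email": "ben@example.net", "full_name": "Ben Okafor", "amount": 80},
]


def demo():
    """Walk through pseudonymize -> reidentify -> forget and return the observations."""
    vault = PseudonymVault(pepper=secrets.token_bytes(32))
    orders = pseudonymize_rows(vault, SAMPLE_ORDERS, subject_column="email",
                               drop_columns=("full_name",))
    ana_ref = orders[0]["subject_ref"]
    linked_before = vault.reidentify(ana_ref)
    vault.forget("ana.kovac@example.org")
    linked_after = vault.reidentify(ana_ref)
    return {
        "rows": orders,
        "same_person_same_ref": orders[0]["subject_ref"] == orders[1]["subject_ref"],
        "linked_before_forget": linked_before,
        "linked_after_forget": linked_after,
        # Re-onboarding the same person mints a fresh pseudonym: old history stays unlinked.
        "reonboarding_relinks_history": vault.pseudonym_for("ana.kovac@example.org") == ana_ref,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. First, the vault has backups of its own, so a forget request must also propagate there (or the vault must be encrypted under a key that can be destroyed); the data-set backups are the only ones this design leaves untouched. Second, as long as the vault exists the pseudonymized rows are still personal data under the GDPR: pseudonymization is a safeguard that reduces risk and narrows who can attribute the data, not anonymization.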