
General Data Protection Regulation (GDPR) and data stored in SQL DBs

What are the obligations and what is considered secure?

Ralpharama

11:03 am on Feb 15, 2018 (gmt 0)

5+ Year Member



Given the looming General Data Protection Regulation (GDPR), as well as reviewing all our processing and such, I wonder about the data that we store that can't easily be deleted or pseudonymised. So assume I need to keep some databases whose tables have email, first name and surname in them, to keep some old systems running and so the website doesn't break.

If I understand, as well as the other obligations under GDPR this data has to be stored securely. Does this mean I have to encrypt it? (not feasible!). We store this data in a SQL Database on an AWS EC2 Windows server instance and access to this is locked down fully.

So I suppose that's not considered secure enough - the fact that it's on an AWS instance? If that's the case then what would I need to do to be compliant in my db storage?

Thanks!

keyplyr

12:07 pm on Feb 15, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Here's the GDPR FAQ [eugdpr.org]

Note also the links at the top of the page, e.g. the Regulation.

Ralpharama

12:29 pm on Feb 15, 2018 (gmt 0)

5+ Year Member



Thanks, I've read that, and half a dozen other people talking about this, but I'm still no surer what I need to do with regard to my OP question!

Ralpharama

1:39 pm on Feb 15, 2018 (gmt 0)

5+ Year Member



Some analysis and opinions on the subject of encryption here:
[linkedin.com...]
[i-scoop.eu...]
[iapp.org...]

But these all talk in terms of processing and transmission of data, not the simple matter of storing data in a db on a server...

I was hoping someone would have some thoughts on the matter.

phranque

1:47 pm on Feb 15, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



this whitepaper from the SANS Institute would be a good place to start:

Preparing for Compliance with the General Data Protection Regulation (GDPR)
A Technology Guide for Security Practitioners

[sans.org...]

Ralpharama

1:58 pm on Feb 15, 2018 (gmt 0)

5+ Year Member



Thanks, but that white paper has nothing on the subject of my OP. I know the text of the GDPR and understand it, but it is open to interpretation and isn't specific about, for example, my question. I was wondering if anyone had any thoughts on it personally? Or had taken any steps themselves? I have read dozens of articles and analyses and followed many, many links...

bhukkel

2:15 pm on Feb 15, 2018 (gmt 0)

10+ Year Member



Secure and encrypted are two different things. You can store all your data encrypted but if your decryption key is stored unprotected on the same server or on the same backup device it is not very secure.

In the end the law says you have to protect the data, and it's up to you how you do it.

Ralpharama

3:06 pm on Feb 15, 2018 (gmt 0)

5+ Year Member



@bhukkel yes indeed, one of the ways GDPR suggests you can make your data more secure is with encryption. As is pseudonymisation. For example:
"appropriate safeguards, which may include encryption" (P121 (4.e))
"including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data" (P160 (1a))
etc

I guess my point is this: given that this comes into force with a recommendation of these as ways to make your data more secure, which you have a legal obligation to do, does 'doing nothing' with regard to your storage of data on a db server cover you?

There's a pretty strong case that, if you are hacked and have personal data stolen, having done nothing differently and not having implemented any of the suggestions means you are liable? People are predicting test cases soon after the deadline...
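The two posts above raise the practical question of what pseudonymisation actually looks like for a table of emails and names, and bhukkel's point that a key (or re-identification data) kept next to the data adds little. The following is an added example written for this thread, not code from any poster; it uses only the Python standard library and assumes a layout in which the website's database holds only keyed (HMAC-SHA256) pseudonyms, a separate "vault" database (assumed to live on a different host and backup set) maps pseudonym back to identity, and the HMAC key is supplied from the environment by a secrets manager rather than stored beside either database. An erasure request then deletes the vault row while the old systems keep working on the unlinkable token.

```python
"""Pseudonymised storage demo (added example; stdlib only, in-memory SQLite).

Assumed layout (not taken from the thread):
  * app_db   - the tables the website needs; holds only HMAC pseudonyms
  * vault_db - kept separately (different host / backup set); maps
               pseudonym -> real identity, i.e. the "additional information"
               GDPR says must be kept apart from the pseudonymised data
  * the HMAC key is read from the environment (e.g. injected by a secrets
    manager) and is never written to disk next to the data
"""
import hashlib
import hmac
import os
import sqlite3


def load_key_from_env(var="PSEUDONYM_KEY"):
    """Fetch the pseudonymisation key from the environment, never from the DB."""
    raw = os.environ.get(var)
    if not raw:
        raise RuntimeError(f"{var} not set; refusing to run with an empty key")
    return raw.encode()


def pseudonymise(value, key):
    """Deterministic keyed pseudonym: the same email always maps to the same
    token (so joins and lookups still work), but without the key the token
    can neither be reversed nor confirmed by guessing addresses."""
    canonical = value.strip().lower().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def create_app_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (pseudonym TEXT PRIMARY KEY, signup_year INT)")
    return db


def create_vault_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE identities (pseudonym TEXT PRIMARY KEY, "
        "email TEXT, first_name TEXT, surname TEXT)"
    )
    return db


def store_customer(app_db, vault_db, key, email, first_name, surname, signup_year):
    """Write only the token to the app DB; identity data goes to the vault."""
    token = pseudonymise(email, key)
    app_db.execute("INSERT OR IGNORE INTO customers VALUES (?, ?)", (token, signup_year))
    vault_db.execute(
        "INSERT OR IGNORE INTO identities VALUES (?, ?, ?, ?)",
        (token, email, first_name, surname),
    )
    return token


def lookup_customer(app_db, key, email):
    """Old systems keep working: recompute the token and query by it."""
    token = pseudonymise(email, key)
    row = app_db.execute(
        "SELECT signup_year FROM customers WHERE pseudonym = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def erase_identity(vault_db, key, email):
    """Erasure request: drop the re-identification record only. The app DB
    row survives as an unlinkable token, so nothing on the website breaks."""
    token = pseudonymise(email, key)
    cur = vault_db.execute("DELETE FROM identities WHERE pseudonym = ?", (token,))
    return cur.rowcount


def app_db_contains_plaintext(app_db, needle):
    """Audit check: confirm the raw value never reached the app DB."""
    for (val,) in app_db.execute("SELECT pseudonym FROM customers"):
        if needle.lower() in str(val).lower():
            return True
    return False


def demo(key=b"constructed-demo-key-not-for-production"):
    """Constructed walkthrough; in production use load_key_from_env()."""
    app_db, vault_db = create_app_db(), create_vault_db()
    token = store_customer(app_db, vault_db, key, "Alice@Example.com", "Alice", "Smith", 2015)
    year = lookup_customer(app_db, key, "alice@example.com")
    leaked = app_db_contains_plaintext(app_db, "alice")
    erased = erase_identity(vault_db, key, "alice@example.com")
    still_works = lookup_customer(app_db, key, "alice@example.com")
    return {"token": token, "year": year, "leaked": leaked,
            "erased": erased, "still_works": still_works}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the split: the app database on the web server is useless to someone who copies it, because re-identification needs both the vault and the key, and neither sits on that server. A plain SHA-256 of the email would not do, since anyone can hash a list of candidate addresses and match tokens; the HMAC key is what makes the token a pseudonym rather than a fingerprint.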

phranque

4:07 pm on Feb 15, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



there are probably ISO standards that would address some of your questions.

it appears that GDPR is about the continuous process of analyzing and addressing risk.
"doing nothing" is the opposite of this.