General Data Protection Regulation (GDPR) and data stored in SQL DBs

What are the obligations and what is considered secure?

11:03 am on Feb 15, 2018 (gmt 0)

New User from FI 

joined:Feb 15, 2018
posts: 4
votes: 0


Given the looming General Data Protection Regulation (GDPR), as well as reviewing all our processing and such, I wonder about the data that we store that can't easily be deleted or pseudonymised. So assume I need to keep some databases in which tables have email, first name and surname, to keep some old systems running and so the website doesn't break.

If I understand correctly, as well as the other obligations under GDPR, this data has to be stored securely. Does this mean I have to encrypt it? (not feasible!). We store this data in a SQL database on an AWS EC2 Windows server instance and access to this is locked down fully.

So I suppose that's not considered secure enough - the fact that it's on an AWS instance? If that's the case then what would I need to do to be compliant in my db storage?

Thanks!
12:07 pm on Feb 15, 2018 (gmt 0)

Moderator from US 

keyplyr, WebmasterWorld Administrator (Top Contributor of All Time, 10+ Year Member, Top Contributors of the Month)

joined:Sept 26, 2001
posts:12083
votes: 770


Here's the GDPR FAQ [eugdpr.org]

Note also the links at the top of the page, e.g. the Regulation.
12:29 pm on Feb 15, 2018 (gmt 0)

New User from FI 

joined:Feb 15, 2018
posts: 4
votes: 0


Thanks, I've read that, and half a dozen other people talking about this, but I'm still no surer what I need to do with regard to my OP question!
1:39 pm on Feb 15, 2018 (gmt 0)

New User from FI 

joined:Feb 15, 2018
posts: 4
votes: 0


Some analysis and opinions on the subject of encryption here:
[linkedin.com...]
[i-scoop.eu...]
[iapp.org...]

But these all talk in terms of processing and transmission of data, not the simple matter of storing data in a db on a server...

I was hoping someone would have some thoughts on the matter.
1:47 pm on Feb 15, 2018 (gmt 0)

Administrator

phranque, WebmasterWorld Administrator (Top Contributor of All Time, 10+ Year Member, Top Contributors of the Month)

joined:Aug 10, 2004
posts:11388
votes: 157


this whitepaper from SANS institute would be a good place to start:

Preparing for Compliance with the General Data Protection Regulation (GDPR)
A Technology Guide for Security Practitioners

[sans.org...]
1:58 pm on Feb 15, 2018 (gmt 0)

New User from FI 

joined:Feb 15, 2018
posts: 4
votes: 0


Thanks, but that white paper has nothing on the subject of my OP. I know the text of the GDPR and understand it, but it is open to interpretation and isn't specific about, for example, my question. I was wondering if anyone had any thoughts on it personally? Or had taken any steps themselves? I have read dozens of articles and analyses and followed many, many links...
2:15 pm on Feb 15, 2018 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:251
votes: 20


Secure and encrypted are two different things. You can store all your data encrypted but if your decryption key is stored unprotected on the same server or on the same backup device it is not very secure.

In the end, the law says you have to protect the data and it's up to you how you do it.
3:06 pm on Feb 15, 2018 (gmt 0)

New User from FI 

joined:Feb 15, 2018
posts: 4
votes: 0


@bhukkel yes indeed, one of the ways GDPR suggests you can make your data more secure is with encryption. As is pseudonymisation. For example:
"appropriate safeguards, which may include encryption" (P121 (4.e))
"including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data" (P160 (1a))
etc.

I guess my point is that, given that this comes into force with a recommendation of these as a way to make your data more secure, which you have a legal obligation to do, does 'doing nothing' with regard to your storage of data on a db server cover you?

There's a pretty strong case, if you are hacked and have personal data stolen, that having done nothing differently and not having implemented any of the suggestions, then you are liable? People are predicting test cases soon after the deadline...
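Two points raised in this thread can be shown concretely: bhukkel's observation that encryption is only as good as where the key lives, and the OP's quote of Article 32 naming pseudonymisation as a safeguard. The following is an added example, not code from any poster in this thread, showing the pattern GDPR calls pseudonymisation: the operational table keeps only a keyed pseudonym of the person, and the identifying fields (email, first name, surname) sit in a separate vault keyed by that pseudonym. The HMAC key and the vault are what must be stored apart from the application database (in a secrets manager or a separate account in practice; here they are a constructed in-memory key and a second in-memory SQLite database). The table names, sample records and key value are all constructed for the demo. Because the pseudonym is keyed rather than a plain hash, an attacker who obtains the application database alone cannot rebuild it from a list of known addresses, and deleting the vault row answers an erasure request while the old system keeps running on now-unlinkable records.

```python
import hashlib
import hmac
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample records standing in for the OP's email/first name/surname table.
# (email, first_name, surname, total_cents of one order)
SAMPLE_PEOPLE = [
    ("Alice.Example@example.com", "Alice", "Example", 1999),
    ("bob@example.net", "Bob", "Sample", 4250),
]


def pseudonym(key: bytes, email: str) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the normalised address.

    Normalising (trim + lowercase) keeps lookups stable across spelling variants.
    Without `key` the value cannot be linked back to a person, which is what
    distinguishes this from an unkeyed hash that can be brute-forced from a
    list of candidate addresses.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def open_app_db() -> sqlite3.Connection:
    """Operational database: holds the pseudonym only, never the identity fields."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders ("
        "order_id INTEGER PRIMARY KEY, "
        "person_pid TEXT NOT NULL, "
        "total_cents INTEGER NOT NULL)"
    )
    return db


def open_vault_db() -> sqlite3.Connection:
    """Identity vault: the 'additional information' that GDPR requires to be
    kept separately. A second in-memory DB here; a separate server/account in practice."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE identities ("
        "pid TEXT PRIMARY KEY, "
        "email TEXT NOT NULL, "
        "first_name TEXT, "
        "surname TEXT)"
    )
    return db


def load(key: bytes, app: sqlite3.Connection, vault: sqlite3.Connection,
         people: List[Tuple[str, str, str, int]]) -> None:
    """Split each record: identity goes to the vault, operational data to the app DB."""
    for email, first, last, total in people:
        pid = pseudonym(key, email)
        vault.execute("INSERT OR IGNORE INTO identities VALUES (?, ?, ?, ?)",
                      (pid, email, first, last))
        app.execute("INSERT INTO orders (person_pid, total_cents) VALUES (?, ?)",
                    (pid, total))
    app.commit()
    vault.commit()


def orders_for(app: sqlite3.Connection, key: bytes, email: str) -> List[int]:
    """Application lookup by e-mail works without the app DB ever storing the address."""
    pid = pseudonym(key, email)
    rows = app.execute(
        "SELECT total_cents FROM orders WHERE person_pid = ? ORDER BY order_id", (pid,))
    return [r[0] for r in rows]


def identity_for(vault: sqlite3.Connection, key: bytes, email: str) -> Optional[Tuple[str, str, str]]:
    """Re-identification is only possible with both the key and the vault."""
    pid = pseudonym(key, email)
    return vault.execute(
        "SELECT email, first_name, surname FROM identities WHERE pid = ?", (pid,)).fetchone()


def erase_person(vault: sqlite3.Connection, key: bytes, email: str) -> int:
    """Erasure request: drop the vault row. Orders in the app DB survive but
    can no longer be linked to a person. Returns the number of rows deleted."""
    pid = pseudonym(key, email)
    cur = vault.execute("DELETE FROM identities WHERE pid = ?", (pid,))
    vault.commit()
    return cur.rowcount


def demo() -> Tuple[Optional[tuple], int, Optional[tuple], List[int]]:
    """End-to-end run on the constructed sample data."""
    key = b"constructed-demo-key-keep-this-outside-the-db"  # constructed; never store beside the data
    app, vault = open_app_db(), open_vault_db()
    load(key, app, vault, SAMPLE_PEOPLE)
    before = identity_for(vault, key, "alice.example@example.com")
    erased = erase_person(vault, key, "alice.example@example.com")
    after = identity_for(vault, key, "alice.example@example.com")
    remaining = orders_for(app, key, "alice.example@example.com")
    return before, erased, after, remaining


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting against bhukkel's point: if the HMAC key or the vault were dumped together with the application database (same server, same backup set), the pseudonyms would be trivially reversible and the separation would buy nothing. The key belongs in a secrets store and the vault in its own access-controlled location, each with its own backups.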
4:07 pm on Feb 15, 2018 (gmt 0)

Administrator

phranque, WebmasterWorld Administrator (Top Contributor of All Time, 10+ Year Member, Top Contributors of the Month)

joined:Aug 10, 2004
posts:11388
votes: 157


there are probably ISO standards that would address some of your questions.

it appears that GDPR is about the continuous process of analyzing and addressing risk.
"doing nothing" is the opposite of this.