In this post I would like to give a brief overview of the upcoming GDPR and Microsoft's suggestions for making SQL Server compliant with the regulation.
The EU General Data Protection Regulation (GDPR) is set to take effect on 25th May 2018. This includes the UK along with the other European countries: though the UK is exiting the EU (Brexit), it has committed to comply.
What is GDPR?
The aim of GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
It applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. It will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. This puts a lot of emphasis on offshore companies that process data on behalf of EU companies.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Customer consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
A data breach that is likely to "result in a risk for the rights and freedoms of individuals" must be notified within 72 hours of first having become aware of the breach.
Right to Access:
The controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten:
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Privacy by Design:
The controller should implement appropriate technical and organisational measures in an effective way, in order to meet the requirements of this Regulation and protect the rights of data subjects.
Data Protection Officers:
DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
SQL Server Compliance:
Microsoft has published a detailed whitepaper on how to address GDPR as a four-step process: Discover -> Manage -> Protect -> Report
Here is the link to the detailed PDF file.
Key points Microsoft suggests addressing:
- It is a recommended best practice to disable all features that are not in use, to reduce the attack surface area. Example features (but not limited to): xp_cmdshell, CLR, FILESTREAM, Cross DB Ownership Chaining, OLE Automation, External Scripts, Ad Hoc Distributed Queries, and disabling the TRUSTWORTHY bit.
- Use separate authentication for users and applications.
- Configure role-based security which provides flexibility to define permissions at a high level of granularity.
- For Azure SQL databases, configure the Azure SQL Database firewall by setting the "allowed IP addresses".
- Use Azure Active Directory authentication for Azure SQL Database.
- Configure Dynamic Data Masking (DDM), which limits sensitive data exposure by masking the data for non-privileged users or applications, including DBAs. This feature is supported from SQL Server 2016.
- Row-Level Security (RLS) restricts access according to specific user entitlements: a query against a table returns only the rows the user is supposed to see. Again, a feature supported from SQL Server 2016.
- It is a best practice to always use connections secured with Transport Layer Security (TLS).
- Use TDE and Always Encrypted wherever required to protect the data at rest and in transit.
- Configure appropriate SQL Auditing or follow the best practices suggested by Microsoft.
- Temporal Tables are another feature that can be configured for reporting purposes, to identify the state of data at a particular point in time.
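To show how several of the points above fit together on one SQL Server 2016+ instance, here is an added T-SQL example (not taken from the Microsoft whitepaper): it disables two unused features, masks personal-data columns with DDM, restricts rows with an RLS policy, and grants a least-privilege application user SELECT only. The schema, table, user names, session-context key and sample rows are constructed for illustration.

```sql
-- Added example (T-SQL, SQL Server 2016+), not from the Microsoft whitepaper.
-- Schema, table, user names and the sample rows below are constructed for illustration.

-- 1. Reduce the attack surface: disable xp_cmdshell and Ad Hoc Distributed Queries.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
GO

-- 2. Dynamic Data Masking: mask personal data for users without the UNMASK permission.
CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY PRIMARY KEY,
    FullName    NVARCHAR(100) MASKED WITH (FUNCTION = 'partial(1,"XXXX",0)') NOT NULL,
    Email       NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Iban        VARCHAR(34)   MASKED WITH (FUNCTION = 'default()') NULL,
    Region      VARCHAR(10)   NOT NULL   -- used by the RLS predicate below
);
INSERT INTO dbo.Customers (FullName, Email, Iban, Region) VALUES
    (N'Alice Example', N'alice@example.com', 'GB00TEST00000000000001', 'UK'),
    (N'Bob Example',   N'bob@example.de',    'DE00TEST00000000000002', 'DE');
GO

-- 3. Row-Level Security: a session sees only rows for the region set in SESSION_CONTEXT.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate(@Region AS VARCHAR(10))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @Region = CAST(SESSION_CONTEXT(N'Region') AS VARCHAR(10))
              OR IS_MEMBER('db_owner') = 1;   -- database owners keep full visibility
GO
CREATE SECURITY POLICY Security.CustomerRegionPolicy
    ADD FILTER PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Customers
    WITH (STATE = ON);
GO

-- 4. Least-privilege application user: SELECT only, no UNMASK, so both DDM and RLS apply.
CREATE USER app_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO app_reader;
GO
-- Quick check: app_reader bound to region UK sees one row, with name, e-mail and IBAN masked.
EXECUTE AS USER = 'app_reader';
EXEC sp_set_session_context @key = N'Region', @value = 'UK';
SELECT CustomerId, FullName, Email, Iban, Region FROM dbo.Customers;
REVERT;
```

Running the final SELECT as dbo instead returns both rows unmasked, which is the point the DDM bullet makes: the masks protect only against principals that lack UNMASK or ownership rights.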