Implementation Of GDPR With SQL Server And Azure SQL Database

GDPR was introduced to improve the management and protection of ordinary users' personal data. In an era when data breaches make the news every other day, GDPR sets the guidelines that organizations in the EU and EEA are obliged to follow, closing a long-standing gap in legislation protecting users' data. However, it isn't easy for an individual organization to process data with the level of security that the GDPR guidelines call for. Each organization needs to document where personal data is stored and apply GDPR to it. For systems in an early development stage, it may be easier to identify the business processes and apply GDPR to them. Still, it's a complex task, and numerous organizations look for a third-party solution to manage and control the security measures that GDPR calls for. To meet this need, Azure SQL Database provides built-in mechanisms and tools that help a system become GDPR compliant. In this article, we dive deeper into various GDPR guidelines and the prospective solutions that Azure provides.
 
Topics covered in this article:
  • Brief about GDPR and its constituent articles
  • SQL Server / Azure Database GDPR Ready Features
  • SSMS: Data Discovery and Classification
  • Challenges

GDPR

 
General Data Protection Regulation (GDPR) is a regulation on privacy and data protection in the European Union that also addresses the transfer of personal data across and outside the European Union (EU) and European Economic Area (EEA). In May 2018, the whole EU started to implement the new General Data Protection Regulation to protect the right to private life as a universal human right, and the right to have one's personal data safeguarded as a distinct, standalone universal human right. It is a positive step for users, whose data it safeguards, but it can make it challenging for vendors to design, develop and maintain secure systems.
 
There have been hundreds and thousands of data breaches over the years. Some of these breaches and hacks have wiped out billions of data records at some of the companies.
 
The following visualization from Data Breaches and Hacks shows the size of the impacts recorded by the data breaches annually.
 
 
Check out the Have I Been Pwned website to see whether your email address or phone number has been put at risk by data breaches at the various companies whose services you have used.
 
 

GDPR Article 25 – Data Protection by Design and Default

 
This article of the GDPR states that the controller must take the necessary organizational and technical measures to ensure that, by default, users' data is protected and is not made accessible without the consent of the individual. We can control access to users' personal data and the way the data is processed, stored and accessed in the future, using the following features:
  • Authentication in SQL Server (Windows and Mixed Mode)
  • Azure Active Directory Authentication
  • Object Level Permissions
  • Role-Based Security
  • Firewall (Azure SQL Database)
  • Dynamic Data Masking
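
Role-based security, object-level permissions and Dynamic Data Masking from the list above can be combined on one table. The T-SQL below is an added example, not code from the original article; dbo.Customer, the SupportAgent and PrivacyOfficer roles and SupportUser are hypothetical names, and the data row is constructed.

```sql
-- Added example: all object names are hypothetical, the data row is constructed.
CREATE TABLE dbo.Customer (
    CustomerId    INT IDENTITY(1,1) PRIMARY KEY,
    FullName      NVARCHAR(100) NOT NULL,
    -- Dynamic Data Masking: readers without UNMASK get a masked value back.
    Email         NVARCHAR(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone         VARCHAR(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL,
    InternalNotes NVARCHAR(400) NULL
);
INSERT INTO dbo.Customer (FullName, Email, Phone, InternalNotes)
VALUES (N'Joe Smith', N'joe.smith@example.com', '555-010-1234', N'constructed row');

-- Role-based security: permissions go to a role, users only join the role.
CREATE ROLE SupportAgent;
CREATE USER SupportUser WITHOUT LOGIN;   -- test principal, no server login needed
ALTER ROLE SupportAgent ADD MEMBER SupportUser;

-- Object-level permissions: column-scoped SELECT; InternalNotes is not granted.
GRANT SELECT ON dbo.Customer (CustomerId, FullName, Email, Phone) TO SupportAgent;

-- Verify the result as the low-privileged user.
EXECUTE AS USER = 'SupportUser';
SELECT CustomerId, FullName, Email, Phone
FROM dbo.Customer;                        -- Email and Phone come back masked
SELECT HAS_PERMS_BY_NAME('dbo.Customer', 'OBJECT', 'SELECT',
                         'InternalNotes', 'COLUMN') AS CanReadNotes;
REVERT;

-- Unmasked access is a separate, explicit grant that can be reviewed and audited.
CREATE ROLE PrivacyOfficer;
GRANT SELECT ON dbo.Customer TO PrivacyOfficer;
GRANT UNMASK TO PrivacyOfficer;
```

Masking only changes what a query returns; the stored values are unchanged and unencrypted, so it complements the permission grants rather than replacing them.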
 

GDPR Article 30 – Records of processing activities

 
Article 30 states that each controller, and the controller's representative, must maintain records of all the processing activities under their responsibility, such as the purposes of the processing, any disclosure of personal data and so on.
 
It concerns the auditing of all records and of the personal data that is processed in the application.
  • Auditing (Azure SQL Database)
  • SQL Server Audit
 
If you want to dive deeper into GDPR and the solutions provided by Azure with a hands-on demo, watch this video by Microsoft MVP Jasmin Azemović.
 
 

GDPR Article 32 – Security of processing

 
Article 32 of GDPR addresses the security of data processing: pseudonymization and encryption of users' data, and regular testing, assessing and evaluating of the effectiveness of the measures that secure the data.
 
Data should be encrypted and pseudonymized. A few measures to take are as follows:
  • Row Level Security (RLS)
  • Transport Layer Security (TLS)
  • Transparent Data Encryption (TDE)
  • Always Encrypted
  • SQL Server AlwaysOn
  • Point-in-Time Restore (Azure SQL Database)
  • Long-Term Retention (Azure SQL Database)
  • Active Geo-Replication (Azure SQL Database): you can read more about Active Geo-Replication in our last article, Azure SQL Database: Business Continuity and Disaster Recovery
  • Anonymization or Pseudonymization: Pseudonymization refers to the process of replacing the information about an individual in the data with a pseudonym that still stands for the person but does not allow the individual to be identified directly. Anonymized data, on the other hand, is data from which the individual cannot be identified.
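Example of pseudonymisation of data:
 
|                    | Employee Name | Employee Number | Department |
|--------------------|---------------|-----------------|------------|
| Original Data      | Joe Smith     | 98765639        | Defense    |
| Pseudonymised Data | Emp 00001     | XXXXXXXX        | XXXXXXXX   |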
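
The mapping shown in the table can be produced inside the database, keeping the re-identification key apart from the pseudonymised output. The T-SQL below is an added example, not code from the original article; the hr and reporting schemas, the table, view and role names are hypothetical, and the row is the constructed sample from the table.

```sql
-- Added example: hypothetical object names. GO is the SSMS/sqlcmd batch separator.
CREATE SCHEMA hr;
GO
CREATE SCHEMA reporting;
GO
CREATE TABLE hr.Employee (
    EmployeeNumber CHAR(8)       NOT NULL PRIMARY KEY,
    EmployeeName   NVARCHAR(100) NOT NULL,
    Department     NVARCHAR(50)  NOT NULL
);
-- The key table is the "additional information" that links a pseudonym back to a
-- person. It stays in the restricted hr schema, apart from the published view.
CREATE TABLE hr.PseudonymKey (
    PseudonymId    INT IDENTITY(1,1) PRIMARY KEY,
    EmployeeNumber CHAR(8) NOT NULL UNIQUE
        REFERENCES hr.Employee (EmployeeNumber)
);
INSERT INTO hr.Employee (EmployeeNumber, EmployeeName, Department)
VALUES ('98765639', N'Joe Smith', N'Defense');        -- constructed sample row
INSERT INTO hr.PseudonymKey (EmployeeNumber)
SELECT EmployeeNumber FROM hr.Employee;
GO
-- Pseudonymised output in the article's format: a stable pseudonym in place of
-- the name, with the other identifying columns replaced by a fixed mask.
CREATE VIEW reporting.EmployeePseudonymised AS
SELECT CONCAT('Emp ', FORMAT(k.PseudonymId, '00000')) AS EmployeeName,
       REPLICATE('X', 8) AS EmployeeNumber,
       REPLICATE('X', 8) AS Department
FROM hr.PseudonymKey AS k;
GO
-- Analysts read only the view. Both schemas have the same owner, so ownership
-- chaining lets the view work while direct access to hr is denied.
CREATE ROLE Analyst;
GRANT SELECT ON SCHEMA::reporting TO Analyst;
DENY  SELECT ON SCHEMA::hr        TO Analyst;
GO
-- Re-identification needs the key table, which is what separates pseudonymised
-- data from anonymised data. Only principals with access to hr can run this.
SELECT e.EmployeeName, e.EmployeeNumber, e.Department
FROM hr.PseudonymKey AS k
JOIN hr.Employee     AS e ON e.EmployeeNumber = k.EmployeeNumber
WHERE k.PseudonymId = 1;
```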
 

GDPR Article 33 – Notification of a personal data breach to the supervisory authority

 
Article 33 of GDPR focuses on the measures that the controller needs to take in case of a breach of users' data, and the necessary steps to eradicate the effects that can arise.
 
This calls for an audit record of all the processes related to personal data.
 
SQL Database Threat Detection (Azure SQL Database) can help with compliance with this guideline.
 
 

GDPR Article 35 – Data protection impact assessment

 
Article 35 of GDPR requires the controller to seek the advice of the data protection officer when a data protection impact assessment is carried out. Organizations are required to analyze their risk with various assessments.
 
Tools to be used:
  • SQL Server Audit
  • Temporal Tables

Data Discovery and Classification (SSMS)

 

SSMS: SQL Data Discovery and Classification

 
SQL Server Management Studio (SSMS) has a very interesting feature, Data Discovery and Classification, which helps us protect our data with the following capabilities:
  • Discover sensitive data in your database with recommendations
  • Classify and label columns as holding sensitive data
  • Report classification and sensitive data held in your databases. 
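
The three capabilities listed above also have a T-SQL form on SQL Server 2019 and later and on Azure SQL Database, which makes classifications scriptable. The block below is an added example, not code from the original article; dbo.Applicant is a hypothetical table, the label and information-type strings are illustrative, and the name patterns in the last query are an assumed heuristic.

```sql
-- Added example: hypothetical table; label and information-type values are illustrative.
CREATE TABLE dbo.Applicant (
    ApplicantId INT           NOT NULL PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(256) NOT NULL,
    BirthDate   DATE          NULL
);

-- Classify and label: the classification is stored as metadata on the column.
ADD SENSITIVITY CLASSIFICATION TO dbo.Applicant.FullName
    WITH (LABEL = 'Confidential - GDPR', INFORMATION_TYPE = 'Name', RANK = MEDIUM);
ADD SENSITIVITY CLASSIFICATION TO dbo.Applicant.Email
    WITH (LABEL = 'Confidential - GDPR', INFORMATION_TYPE = 'Contact Info', RANK = MEDIUM);

-- Report: every classified column in the database with its label.
SELECT s.name AS SchemaName, t.name AS TableName, c.name AS ColumnName,
       sc.label, sc.information_type, sc.rank_desc
FROM sys.sensitivity_classifications AS sc
JOIN sys.columns AS c ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
ORDER BY s.name, t.name, c.name;

-- Discover: columns whose names suggest personal data but that carry no
-- classification yet (here BirthDate). The patterns are an assumed starting
-- point and should be extended to match local naming conventions.
SELECT s.name AS SchemaName, t.name AS TableName, c.name AS ColumnName
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
LEFT JOIN sys.sensitivity_classifications AS sc
       ON sc.major_id = c.object_id AND sc.minor_id = c.column_id
WHERE sc.major_id IS NULL
  AND (c.name LIKE '%name%'  OR c.name LIKE '%mail%'
    OR c.name LIKE '%birth%' OR c.name LIKE '%phone%')
ORDER BY s.name, t.name, c.name;
```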

Challenges

  • Requirements of the Regulation
    The regulation contains so many requirements that it becomes difficult to adapt to all of them.

  • Technicality
    The level of technical resources required to satisfy, implement and maintain the GDPR guidelines is a heavy burden for small businesses, and even for growing ones, as the technical issues can be complex.

  • Lack of technology-related technical procedures
    It is extremely difficult to track down the procedures and optimize them.

  • Data Protection Officer (DPO)
    DPOs are individuals who are independent experts in data protection. They monitor organizations' compliance with data protection requirements and advise on obligations and assessments under the GDPR guidelines.

Benefits of GDPR

  • Trust
    The organizations following GDPR guidelines develop a level of trust from their users.

  • Legal Clarity
    The organization gains clarity about the user/client relationship, which provides a safety net for both sides.

  • Quality Risk Assessment
    GDPR helps organizations improve their risk assessment, which can save organizations and companies from huge reputational and monetary damage.

  • Improved Security Framework
    By following the GDPR guidelines, organizations gain high-quality security amid all the data breaches happening worldwide. When followed efficiently, GDPR levels up a company's security through the combination of regular system audits, monitoring and the caution of the organization's employees.

Conclusion

 
Thus, we learned what GDPR actually is, its various guidelines, and the prospective services in Azure that address these guidelines and, when followed correctly, provide high security for users' personal data. We also learned about pseudonymization, SSMS, the challenges of implementing GDPR, and its benefits.