How the GDPR will impact your software delivery processes
About Redgate: 230 Redgaters and counting; 17 years old; 202,000 customers; 2m SQL Server Central and Simple Talk users; 91% of the Fortune 100 use our tools; 4m website visits each year; 1058 product releases last year; 68 User Groups sponsored last year
Your Presenter Richard Macaskill Product Manager richard.macaskill@red-gate.com @datamacas
Disclaimer: This is NOT legal advice. No legal review has been undertaken of this material. I am not a lawyer!
We will discuss: the principles of data protection; understanding GDPR jargon; steps to consider to ensure compliance, building your defensible position under GDPR; an introduction to Redgate's Data Privacy and Protection Solution
History
Data Breaches are the New Normal [Chart: Data Breaches and Millions of Records Exposed, by year, 2012 to 2017. Source: Identity Theft Resource Center]
The General Data Protection Regulation: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). A 50,000-word document.
The General Data Protection Regulation: The Biggest Legislative Change the Data Industry has Ever Seen. "There's a lot in the GDPR you'll recognise from the current law, but make no mistake, this one's a game changer for everyone." Elizabeth Denham, UK Information Commissioner, 17 Jan 2017
The global scope of the GDPR: Non-EU organisations will be subject to the GDPR where they process personal data about EU citizens in connection with: the offering of goods or services (payment is not required); or monitoring their behaviour within the EU
What about the U.S.?
GDPR as blueprint. Japan: Act on the Protection of Personal Information (GDPR copy). Australia: Privacy Amendment (Notifiable Data Breaches) Bill 2016. UK (post Brexit): Data Protection Bill (GDPR copy). US: NIST Special Publication 800-53; state regulations
Key Changes: Increased Territorial Scope; Consent; Penalties of 4% of turnover or EUR 20 million, whichever is greater. "Such penalties shall be effective, proportionate and dissuasive."
Roles: Controller, Processor, Data Subject
Categories. Privacy of what? Not all data is private. Before GDPR even becomes law, you'll be expected to have audited your data and identified the two categories of personal data that require special handling: standard personal data and special personal data. By implication, other data, and data not yet classified?
Personal data breaches can include: access by an unauthorised third party; deliberate or accidental action (or inaction) by a controller or processor; sending out personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; loss of availability of personal data
Data subjects' rights: Right to be informed; Right to access; Right to rectification; Right to erasure; Right to restrict processing; Right to data portability; Right to object; Rights in relation to automated decision making and profiling.
The principles of GDPR are the principles of good data protection
1) Lawful, fair and transparent: Data shall be processed lawfully, fairly and in a transparent manner in relation to individuals. What makes processing lawful and transparent?
2) Purpose Limitation: Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. How is the data you collect used?
3) Data Minimisation: Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. More data = more risk
4) Data Accuracy: Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Are you making decisions based on inaccurate data?
5) Storage Limitation: Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6) Integrity and Confidentiality: Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. What are appropriate technical measures?
Understanding GDPR jargon
Data Protection by Design and by Default: A general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Do it early, not as an afterthought.
Appropriate Technical Measures: Documentation; Encryption, pseudonymization, anonymization; Oversight of protection; Change Control; Procedures for out-of-process change
Documentation
Pseudonymization vs Anonymization: "The principles of data protection should therefore not apply to anonymous information, that is [...] data rendered anonymous in such a way that the data subject is not or no longer identifiable"
Most organizations do copy-down live data. Source: https://assets.red-gate.com/products/dba/sql-clone/sql-server-database-provisioning-report.pdf
Consented vs non-consented processing
Data Protection Impact Assessment (DPIA): A description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing operations; an assessment of the risks to the rights and freedoms of the data subjects concerned; the measures which will be put in place to address those risks and demonstrate compliance
Data Protection Impact Assessment. Is it necessary? 9 criteria: Evaluation or scoring (e.g. consulting an AML or fraud prevention database); Automated decision taking leading to legal or similarly significant effects; Systematic monitoring in publicly accessible areas; Processing of sensitive or highly personal data (communications data, location data, financial data); Large scale; Matching databases; Vulnerable data subjects where there is an imbalance of power (children, employees, patients, the elderly); Innovative uses of technology (the example given is that IoT applications may require a DPIA); Processing which could exclude individuals from using a service or contract, or from exercising a right. Source: ARTICLE 29 DATA PROTECTION WORKING PARTY, October 2017 revision, http://ec.europa.eu/newsroom/document.cfm?doc_id=44137
Data Protection Impact Assessment. "In practice, this means that controllers must continuously assess the risks created by their processing activities in order to identify when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons." Source: ARTICLE 29 DATA PROTECTION WORKING PARTY, October 2017 revision, http://ec.europa.eu/newsroom/document.cfm?doc_id=44137
Subject access requests in relation to: Right to be informed; Right to access; Right to rectification; Right to erasure; Right to restrict processing; Right to data portability; Right to object; Rights in relation to automated decision making and profiling.
Breach notification checklist: We have an assessment process. We know who the relevant supervisory authority is. We have a notification process (within 72 hours of becoming aware of the breach). We know what information we must give the ICO. We have a process to inform affected individuals (if high risk). We know we must inform affected individuals without undue delay. We know what information to provide to individuals. We document all breaches.
Accountability: "The controller shall be responsible for, and be able to demonstrate, compliance with the principles." 39 of the 99 GDPR Articles require evidence to demonstrate compliance.
Demonstrating Compliance: "In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default"
Steps to consider in ensuring compliance: 1. Where is your data? 2. What exactly is your data? 3. Who is accessing your data, and for what purpose? 4. How can you demonstrate adequate protection?
How will GDPR impact your software delivery?
The best compliance is deterministic. It's not that you did the right thing; it's that the right thing is ALWAYS done. The use of data should be driven by the consent given and the processing policies agreed to. The behaviour of its use is then driven by its classification.
Redgate's Data Privacy and Protection Solution
What customers get from our solution: Redgate helps you protect your business by providing a scalable and repeatable process for managing personally identifiable information as it moves through your SQL Server estate. Our solution maps a customer's SQL data estate, then monitors and controls it for protection appropriate to the sensitivity of the data, ensuring compliance during data handling.
1. Discover: Save time mapping your SQL Server estate, from production servers to copies for development and test. Gain insight into where databases live, what data they contain, and who has access to it. Tools for the job: provides a window into your SQL Server estate; auto-discover SQL Servers in your domains; see who has access to what, and their permission level.
2. Classify: Remove the guesswork in understanding which tables or columns contain sensitive data for compliance. Give data context by assigning descriptive labels aligned to the Microsoft taxonomy. The foundation for applying the right security levels to data as it moves around the SQL Server estate. Tools for the job: label servers, databases, tables and columns to tag which contain PII, using a taxonomy aligned to Microsoft's: personal, non-personal, and special.
3. Protect: Safeguard against data breaches and unauthorized access by masking and encrypting sensitive data. Automatically apply masking rules when provisioning new databases, or when refreshing development and test environments with production data. Ensure your business-critical data is safe by always backing up your SQL Server databases. Tools for the job: replace sensitive data with anonymized yet realistic data; a repeatable, transparent and auditable process for provisioning; protect against accidental loss of user data, database corruption or hardware failures.
4. Monitor: Prove compliance through ongoing tracking, management and reporting of your data protection policy. Be alerted to incidents affecting the ability to restore the availability of and access to personal data in a timely manner. Tools for the job: automatically generate reports mapping the SQL Server estate; track changes with snapshots and receive notifications by e-mail; check user access permissions for servers containing PII; monitor the availability of servers and databases containing PII.
Some suggestions: Involve the whole organization. Start work on your data map(s). Review your oversight of the data estate. Review your SDLC. Consider re-tooling. Practise! (data breach response, DPIA). Show your work! (decisions taken, risk assessments)
...and keep learning! What is your defensible position under GDPR? The landscape is changing and case law will soon be here. Regulators' websites (e.g. https://ico.org.uk); industry discussion (e.g. https://www.red-gate.com/hub); meetups (e.g. https://www.meetup.com)
Question and Answer Session
Need help? Contact us: sales@red-gate.com, richard.macaskill@red-gate.com. Discover Redgate's full solution: Data Privacy and Protection, www.red-gate.com/solutions/data-privacy-protection; SQL Data Privacy Suite, www.red-gate.com/products/dba/sql-data-privacy-suite