Data in the Digital Era
GDPR, the General Data Protection Regulation, is on everyone’s radar right now - and rightly so. Since 1998, the Data Protection Act (DPA) has served as the guideline for how information about living people may be legally used and handled within the UK. As the amount of digital information we create, capture and store has vastly increased, it is no surprise that these regulations are now to be replaced with new, fit-for-purpose rules termed “the most groundbreaking piece of EU legislation in the digital era”.
The scale of change from the DPA to GDPR is substantial, and it is an understatement to say that its implementation will have significant consequences for all organisations, from both an operational and a financial perspective. Falling out of compliance with data regulations exposes organisations to much larger fines: the theoretical maximum rises from £500,000 to an upper limit of €20 million or 4% of annual worldwide turnover - whichever is greater. With GDPR effective as of the 25th May 2018, there is still a great deal of uncertainty and doubt about how to safeguard your business from these penalties.
Here at Xynomix, we are not specialists in GDPR. There are a growing number of firms claiming to help businesses prepare for the changes GDPR will bring, in return for a tidy sum for their expertise. On the other hand, we are specialists in all things database, whether that is Oracle Standard or Enterprise Edition, or Microsoft SQL. With over 20 seasoned technical consultants collectively amassing hundreds of years of experience, this is what we do - 24 hours a day, 365 days a year.
Our core services are all about the database and the infrastructure it sits on, whether this is traditional server/storage hardware on-premise, in the cloud, or in a hybrid set-up. We provide strategic consultancy, practical hands-on DBA on-site or remote services and support, and ongoing proactive managed support - whatever your requirements. In the past few months, we’ve seen a significant increase in the number of questions about GDPR, so we thought it might be useful to discuss our take on it, from a database perspective.
The Database Perspective
When it comes to compliance with GDPR at a database level, it’s important to emphasise that this does not just mean encryption. After all, how safe are the encryption keys? How are they managed? GDPR is a complete business obligation, and when it comes to the database, we can help. As experts in this field, we see many different architected solutions - some better than others - but many are not optimised or are over-engineered, unnecessarily costly, and do not actually provide the resilience you need for compliance, or the resilience you think you have.
What we can do is assess your entire solution architecture, from the infrastructure to the software. In this assessment, we can provide a system review of what you have, recommend changes that will optimise performance, support an effective patching policy, and ensure you have appropriate backup and DR strategies that are tested regularly to meet the needs of your business and your customers’ data. We can also ensure you only have the licences you need, as over-engineered systems often result in unnecessary or insufficient licences.
However, if you just want to blow away some of that fear, uncertainty and doubt, and know what options are available to you, then the following provides a brief outline of what to consider and how to best secure and encrypt your data effectively.
The 6th Principle
Whilst the DPA had eight guiding principles, GDPR has six - and it’s the sixth that is primarily of interest here: integrity and confidentiality. This requirement states that “data should be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, loss, damage or destruction, and kept safe and secure”, and means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.
In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach.
- be clear about who in your organisation is responsible for ensuring information security.
- make sure you have the right physical and technical security, backed up by robust policies and procedures, and reliable, well-trained staff.
- be ready to respond to any breach of security swiftly and effectively.
Securing data is becoming a very complex problem, with more and more interconnected systems. Security can no longer be seen as a bolt-on, or something to do later. It has to be a conscious effort by all parties in the information lifecycle: from the design of systems and the creation of data, to the retirement of systems and the disposal of data. Security has to be looked at holistically, as you are only as strong as the weakest link. As such, you must consider:
- Engagement with all parties about security
- Physical security
- Access controls to systems and data
- A robust removal process for accounts
- Robust auditing processes and policies
- Data transfers, encrypted at source and in transit (disk and wire)
- Log files (error or processing logs) containing personal data
- Disposal of data assets, the deletion process & how physical disks are destroyed/wiped
- Patching security issues
- Data copies e.g. test and development or training
The Value of Data
What is the value of data, and the cost if lost? According to an article from the World Economic Forum:
“There is no standard practice or formula set in place to assess the value of data, but many more nations are becoming conscious of the enormous value data economy is creating. According to the European Commission, by 2020 the value of personalised data will be 1 trillion euros, almost 8% of the EU’s GDP. As this trend grows, there will be increasingly growing conflict between the value of data and individual privacy and consent... Recently, Equifax, a US based consumer credit reporting agency that collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide, suffered a data breach of 143 million users. As a result, they’re facing a class action lawsuit of up to $70 billion.”
Data is extremely valuable, and therefore needs to be treated as a financial asset within organisations, and if lost or breached, the costs in fines and business reputation massively outweigh any costs to secure it.
The Information Commissioner’s Office states that organisations should consider encryption alongside other technical and organisational measures, taking into account the benefits and risks that it can offer. Furthermore, it recommends that personal data should be stored in an encrypted form, to protect against unauthorised access or processing, especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals. Many legal firms are also advocating that encryption within databases and storage should be considered as a mitigation against any fines arising from potential breaches.
So, what needs to be encrypted, and how do we do this? Organisations must identify the complete data flow from source to destination, and encrypt data in flight (i.e. over the wire, or between systems over the Internet), at rest (i.e. on disks/storage and ideally in memory), and in backups and archives. It’s also important to note that access controls and identity management are just as important as the encryption itself: if everyone has access to the decryption keys, the data is no more secure than before. Controls and encryption must work together to mitigate any data leakage from the organisation. As such, decryption keys need to be allocated on a need-to-know basis and controlled, and organisations must identify who can see the data along the way and limit access at each stage. These controls need to be maintained and updated on a regular basis to reflect any business, regulatory and system changes. Don’t just set it and forget it!
Encryption also generates a number of additional issues to consider. Firstly, users or systems must hold a decryption key so they can see the data in the clear, implying that keys need to be stored or located in multiple places. Secondly, to anyone holding a decryption key, the data is effectively unencrypted: encryption limits who can see the data, but does not stop access completely. Lastly, if decryption keys are lost, the data becomes almost impossible to decrypt, meaning that management of the keys is extremely important.
So what’s available for Oracle and SQL Server users? Oracle Advanced Security offers Transparent Data Encryption (TDE) and Data Redaction capabilities, keeping encrypted data secure and available throughout the data management lifecycle through a two-pronged approach. SQL Server users have access to a variety of encryption solutions depending on the age and edition of their system. This includes Cell Level Encryption, TDE, Encrypting File System and recently, in SQL Server 2016, Always Encrypted.
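As an added example (not code from the original post or from Xynomix), the T-SQL below enables SQL Server Transparent Data Encryption on a hypothetical CustomerDB, backs up the certificate that protects the database encryption key so the key-loss scenario described above cannot make the data unrecoverable, and then reports the encryption state together with when the private key was last backed up; the database name, file paths and passwords are placeholders.

```sql
-- Added example: SQL Server TDE set-up with certificate backup and verification.
-- "CustomerDB", the file paths and the passwords are placeholders; replace them.

USE master;
GO

-- 1. Database master key in master, protected by a password (placeholder).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongDmkPassword>';
GO

-- 2. Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for CustomerDB';
GO

-- 3. Back up the certificate and its private key to storage held outside the
--    server (placeholder paths). TDE backups stay encrypted, so without this
--    copy neither the database nor its backups can be restored elsewhere.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keybackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keybackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<StrongPvkPassword>'
    );
GO

-- 4. Create the DEK inside the target database and switch encryption on.
USE CustomerDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE CustomerDB SET ENCRYPTION ON;
GO

-- 5. Verify: encryption_state 3 means encrypted, 2 means the initial scan is
--    still running. A NULL pvt_key_last_backup_date flags a certificate whose
--    private key has never been backed up.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.key_algorithm,
       dek.key_length,
       c.name AS certificate_name,
       c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS dek
JOIN master.sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint;
```

The verification query is worth running on a schedule across the estate, since a certificate with no recorded backup is exactly the lost-key risk the text warns about.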
Whilst GDPR may sound daunting, it’s vital that your organisation gets on board with these new regulations. You need to understand the flow of data in, through, and out of your organisation, and consider who can see and decrypt the data, what is encrypted, where it is encrypted, and audit all access to data. Essentially, you need to treat data as a financial asset and protect it, if you want to avoid the massive GDPR penalties looming for non-compliant firms. If you're an ISV and want to provide a better architected solution for your customers, or just want to talk to someone about the underlying database your system sits on, please get in touch. We have a team of expert consultants able to assist.