Of late, there’s been a lot of noise around the term, GDPR. Chances are, some of us even had to go through learning sessions targeted at IT professionals to learn about what this new standard of data protection means. GDPR is primarily a European privacy law which sets a new bar, globally, on privacy rights, compliance, and security. GDPR is mainly about protecting the rights of every individual, providing the individual with more control over his personal data. It dictates how data should be handled, managed and protected going forward, the individual’s choice being the prime focus.
Today, data is widespread; many corporations handle part of the data on the cloud and part of it on premises. Our focus being SQL Server, we shall talk about what capabilities Microsoft gives us in order to be compliant with these laws that come into effect on the 25th of May, 2018. We would have to modify our data handling procedures keeping the focus on the security of the data processing.
There are several built-in security capabilities in SQL Server to help in reducing risk and an overall improvement in managing data at the database level or otherwise.
Now that we have a basic idea on GDPR, let’s now dive a little deeper. Here are a few points to keep in mind:
- Discover: Identify which data is of personal nature, and technical details about it such as its location and the mode of storage.
- Manage: Classify the data access needs and decide the governance model accordingly.
- Protect: set up security controls to prevent vulnerabilities and also detect and respond to data breaches.
- Report: Document and manage data requests, and provide notifications in case of breaches.
Following are the features in SQL Server that support GDPR compliance:
- Row-Level Security (RLS)
- Dynamic Data Masking (DDM)
- Transparent Data Encryption (TDE)
- Transport Layer Encryption (TLS)
- SQL Server Audit
- Temporal Tables
- Always Encrypted (AE)
- Authentication
- Azure vault
- Azure Active Directory
- SQL Threat detection
GDPR can be further classified into several categories as follow:
- Encryption
- Pseudonymous data
- Configuring Always Encryption in SQL Server
- Dynamic Data Masking (DDM)
- Data access, authorization and limitation
- Row-Level Security (to be discussed in detail in this article)
- TDE
- Azure Active Directory
- Always Encrypted
- Assessment, reporting and notification
- SQL Server Audit
- SQL Threat Detection
Further reading
Wrapping up
In this article, we walked through the filter and block predicates. We went step by step to provide the required access to users and also, isolate the data operations from various users. This feature greatly simplifies the data security design and helps go closer to implementing GDPR, by enabling us to manage the application access model effectively.