eu gdpr and security compliance for the dba
play

EU GDPR and Security Compliance for the DBA Santa Clara, California - PowerPoint PPT Presentation

EU GDPR and Security Compliance for the DBA Santa Clara, California | April 23th 25th, 2018 Meet Your Presenters Tyler Duzan Jeff Sandstrom Product Manager for MySQL Product Manager for MongoDB Software at Percona Software at


  1. EU GDPR and Security Compliance for the DBA Santa Clara, California | April 23th – 25th, 2018

  2. Meet Your Presenters Tyler Duzan Jeff Sandstrom • Product Manager for MySQL • Product Manager for MongoDB Software at Percona Software at Percona • Prior to joining Percona was an • Jeff has been a Product Manager Operations Engineer for more for over ten years, first in the than twelve years contact center space, then enterprise voice, and now open • Background in security and source databases. He's a compliance, specifically PCI, business nerd who loves tech. HIPAA/HITECH, HITRUST, SOC, and FEDRAMP & FISMA. 2

  3. Disclaimer • We are not Attorneys, we are Product Managers • Nothing within this presentation should be construed as legal advice • You should consult with an attorney to understand and mitigate any compliance risk for your organization • This presentation is not all-inclusive, we are discussing specific selected Articles of the GDPR we think are especially relevant 3

  4. Outline 1. General Overview of Compliance 2. GDPR Key Terminology 3. EU GDPR Articles a DBA Should Know • Article Overview • Articles of Particular Interest to DBAs • Deep Dive into Article 17, Article 25, Article 32-35, and Article 44 4. How Does Percona Software Help to Solve This? 5. Open Questions for DBAs to Consider 6. Q&A 4

  5. General Overview of Compliance

  6. Compliance Objectives • Build a secure infrastructure and know where sensitive data resides • Implement consistent security and data-handling standards across the enterprise • Design and implement effective controls for access to sensitive data • Provide a pathway to audit the organization • Reduce risk to the organization from data breaches • Protect your customers and partners who have entrusted you • Protect shareholder value 6

  7. Why Compliance Matters to the DBA • Datastores across the enterprise may likely contain sensitive data • Databases are a primary target for malicious actors attempting a data breach • Most compliance regulations specifically prescribe methods and techniques that must be used for datastores • The DBA is often the primary responsible party for implementing compliance controls and technical measures for protecting data 7

  8. How Has Compliance Changed? • Compliance regulations began by targeting specific industry verticals such as healthcare, finance, and government. • The focus of early compliance was really on mitigating broad organizational risk, typically when handling data that had large financial risk implications or national security implications • Later compliance regulations began focusing on the safety of consumer data as technology became integral to our daily existence • Many of these regulations limited coverage to situations where the consumer might be directly financially impacted by a breach and where a clear and direct customer relationship existed 8

  9. How Has Compliance Changed? • Lately compliance regulations have shifted because of a shifting environment both in technology and economics. • Current compliance regulations must take into account the existence of cloud providers, the ubiquity of Software-as-a-Service (SaaS) applications for both businesses and consumers, and the rise of sophisticated attacks. • We now exist in a world where great harm can be caused at scale using data that was previously thought to be innocuous. Many of these are first of their kind attacks. • EU GDPR seeks to address many of these concerns by emphasizing that fundamental ownership of data resides with the person whom that data is about. 9

  10. GDPR Key Terminology

  11. Terminology • Data Controller • The entity that is determining the purposes and means of processing the data. - Example: A social media application collecting user information, a manufacturing company collecting personal data about employees, etc. • Data Processor • The entity that processes data on behalf of the Data Controller. - Example: A payroll company that is issuing paychecks for a manufacturing company’s employees, a cloud service provider storing personal data • Data Processing • Any automated or partially automated operation performed on personal data 11

  12. Terminology • Data Subject • A natural person whose personal data is processed by a Controller or Processor • Personal Data • Any information that can directly or indirectly identify the Data Subject - Examples: • Biometric data • Health data • Online identifiers • Geolocation data • PII (name, address, government ID number, etc) • Profiling • Any data processing intended to evaluate, analyze, or predict the behavior of a Data Subject 12

  13. GDPR Articles DBAs Should Know

  14. GDPR Articles Overview • Chapter 1: General Provisions • Chapter 5: Transfer of personal data to third countries of • Article 1-4 international organizations • Chapter 2: Principles • Article 44-50 • Article 5-11 • Chapter 6: Independent • Chapter 3: Rights of the Data Supervisory Authorities Subject • Article 51-59 • Article 12-23 • Chapter 7: Cooperation and • Chapter 4: Controller and Consistency Processor • Article 60-76 • Article 24-43 14

  15. GDPR Articles Overview • Chapter 8: Remedies, Liabilities, • Chapter 11: Final Provisions and Sanctions • Article 94-99 • Article 77-84 • Chapter 9: Provisions relating to specific data processing situations • Article 85-91 • Chapter 10: Delegates Acts and Implementing Acts • Article 92 & 93 15

  16. Articles of Particular Interest to DBAs • Article 17 • Article 32 • “the (…) controller shall have the • Security of data processing obligation to erase personal data • Article 33 & 34 without undue delay, especially in • Notification of a personal data relation to personal data which are breach to the supervisory authority collected when the data subject was a child, and the data subject shall • Communication of a personal data have the right to obtain from the breach to the data subject controller the erasure of personal • Article 35 data concerning him or her without undue delay.” • Data protection impact assessment • Article 25 • Article 44 • Data protection by design and by • General principles for transfers default 16

  17. General Areas of Concern in GDPR • Change Management • Data Discovery and Classification • Environmental Evaluation • Establishing Appropriate Internal Processes • Auditability • Internally defining ethical walls • Tracking location of data by user / Data Mapping 17

  18. Article 17 • Establishes a legislative structure which resides ownership of data with the Data Subject • Establishes the “Right to be Forgotten” as EU Law • “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”. • Expands deletion requirements to now include the obligation for the Data Controller to inform anyone else who has the Personal Data when a deletion request is received, extending to Data Processors or copies of that data 18

  19. Article 25 • Enshrines the concept of data protection by design and default • Requires that controls must be in place to ensure that • Personal Data cannot be attributed to an identified or identifiable Data Subject • Only the Personal Data necessary for a specific purpose can be processed • Only the Personal Data necessary for a specific purpose is collected • Data that is no longer needed should be deleted • Implies strongly specific technical requirements, which in some cases are defined elsewhere • Data minimization, data masking, data pseudonymization • Implementing strict ethical walls and access controls within your organization for seeing Personal Data • Utilizing best practice methods for protecting Personal Data when stored 19

  20. Article 32 • Requires both Data Controllers and Data Processors to implement certain technical and organizational measures • These measures help to prescribe how to handle the philosophical basis of EU GDPR • Technical examples • Encryption for data that is both “at rest” and “in motion” • Monitoring and auditing access to Personal Data • Data masking for applications which access Personal Data • Organizational examples • Maintaining data accessibility and planning for a response to a breach • Testing and evaluating the effectiveness of your controls • Auditability of your environment 20

  21. Article 33 and 34 • Establishes the requirements for informing regulators (Supervisory Authority) and users (Data Subjects) when a breach occurs • Data Controllers must inform the appropriate Supervisory Authority within 72 hours of a data breach occurring or provide a substantial reason for any delay • Data Processors must notify Data Controllers immediately as soon as they become aware of a breach • If a data breach presents risk to users Data Controllers and Data Processors must individually notify affected Data Subjects, without undue delay . • If it’s not possible to provide all required information initially, it can be provided in phases through multiple notifications 21

Recommend


More recommend