When most of us think about data protection, we probably think about database backup and recovery – creating a safe copy of your data that you can restore if it’s lost or becomes corrupted – and you wouldn’t be wrong. However, data protection now has a broader meaning as data becomes the critical business resource that companies depend on to support successful digital transformations that lead to growth and revenue into the future.
As we recently marked the third anniversary of the introduction of the General Data Protection Regulations (GDPR) in Europe on May 25, it’s a good time to reflect on how well prepared you are for compliance with data privacy regulations and what you are doing to protect the personal and sensitive data in your organization.
There has been extensive press coverage over the last few years involving well-known companies who have been financially penalized under the GDPR for breaches of personal data (Google, Facebook, Uber, Microsoft, etc). This has raised concerns in many companies about what a data breach would mean to them in terms of financial impact, reputational damage and potential loss of business.
As a consequence, there has been a tangible re-focus on the needs of individuals and their rights to have their sensitive data protected. Regulatory instruments such as GDPR, HIPAA, SOX, PCI DSS and others can impose large fines on companies who fail to comply.
The California Consumer Protection Act (CCPA) came into effect in January 1, 2020 and, like the GDPR, requires organizations to obtain consent from individuals to collect and use their data, and then disclose how their organizations will use that data.
Start with a data inventory
As organizations begin to evaluate their data landscape, they should consider the following questions: What kind of data do we store, who has access, where is it stored and is it secure? This provides a good starting point to evaluate the data across the organization.
Performing a regular data audit will help promote visibility and provide DBAs with a better view of the data protection processes that might have been neglected over time.
This is where Enterprise Architecture and Business Process Modeling play a part in helping to map out the structures, behaviors and processes of the business and relate them to your business objectives and strategic initiatives, such as cloud migration.
You then need to establish the relationships between your business processes and your data assets in order to track the data to maximize security, quality and value and to support good data governance. This combination of data cataloging and data literacy is what we refer to as Data Intelligence.
Once you understand the IT infrastructure that supports your business, you can begin to see where the servers and database are that store this data. Now you can begin the task of identifying areas that need data protection.
Leverage independent experts with in-depth knowledge of the regulations
Having the appropriate staff in place will make all the difference in applying data policies. In recent years, we’ve seen an increase in the number of appointments of a Chief Data Officer (CDO), whose job it is to set the data protection policy. Having a presence at the top of the organization ensures policies are put into practice correctly.
If appointing a policy executive in your C-suite is beyond your budget, consider leveraging an independent expert to evaluate your organization and provide advice on upcoming policy changes (if they are fluent in the appropriate regulations, it tends to help). For example, under the GDPR, it is strongly recommended to hire a Data Protection Officer (DPO), whose job it is to advise the business on what processes and practices they need to ensure they remain compliant and to help mitigate against the risk of fines and reputational damage.
Having the appropriate people at the operational level ensures that business is occurring inside a regulatory framework, and prepares the IT community to understand how new policies will affect the management of their databases.
Try Toad free for 30 daysWant to try before your buy? Sensitive data protection is available in Toad for Oracle Professional DBAdmin Subscription Edition and above. Try it for free, in 30-day trial of Toad for Oracle. Free 30-day trial of Toad for Oracle Questions? Volume discounts? Want a demo? Talk with an expert. |
How to identify and protect personal data
According to the 2020 Insider Threat report, 90% of companies feel vulnerable to insider attack, with 53% confirming insider attacks in the last 12 months.
These surprising facts indicate that vulnerabilities may exist inside your organization – even development and test databases, that also contain sensitive information.
Clearly, data protection across your enterprise is going to be a huge undertaking. The good news is, you don’t have to protect all of it under data privacy regulations, since most won’t contain any personal or sensitive information. The bad news is that trying to figure out which specific data needs to be protected under GDPR or CCPA or other regulations is still a huge undertaking.
The other complication is that for companies who build, test and deploy their own applications, developers and testers need access to production data to perform effective testing, especially as businesses strive to be more agile, leverage DevOps practices and use automated software delivery pipelines that require things to move faster.
Provisioning of production data that contains personal and sensitive information to development and testing personnel is a major challenge for IT operations staff.
What’s needed is a way to scan and identify personal and sensitive data automatically, based on pre-defined rules or templates that are built for specific data privacy regulations. Having identified the tables and columns in the database, it’s then a fairly straightforward step to apply the appropriate data protection measures.
The measure to be applied depends on the environment in which the data lives. For production databases, data redaction or encryption makes the most sense, since it doesn’t physically change the data.
However, using encrypted data for unit testing won’t work, since it would have to decrypted by the testing tool. In this case, data masking is the preferred option. Masking physically changes the data but retains the data type and size.
Having identified the data that needs to be protected, it’s now much easier to set up auditing protocols on your production databases targeted to transactions that use this data. Since transactional auditing can be resource-intensive on the database, this approach enables the right balance between the need to protect data with the need to ensure good application performance.
GDPR, CCPA and other data privacy regulations have changed the way organizations around the world look at data and have dramatically changed the way organizations store user data.
Most businesses are effectively data companies, which means all organizations need to take data privacy seriously. To be good citizens of the world, we must first be good students and learn from the changing policy around us. Our data depends on it.
Useful resources:
Video:Just learning about sensitive data protection? Watch this 2-minute video.
Tech brief:Find out how you can search for sensitive data in this 2-page tech brief.
White paper:8 Questions DBAs Need to Answer About Data Privacy and Protection.
Product page: Visit our product page on Quest.com to learn how you can find and control sensitive data across all your Oracle databases.
Related Toad World blog posts:
How to define sensitive data rules and default policies
Amphibian Evolution, GDPR and Sensitive Data Protection
Toad for Oracle Sensitive Data Protection Module FAQ
Guide to the Toad for Oracle Sensitive Data Protection Module
Questions? Start a discussion.
Have any additional questions? Click Start Discussion and this blog topic will be transferred to the Toad World Forum.
Start the discussion at forums.toadworld.com