On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect, and it will impact the way your organization collects and manages customer data in Europe. GDPR effectively replaces the Data Protection Directive 95/46/EC, and it applies not just to companies in the EU, but to any company offering goods or services in the EU. GDPR focuses on personally identifiable information (PII), including names, pictures, emails, phone numbers, and birth dates. Some countries in the EU may even go as far as to include IP addresses.
This will require changes to your business processes along with updates to IT applications and infrastructure. What does this mean for your databases? What are the key articles that you, your DBA, or anybody working with your databases need to understand?
Before taking on GDPR, there are a few important elements that must be understood about its context. First, GDPR makes a differentiation between being a “controller” of data or a “processor” of data. In the context of GDPR, a controller is considered an organization that collects data, has data, houses data, and manages data, while a processor may be a third party company receiving data from the controller and doing something for the controller. When assessing your GDPR obligations, you need to understand which you are. Are you a controller, a processor, or a little bit of both?
The second element to realize is that this regulation has teeth, and teeth that can bite hard, so you need to take it seriously. The fines for GDPR violations can range between 2% and 4% of revenue, limited only by 10 million euros ($12.5 million) or 20 million euros ($25 million) per occurrence. More details regarding the specifics of the fines and penalties can be found here.
And finally, you need to recognize that GDPR is not explicit about the technical implementation required to be in compliance. Best practices are still emerging. We'll share with you what we know at this point in time. But it's really important that you keep your ear to the ground and understand how this is evolving so you can stay current.
If you have not done so yet, start by reading the GDPR documentation. It is 256 pages long, with 99 articles, and a significant preamble, but it is worth the read. I read the whole thing, and doing so helped put GDPR into a useful context.
Not all 99 articles are relevant for a DBA; the relevant articles include:
ARTICLE 17 — Right to be forgotten, i.e., the right to erasure
ARTICLE 20 — Right to data portability
ARTICLE 25 — Data protection by design and by default
ARTICLE 32 — Security of processing
ARTICLE 33 — Notification of breach to the supervisory authority
ARTICLE 34 — Notification of breach to the data subject
In our webinar, 5 Ways to Make Your Postgres GDPR-Ready, I explore each of these articles in detail, discussing how they will impact your organization, your databases, and your accountability. We encourage you to watch our webinar, download the slides, and read the GDPR documentation.
GDPR may be long, but it is important to understand the details of this regulation. And frankly, it might help you drive the change within your organization to do things that you have known for a long time are the right things to do.
Consult with peers and get advice. And then get in touch with us. As a global organization, EnterpriseDB® (EDB™) works to understand the government regulations in place all around the world, not just those affecting the U.S. We work with many major credit card companies and financial institutions, and are continually deepening our knowledge for how to deal with the requirements of GDPR. Talk to us about your infrastructure, and we can help you make sure that it is well supported and robust. Plus, we offer a lot of free Postgres training that is truly free, and can help your teams become Postgres certified. Take advantage of the available resources, because there are just over one hundred days left until GDPR takes effect. But who's counting?
Marc Linster, Ph.D., is Senior Vice President, Product Development, at EnterpriseDB.
(Originally posted 02/12/2018 on the EDB website.)