How to ensure GDPR compliance using Oracle database products
Continuing our series of short guides to help you navigate GDPR, today we outline how Oracle recommends that you tackle some of the tasks covered in previous blogs.
Step 1: Assess
For this stage, you need to focus on three parts of the regulation:
- Article 35 – Conduct impact assessment of your current processes on the protection of personal data
- Recital 90 – For those processes identified as high risk, carry out a full data protection impact assessment
- Recital 91 – Assess the impact of monitoring of publicly accessible areas in relation to GDPR
Oracle recommends the following tools to help you assess where you currently stand:
Oracle Enterprise Manager’s Database Lifecycle Management Pack
Using this tool you can assess the security profile of your Oracle Databases by scanning the configuration.
Oracle Enterprise Manager’s Application Data Modeling
This will help you assess the sensitive data landscape by scanning database columns for sensitive information.
Oracle Database Vault Privilege Analysis
This will help you assess who can reach sensitive data by analysing Oracle Database roles and privileges, and by capturing which of those grants are actually used so that unused ones can be revoked.
Oracle Database Security Assessment Tool (DBSAT)
This tool evaluates your database security configuration, as well as deployed security policies and the state of users, roles and privilege grants.
Step 2: Prevent
For this stage, you need to focus on:
- Article 32 – Implement appropriate technical and organisational measures to ensure an appropriate level of security
- Recital 83 – Evaluate risks and implement measures to mitigate
- Article 6 – Where data is further processed for a purpose other than the one it was collected for, take into account appropriate safeguards such as encryption or pseudonymisation (Article 6(4)(e))
Oracle Advanced Security
Transparent Data Encryption (TDE) encrypts the data at rest, in the data files and backups; Data Redaction masks sensitive columns in the results returned to production applications, so that application users see pseudonymised values while the stored data is unchanged.
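The two Advanced Security controls above, as an added example (Oracle SQL and PL/SQL) that is not part of the original post: a TDE-encrypted tablespace, and a Data Redaction policy that partially masks a national ID and fully masks an e-mail address for every session except the payroll application. The schema HR.EMPLOYEES, its columns and the user PAYROLL_APP are assumed names; the example also assumes a TDE keystore (wallet) has already been created and opened.

```sql
-- Added example, not from the original post. HR.EMPLOYEES, NATIONAL_ID, EMAIL
-- and PAYROLL_APP are assumed names; a configured, open TDE keystore is assumed.

-- 1. TDE: an encrypted tablespace. Every table created in it is encrypted on
--    disk, and so are its backups, without any change to application SQL.
CREATE TABLESPACE pii_data
  DATAFILE 'pii_data01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE hr.employees (
  employee_id   NUMBER        PRIMARY KEY,
  email         VARCHAR2(100),
  national_id   VARCHAR2(11),   -- constructed sample format: 123-45-6789
  country_code  VARCHAR2(2)
) TABLESPACE pii_data;

-- 2. Data Redaction: any session other than PAYROLL_APP sees only the last four
--    digits of NATIONAL_ID. The stored value is not modified; only query results are.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'NATIONAL_ID',
    policy_name         => 'redact_employees_pii',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last position to mask
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'PAYROLL_APP']'
  );
END;
/

-- 3. A table carries a single redaction policy, so the EMAIL column is added to
--    the existing policy with ALTER_POLICY; FULL redaction returns a blank string.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'redact_employees_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'EMAIL',
    function_type => DBMS_REDACT.FULL
  );
END;
/

-- 4. Check: from a session that is not PAYROLL_APP, national_id reads ***-**-6789
--    and email is blank; from PAYROLL_APP both columns are returned in clear.
SELECT employee_id, email, national_id FROM hr.employees;
```

Two caveats a practitioner should keep in mind: redaction changes what a query returns, not what is stored, so users holding the EXEMPT REDACTION POLICY privilege (and SYS) still see the clear values; and TDE protects the files and backups, not a connected user with SELECT on the table. Where the stored value itself must change, for example before copying data to a test system, Data Masking is the right tool.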
Oracle Data Masking and Subsetting
Anonymises the data in non-production environments (test, development, analytics). This also supports Recital 26, which states that the regulation does not apply to anonymous information.
You can also use Subsetting to delete data, or to extract only the rows that are needed to a different location, in support of Article 5, which states that personal data shall be “adequate, relevant and limited to what is necessary…” (data minimisation).
In addition, look at:
- Recital 64 – The controller should use all reasonable measures to verify the identity of a data subject who requests access…
Use strong authentication, such as TLS (SSL) certificates or Kerberos, to verify the identity of database users, and Real Application Security (RAS) to carry the identity of the end application user into the database, so that access to sensitive information can be decided and audited per person rather than per shared application account.
Step 3: Detect
For this stage, look at:
- Article 30 – Each controller shall maintain a record of processing activities…
- Recital 82 – In order to demonstrate compliance with this regulation, the controller or processor should maintain records of processing activities under its responsibility
- Article 33 – In case of a personal data breach, the controller shall notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it
Oracle Database Auditing
Enables and retains audit records of who accessed or changed personal data, and when
Oracle Fine Grained Auditing
Records or audits specific activities of users, such as SELECT on sensitive data
Oracle Audit Vault and Database Firewall
Centrally stores and manages the records of processing, as well as overall monitoring and timely alerting to suspicious behaviour.
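The two database-side auditing controls above, as an added example (Oracle SQL and PL/SQL) that is not part of the original post: a unified audit policy that records all DML on a table holding personal data, a fine-grained audit policy that records only SELECTs that actually read the sensitive columns for EU residents, and a query that reads the resulting records back. HR.EMPLOYEES and its columns are assumed names; the example assumes unified auditing (Oracle Database 12c or later).

```sql
-- Added example, not from the original post. HR.EMPLOYEES, NATIONAL_ID, EMAIL
-- and COUNTRY_CODE are assumed names; unified auditing is assumed to be enabled.

-- 1. Unified audit policy: record every DML statement on the table, whichever
--    rows or columns it touches. This is the broad "who did what" trail.
CREATE AUDIT POLICY gdpr_employees_dml
  ACTIONS SELECT ON hr.employees,
          INSERT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees;
AUDIT POLICY gdpr_employees_dml;

-- 2. Fine-grained audit policy: fire only for SELECTs that reference NATIONAL_ID
--    or EMAIL, and only for rows that satisfy the condition, so the trail stays
--    focused on reads of sensitive data rather than every query on the table.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'fga_employees_pii_read',
    audit_condition   => 'COUNTRY_CODE IN (''DE'',''FR'',''IE'')',
    audit_column      => 'NATIONAL_ID,EMAIL',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,           -- any listed column referenced
    statement_types   => 'SELECT',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED, -- keep SQL text and bind values
    enable            => TRUE
  );
END;
/

-- 3. Produce a record (this SELECT matches the FGA policy) ...
SELECT national_id FROM hr.employees WHERE country_code = 'DE';

-- ... and read the records back. Unified audit and FGA records both land in
-- UNIFIED_AUDIT_TRAIL; FGA records carry the policy name in FGA_POLICY_NAME.
-- On 12.1 in queued-write mode, flush first: EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
SELECT event_timestamp, dbusername, client_program_name, action_name,
       object_schema, object_name, fga_policy_name, sql_text
  FROM unified_audit_trail
 WHERE object_schema = 'HR'
   AND object_name   = 'EMPLOYEES'
 ORDER BY event_timestamp DESC;
```

The unified trail lives inside the database it audits, so a DBA or an attacker with the right privileges can purge it; forwarding the records to Audit Vault and Database Firewall, as described above, is what gives you an independent copy to work from when the 72-hour breach-notification clock in Article 33 starts.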
We’ve provided lots of advice for customers in this area, and can help you make the most of your current technical set up to ensure compliance. Get in touch for a healthcheck, or simply some advice.