Contact us


Oracle’s recommendations for GDPR

How to ensure GDPR compliance using Oracle database products

Continuing our series of short guides to help you navigate GDPR, today we outline how Oracle recommends that you tackle some of the tasks covered in previous blogs.

Download the free GDPR eBook

Step 1: Assess

For this stage, you need to focus on 3 sections of the regulation;

  • Article 35 – Conduct impact assessment of your current processes on the protection of personal data
  • Recital 90 – For those processes identified as high risk, carry out a full data protection impact assessment
  • Recital 91 – Assess the impact of monitoring of publicly accessible areas in relation to GDPR

Oracle has recommended the following tools to help you effectively assess where you are:

Oracle Enterprise Manager’s Database Lifecycle Management Pack

Using this tool you can assess the security profile of your Oracle Databases by scanning the configuration.

Oracle Enterprise Manager’s Application Data Modeling

This will help you assess the sensitive data landscape by scanning database columns for sensitive information.

Oracle Database Vault Privilege

This will help you assess the sensitive data landscape by scanning Oracle Database roles and privileges.

Oracle Database Security Assessment

This tool evaluates your database security configuration , as well as deployed security policies, states of users, roles and privilege grants.

Step 2: Prevent

For this stage, you need to focus on:

  • Article 32 – Implement appropriate technical and organisational measures to ensure an appropriate level of security
  • Recital 83 – Evaluate risks and implement measures to mitigate
  • Article 6 – Where additional data has been collected, take into account appropriate safeguards such as encryption or pseudonymisation

Oracle Advanced Security

Transparent Data Encryption to encrypt the data, data redaction to pseudonymise the data in production applications.

Oracle Data Masking and Subsetting

Anonymises the data in non-production applications, this also supports Recital 26 which states that if data is anonymous, the regulation does not cover this type of data.

You can also use this application to delete the data, or extract to different location, in support of article 5 which states that: “Personal data shall be adequate, relevant and limited to what is necessary…”

In addition, look at:

  • Recital 64 – The controller should use all reasonable measures to verify the identity of a data subject who requests access…

Use strong authentication techniques such as SSL or Kerberos with Real Application Security (RAS) to verify the identity of the database and application users accessing sensitive information.


Step 3: Detect

For this stage, look at:

  • Article 30 – Each controller shall maintain a record to processing activities…
  • Recital 32 – In order to demonstrate compliance with this regulation, the controller or processor should maintain records of processing under its responsibility
  • Article 33 – In case of breach, the controller, without delay, shall notify the supervisory authority within 72 hours

Oracle Database Auditing

Enables and maintains records of processing

Oracle Fine Grained Auditing

Records or audits specific activities of users, such as SELECT on sensitive data

Oracle Audit Vault and Database Firewall

Centrally stores and manages the records of processing, as well as overall monitoring and timely alerting to suspicious behaviour.

We’ve provided lots of advice for customers in this area, and can help you make the most of your current technical set up to ensure compliance. Get in touch for a healthcheck, or simply some advice.

Apply for a GDPR health check