Along with a lot of other people, I’ve been attempting to call people’s attention to the new General Data Protection Regulation (GDPR), which was created two years ago and becomes effective in May of this year. The regulation defines processes and practices around the privacy and protection of the personal data of any EU citizen. While the regulation is defined by the EU, because it applies to the data of EU citizens it applies wherever that data may exist, even in other countries. So, the GDPR applies to you and your data if you have EU citizens’ data in your databases. Different countries have trade treaties in effect with the EU that will allow the EU to enforce this, even though you and your data are located somewhere else. None of this is a reason to freak out, though.
Keep Calm
There’s a lot of emphasis on the penalties of the GDPR. If you violate the regulation, you can be fined up to 20 million euro or 4% of your revenue (note, not your profit, your revenue), whichever is higher. Now if that doesn’t get your attention, you either have literally no data under management or you have a serious reading disability. Further, the definitions of what constitutes a breach of privacy include unplanned server outages. Yeah, we’re not just talking about failing to adequately delete people’s data, getting hacked, or accidentally exposing personally identifying information. If your server crashes, you could be fined.
Ok, ok. Calm down.
Here’s the most important thing I can tell you about the GDPR… currently. Because the GDPR has not yet been implemented, there is zero case law that defines the implementation of this regulation. We only have the clear words of the regulation itself and the discussions of what they mean to guide us. Without case law backing the mechanisms and definitions within the regulation, we still don’t know for certain how it’s going to be implemented.
OK, I’m Calm, But What Should I Do?
First, follow the link here and read the GDPR. That’s the single best thing you can do immediately.
Second, I don’t care which country you’re in, if you have the possibility of hosting the data of an EU citizen in your data center, someone in your organization (preferably at the C-level) had better be talking to you (or your boss) about GDPR compliance. I’m not saying you need to run around in circles waving your arms. However, you should be exploring the GDPR and understanding what it might take for your systems to support things like the right to be forgotten. If they are not already on this, you should be raising the issue. You’re the subject matter expert.
Third, make sure that people are really clear that while there are all sorts of technical aspects to ensuring GDPR compliance, it is first and foremost a business issue. Secondarily it’s a legal issue. We technologists are a distant third. In order for you to do any actual work to prepare for GDPR compliance, you need business definitions and buy-in. The business should be guiding you, not you guiding them.
Fourth, do the things that you should already be doing. Ensure your servers are secure, that your firewall is patched and up to date, that you don’t have SQL Injection vulnerabilities, that you know what servers you have, that you know where personally identifying information is stored, all that fun stuff. None of that should be driven by the GDPR. You should be doing it now. However, if you’re not doing it, the GDPR might be the reason to get it done. You’ll also need to be sure you have monitoring in place on your servers, that you have good, tested backups and a tested disaster recovery plan. Again, all things you ought to be doing now.
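Two of the items in that list, knowing where personally identifying information lives and knowing who holds elevated rights on the instance, can be turned into queries you run today. The T-SQL below is an added example, not code from the original post; the keyword patterns and their categories are assumptions to be adjusted to your own naming conventions, and a name-based scan only finds columns whose names suggest PII, so treat the result as a starting inventory rather than a complete one.

```sql
-- Added example (not from the original post). Run in the database you want
-- to inventory on SQL Server; the pattern list is an assumption, extend it.
DECLARE @Patterns TABLE (Pattern nvarchar(50) NOT NULL, Category nvarchar(30) NOT NULL);
INSERT INTO @Patterns (Pattern, Category) VALUES
    (N'%email%',    N'Contact'),
    (N'%phone%',    N'Contact'),
    (N'%birth%',    N'Identity'),
    (N'%ssn%',      N'Identity'),
    (N'%passport%', N'Identity'),
    (N'%address%',  N'Location'),
    (N'%postcode%', N'Location');

-- Part 1: columns in user tables whose names match a PII keyword.
-- A column matching two patterns is listed once per matching category.
SELECT  s.name  AS SchemaName,
        t.name  AS TableName,
        c.name  AS ColumnName,
        ty.name AS DataType,
        c.max_length,
        p.Category
FROM    sys.columns AS c
JOIN    sys.tables  AS t  ON t.object_id   = c.object_id
JOIN    sys.schemas AS s  ON s.schema_id   = t.schema_id
JOIN    sys.types   AS ty ON ty.user_type_id = c.user_type_id
JOIN    @Patterns   AS p  ON c.name LIKE p.Pattern
ORDER BY s.name, t.name, c.name, p.Category;

-- Part 2: every login that is a member of the sysadmin fixed server role.
-- Anyone listed here has full control of the instance; the list should be
-- short and every entry should have a documented reason for being on it.
SELECT  m.name      AS LoginName,
        m.type_desc AS LoginType,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;
```

Part 1 reads only the catalog views, so it is cheap to run on every database on the instance; Part 2 reads server-level catalog views and returns the same answer from any database. Keep both result sets somewhere you can diff them against the next run, because the point is to notice when a new PII column or a new sysadmin appears.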
Fifth, watch this space. I’ll be tracking this very closely and will write up additional blog posts on the topic. Also, subscribe to my YouTube channel, I’ll be posting a lot of information there as well (and already have posted a couple of videos). Microsoft has some excellent documentation on this too. Finally, check out Redgate, where we are laser focused on this issue. All these resources will help.
The reason your hair should absolutely not be on fire is because you’re already being a proactive data professional and you’ve already implemented all this.
Uhm, Grant, About That Tested DR Plan…
On the other hand, if you are completely in cowboy land: the devs all have ‘sa’ privs on the production servers, you get crashes 15 times a day and you’re not sure why, monitoring is something you’ll get around to building at some point, and hey, ad hoc T-SQL without any kind of parameterization is just a whole lot easier to write… That smoke you smell may indeed be your hair.
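For the last item on that list, here is what the ad hoc pattern looks like beside its parameterized replacement. This is an added example, not code from the original post: the table dbo.Customer and its columns CustomerId, LastName and Email are assumptions, and CREATE OR ALTER needs SQL Server 2016 SP1 or later.

```sql
-- Added example (not from the original post). dbo.Customer and its columns
-- are assumed to exist; adjust the names to your own schema.

-- The ad hoc pattern: the caller's value is spliced into the statement text.
-- Whatever the caller passes becomes part of the SQL that runs, and the plan
-- cache gets one plan per distinct value.
CREATE OR ALTER PROCEDURE dbo.FindCustomer_AdHoc
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customer WHERE LastName = '''
        + @LastName + N''';';
    EXEC (@sql);
END;
GO

-- The parameterized pattern. Dynamic SQL is kept only for the part that
-- genuinely needs it (a caller-chosen sort column); the search value travels
-- as a typed parameter through sp_executesql, so it is never part of the
-- statement text and one plan serves every value.
CREATE OR ALTER PROCEDURE dbo.FindCustomer
    @LastName   nvarchar(100),
    @SortColumn sysname = N'LastName'
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be parameterized, so validate the sort column
    -- against the catalog and quote it; anything else is rejected outright.
    IF NOT EXISTS (SELECT 1
                   FROM   sys.columns
                   WHERE  object_id = OBJECT_ID(N'dbo.Customer')
                   AND    name = @SortColumn)
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customer '
      + N'WHERE LastName = @p_LastName ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    EXEC sys.sp_executesql
        @stmt       = @sql,
        @params     = N'@p_LastName nvarchar(100)',
        @p_LastName = @LastName;
END;
GO

-- Same call shape for both procedures; only the second is the one to keep.
EXEC dbo.FindCustomer @LastName = N'Fritchey', @SortColumn = N'Email';
```

If the query has no part that truly varies, skip dynamic SQL altogether and write the static statement; sp_executesql is for the cases where the statement shape must change at runtime, and even then only values are parameters while identifiers are validated and quoted.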
If you’re not following generally recognized best practices in managing your databases, now is the time to start. Again, begin by bringing the business on board so that they understand why you’re concerned about the systems.
Conclusion
While I am trying to get you to be focused on the GDPR, I really don’t want you to be panicked. There is no reason to be. Until the lawyers really start to define this stuff, we won’t necessarily have anything to worry about. However, a very healthy amount of caution is warranted. Those penalties are nothing to scoff at. So, start doing the things you know you should be doing anyway. Read the regulation. Make sure your business is also being appropriately cautious. Oh, and, worth noting, it’s not just the EU. Japan is passing nearly identical legislation as is Australia. Protecting data and privacy is going to be a fundamental part of all businesses soon. It’s easy enough to calmly start getting ready for that now.
Sounds like healthy C-level Data Governance, if you don’t already have solid Data Governance in place GDPR may be the impetus your company needs.
Yeah, exactly. To a large degree this is a very hard wake up call to start dealing with data the way we know we’re supposed to. There’s not that much that’s really all that disturbing (except the penalties). It’s largely about getting stuff right.
Grant, are you volunteering to be the 1st to test GDPR through the courts? With an 8-digit fine attached?
For the UK the new regulations are simply a souped-up version of the old DPA with greater clarity and sharper teeth, so I am not sure that it really is untested. The regulations became active in May 2016 with a two-year running-in period. It’s the two-year running-in period that is ending.
Maybe you’re right, but it’s one hell of a gamble
NOT IT!
Seriously though, no, I don’t want to be the test case. You know there’s going to be a Forlorn Hope and I have no wish to take part in it.
That said, I still think the best approach is not to panic. We should ensure that we are following best practices, that we have well defined data management policies that we can publish, that we’re at least preparing for the “right to be forgotten”, and that our overall approach to IT is safe and sane.
If we don’t have good data management practices, it’s now WAY past time to get them, but it’s still not a reason to panic.
Note that GDPR does not have to be implemented in EU members’ law systems – the GDPR is applied directly.
I witnessed the gasps of horror when you presented the “Unplanned server outage constitutes a breach” section of this at SQLBits earlier this year, Grant.
Do you think an unplanned server restart would also constitute a breach? There’s outage for sure (briefly), but it’s controlled (unless the server doesn’t return to life, in which case it’s an outage). Just asking for a friend really…