Data Platform Architect at Microsoft, EDU Team
Former Technical Intelligence Manager, Delphix
• Multi-platform DBA, (Oracle, MSSQL, MySQL,
Sybase, PostgreSQL, Informix…)
• Oracle ACE Director, (Alumni)
• Oak Table Network Member
• Idera ACE Alumni 2018
• STEM education with Raspberry Pi and Python,
including DevOxx4Kids, Oracle Education
Foundation and TechGirls
• Former President, Rocky Mtn Oracle User
• Current President, Denver SQL Server User
• Linux and DevOps author, instructor and
• Blogger, (http://dbakevlar.com) Twitter:
• GDPR, (General Data Protection Regulation) became enforceable on May 25, 2018, for any organization, anywhere in the world, that processes the personal data of people in the EU.
• Doesn’t just cover websites.
• Was adopted by the EU in April 2016 and entered into force in May 2016; the two-year transition period ended on the May 2018 enforcement date.
When did most of the EU start to panic about GDPR?
When did most in the US start to panic about GDPR?
What is the maximum fine if charged with violation of GDPR?
• With Brexit, the UK (not just England) will be leaving the EU.
• Who thought Norway WAS part of the EU?
• Who isn’t surprised that Switzerland isn’t part of the EU?
• What about EU citizens who are traveling, staying abroad or online?
What is GDPR Critical Data?
• Any personal data of an EU citizen or resident, (the regulation protects data subjects who are in the EU, whatever their citizenship.)
• Name, address and/or phone number
• Email address or URL
• Banking Details
• National identification numbers, (the EU equivalents of a US Social Security Number)
• Medical Information
• IP Address
• Posts on Social Media
Fines with GDPR Non-Compliance
The penalties come in two tiers: a fine of up to €10 million or 2% of annual global turnover, whichever is higher, or, for the most serious infringements, up to €20 million or 4% of annual global turnover, whichever is higher.
What is the DBA’s Role in GDPR?
• You have the role of custodian and protector of the data, (the organization itself is the “controller” in GDPR terms.)
• You will be responsible for:
• Identifying critical data.
• Auditing, plus a process to keep identifying critical data as the schema and the applications change.
• A formal process to update or remove critical data.
• The ability to report on GDPR compliance.
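The first three of those responsibilities can be started from inside the database. The T-SQL below is an added example, not code from the slides: it does a first-pass discovery of personal-data columns by column name, tags them with the `sys_information_type_name` / `sys_sensitivity_label_name` extended properties that the SSMS Data Discovery & Classification feature uses, and produces a compliance report from those properties. The name patterns, information types and labels are assumptions to adjust per organization; it classifies whatever tables exist in the current database.

```sql
-- Added example (not from the slides). Run in the database being classified.
SET NOCOUNT ON;

-- Name patterns that usually indicate GDPR-relevant data (assumed list).
-- Lower priority wins when a column matches several patterns
-- (e.g. "ip_address" matches both %address% and %ip[_]%).
-- '[_]' escapes the underscore, which is otherwise a LIKE wildcard.
DECLARE @patterns TABLE (priority int, pattern sysname, info_type sysname, label sysname);
INSERT INTO @patterns (priority, pattern, info_type, label) VALUES
    (1, '%ssn%',           'National ID',  'Highly Confidential - GDPR'),
    (1, '%national[_]id%', 'National ID',  'Highly Confidential - GDPR'),
    (1, '%iban%',          'Banking',      'Highly Confidential - GDPR'),
    (1, '%ip[_]%',         'Networking',   'Confidential - GDPR'),
    (2, '%email%',         'Contact Info', 'Confidential - GDPR'),
    (2, '%phone%',         'Contact Info', 'Confidential - GDPR'),
    (2, '%address%',       'Contact Info', 'Confidential - GDPR'),
    (2, '%birth%',         'Other',        'Confidential - GDPR');

-- Candidate columns: user-table columns matching a pattern and not yet classified.
DECLARE @cand TABLE (schema_name sysname, table_name sysname, column_name sysname,
                     info_type sysname, label sysname);
INSERT INTO @cand
SELECT schema_name, table_name, column_name, info_type, label
FROM (
    SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name,
           p.info_type, p.label,
           ROW_NUMBER() OVER (PARTITION BY c.object_id, c.column_id
                              ORDER BY p.priority) AS rn
    FROM sys.columns AS c
    JOIN sys.tables  AS t ON t.object_id = c.object_id
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    JOIN @patterns   AS p ON c.name LIKE p.pattern
    WHERE t.is_ms_shipped = 0
      AND NOT EXISTS (SELECT 1 FROM sys.extended_properties AS ep
                      WHERE ep.class = 1 AND ep.major_id = c.object_id
                        AND ep.minor_id = c.column_id
                        AND ep.name = 'sys_sensitivity_label_name')
) AS x
WHERE rn = 1;

-- Tag each candidate. sp_addextendedproperty takes one object at a time, so loop.
DECLARE @s sysname, @t sysname, @c sysname, @it sysname, @lb sysname;
DECLARE cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT schema_name, table_name, column_name, info_type, label FROM @cand;
OPEN cur;
FETCH NEXT FROM cur INTO @s, @t, @c, @it, @lb;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sys.sp_addextendedproperty @name = N'sys_information_type_name', @value = @it,
         @level0type = N'SCHEMA', @level0name = @s,
         @level1type = N'TABLE',  @level1name = @t,
         @level2type = N'COLUMN', @level2name = @c;
    EXEC sys.sp_addextendedproperty @name = N'sys_sensitivity_label_name', @value = @lb,
         @level0type = N'SCHEMA', @level0name = @s,
         @level1type = N'TABLE',  @level1name = @t,
         @level2type = N'COLUMN', @level2name = @c;
    FETCH NEXT FROM cur INTO @s, @t, @c, @it, @lb;
END
CLOSE cur;
DEALLOCATE cur;

-- Compliance report: every classified column in the database, with type and label.
SELECT OBJECT_SCHEMA_NAME(sc.object_id) AS schema_name,
       OBJECT_NAME(sc.object_id)        AS table_name,
       sc.name                          AS column_name,
       MAX(CASE WHEN ep.name = 'sys_information_type_name'
                THEN CAST(ep.value AS sysname) END) AS information_type,
       MAX(CASE WHEN ep.name = 'sys_sensitivity_label_name'
                THEN CAST(ep.value AS sysname) END) AS sensitivity_label
FROM sys.extended_properties AS ep
JOIN sys.columns AS sc ON ep.major_id = sc.object_id AND ep.minor_id = sc.column_id
WHERE ep.class = 1
  AND ep.name IN ('sys_information_type_name', 'sys_sensitivity_label_name')
GROUP BY sc.object_id, sc.name
ORDER BY schema_name, table_name, column_name;
```

Name matching is only a first pass: a column called `notes` or `description` can hold phone numbers just as easily, so the candidate list has to be reviewed against real data before the report is treated as complete. Re-running the script is safe, because already-classified columns are skipped.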
• Although the regulation is quite detailed, processing is lawful only when it rests on at least one of the following legal bases, (Article 6):
• The citizen has given consent to the processing of his or her personal data;
• The processing is necessary for a contract with the individual, or for steps taken at the request of a data subject who is in the process of entering into a contract;
• It is necessary to comply with a data controller's legal obligations;
• It is necessary to protect the vital interests of a data subject or another individual;
• It is necessary to perform a task in the public interest or in the exercise of official authority;
• It is necessary for the legitimate interests of a data controller or a third party, unless these interests are overridden by the interests of the data subject or his or her rights under the Charter of Fundamental Rights, (especially in the case of children).
“There is a general lack of agreement about what exactly
GDPR compliance is…”
Senior Director for Public Policy
ACT | The App Association.
Companies must provide REASONABLE levels
of data protection-
what does this mean?
Claudette Meets GDPR Project
• In June 2018 an AI tool, (Claudette) was used to assess automatically whether the privacy policies of 14 companies were GDPR compliant.
• The companies, (among them Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking, Skyscanner, Netflix, Steam and Epic Games) were chosen as the most used services in a selection of sectors and as good examples.
• Claudette expected a compliant policy to contain all the information GDPR requires and to be comprehensible to anyone reading it.
• A gold standard was devised, a model that Claudette used for the assessment.
• All fourteen companies failed the assessment.
Claudette Lessons Learned
• None of the companies provided all the information required by GDPR
• How data is actually processed is continually at odds with what the GDPR requirements assume.
• A consent banner on a website does not by itself constitute agreement to the privacy policy under GDPR, (which we’ll cover more later on.)
• Due to the complex wording and lacking information in policies, it’s almost
impossible for any user to know what they’ve agreed to regarding their data
privacy where GDPR is concerned.
Introduction to Claudette
• Companies are already strapped with existing regulatory requirements and security issues, due to demands from SOX, HIPAA and PII handling rules.
• GDPR has raised the profile of data privacy and cybersecurity to a buzzword at the C-level.
• The rise of the Chief Security Officer, (CSO) has begun.
• By the May 2018 deadline, GDPR readiness represented an $8 billion investment.
This is a Technical Overview of Handling GDPR
So what can you do with GDPR to cover your ass(ets)?
Adopt a Cybersecurity and Privacy Framework
• Use a recognized framework, mapped to the GDPR requirements, for policies and procedures.
• Have buy-in from the entire IT department and the business.
• Well documented policies with clear and concise terminology of what is covered.
• As enhancements or new features are added, ensure that the documentation is kept up to date.
Third Party Vendors
• Third party vendors must take appropriate steps to be GDPR compliant for:
• Data residing in their systems.
• Data in transit.
• Data shared with their own third parties or partners.
• The controller that collected the data remains accountable for it while a vendor processes it, so vetting vendors is as important as securing your own systems.
• Have a full contract, (a data processing agreement) stating what is covered by the GDPR and who is responsible for what.
Build it into EVERYTHING.
Consider incorporating secondary authentication into smart phones, using smart unlocks and biometric scans, for anyone who can reach the data from a mobile device.
Having a Sign-off Agreement Isn’t Enough
• Many sites have GDPR agreements on their web portal or site.
• This is simply an agreement acknowledging that the customer knows the site collects personally identifying data.
This is not GDPR
At the Web Tier, you must:
• Know what data is cached or stored at the web tier.
• Have a process to audit it, and to remove it if the user requests.
• Have a way to track all of these procedures.
• Diagrams must map where data is located and where it flows inside every data system in the company.
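The removal process has to reach every tier that holds the data; the database side of it is the part the DBA owns. The procedure below is an added example, not code from the slides: a single, transactional, logged entry point for a data-subject erasure request. The tables `dbo.Customers`, `dbo.Orders` and `dbo.WebSessions`, their columns, and the `@Pepper` value are hypothetical; the `@Pepper` secret is meant to be fetched by the caller from a key vault rather than stored in the database.

```sql
-- Added example (not from the slides). Tables and columns are hypothetical.
CREATE TABLE dbo.ErasureRegister (
    RequestID    uniqueidentifier NOT NULL DEFAULT NEWID() PRIMARY KEY,
    SubjectHash  binary(32)       NOT NULL,  -- keyed hash of the identifier, never the identifier
    RequestedAt  datetime2(0)     NOT NULL,
    ExecutedAt   datetime2(0)     NOT NULL DEFAULT SYSUTCDATETIME(),
    ExecutedBy   sysname          NOT NULL DEFAULT ORIGINAL_LOGIN(),
    RowsAffected int              NOT NULL
);
GO
CREATE PROCEDURE dbo.usp_EraseDataSubject
    @Email       nvarchar(256),
    @RequestedAt datetime2(0),
    @Pepper      varbinary(64)    -- secret kept outside the database (e.g. in Key Vault)
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;            -- any error rolls the whole request back

    DECLARE @id int, @rows int = 0;
    SELECT @id = CustomerID FROM dbo.Customers WHERE Email = @Email;
    IF @id IS NULL
    BEGIN
        RAISERROR('No data subject found for that identifier.', 16, 1);
        RETURN;
    END;

    BEGIN TRANSACTION;

    -- Data with no legal basis to keep once consent is withdrawn: delete outright.
    DELETE FROM dbo.WebSessions WHERE CustomerID = @id;
    SET @rows += @@ROWCOUNT;

    -- Orders must be retained for tax law (the Art. 17(3)(b) exemption), so strip
    -- the personal fields and keep the financial record.
    UPDATE dbo.Orders
       SET ShippingAddress = NULL, ContactPhone = NULL
     WHERE CustomerID = @id;
    SET @rows += @@ROWCOUNT;

    -- Keep the row (foreign keys point at it) but overwrite every personal column.
    -- The replacement e-mail is unique per row, so a unique index on Email still holds.
    UPDATE dbo.Customers
       SET Email       = CONCAT('erased-', CustomerID, '@invalid'),
           FullName    = 'ERASED',
           Phone       = NULL,
           DateOfBirth = NULL
     WHERE CustomerID = @id;
    SET @rows += @@ROWCOUNT;

    -- Record that the request was honoured without re-storing the personal data.
    -- A plain SHA-256 of an e-mail address is guessable by dictionary, hence the pepper.
    INSERT INTO dbo.ErasureRegister (SubjectHash, RequestedAt, RowsAffected)
    VALUES (HASHBYTES('SHA2_256', @Pepper + CAST(LOWER(@Email) AS varbinary(512))),
            @RequestedAt, @rows);

    COMMIT TRANSACTION;
END;
GO
-- Usage with constructed input; the pepper literal is a placeholder, not a real secret.
EXEC dbo.usp_EraseDataSubject @Email = N'jane@example.com',
                              @RequestedAt = '2018-11-07',
                              @Pepper = 0x0102030405060708;
```

Two design points matter here. Anonymizing the `Customers` row instead of deleting it keeps referential integrity and the retained orders intact, which is the usual way to reconcile erasure with legal retention. And the register stores only a peppered hash, so the erasure log cannot itself become a new copy of the data; it still lets you prove a request was handled and replay the erasure against a backup that is restored later.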
• Identify where data is stored:
• Flat files, including workstation copies in MS Access, Excel and even Notepad.
• Consider adding encryption at the application and host level.
• Purge systems of unnecessary copies that could result in a breach.
• Build audit procedures into transactional applications that will track GDPR data.
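For SQL Server the tracking can be generated from the classification rather than maintained by hand. The script below is an added example, not code from the slides: it creates a server audit and then builds a database audit specification covering every table that carries a `sys_sensitivity_label_name` extended property, so a newly tagged table is picked up on the next run. The audit name, the file path, the database name `CustomerDB` and the assumption that classification was done with those extended properties are all mine. It targets SQL Server or Managed Instance; Azure SQL Database uses Azure SQL Auditing instead.

```sql
-- Added example (not from the slides). Audit name, path and database are assumptions.
USE master;
GO
CREATE SERVER AUDIT GDPR_Audit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000,
          ON_FAILURE = FAIL_OPERATION);   -- refuse the statement rather than lose the trail
ALTER SERVER AUDIT GDPR_Audit WITH (STATE = ON);
GO
USE CustomerDB;
GO
-- Rebuild the specification from whatever currently carries a sensitivity label.
IF EXISTS (SELECT 1 FROM sys.database_audit_specifications
           WHERE name = N'GDPR_ClassifiedTables')
BEGIN
    ALTER DATABASE AUDIT SPECIFICATION GDPR_ClassifiedTables WITH (STATE = OFF);
    DROP DATABASE AUDIT SPECIFICATION GDPR_ClassifiedTables;
END;

DECLARE @sql nvarchar(max);
SELECT @sql = N'CREATE DATABASE AUDIT SPECIFICATION GDPR_ClassifiedTables '
            + N'FOR SERVER AUDIT GDPR_Audit '
            + STRING_AGG(CAST(N'ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::'
                              + QUOTENAME(OBJECT_SCHEMA_NAME(major_id)) + N'.'
                              + QUOTENAME(OBJECT_NAME(major_id))
                              + N' BY public), ' AS nvarchar(max)), N'')
            + N'ADD (SCHEMA_OBJECT_CHANGE_GROUP) '   -- also catches ALTER TABLE and SELECT INTO copies
            + N'WITH (STATE = ON);'
FROM (SELECT DISTINCT major_id
      FROM sys.extended_properties
      WHERE class = 1 AND name = N'sys_sensitivity_label_name') AS classified;

IF @sql IS NULL   -- STRING_AGG over zero rows yields NULL
BEGIN
    RAISERROR('No classified columns found; run the discovery pass first.', 16, 1);
    RETURN;
END;
EXEC sys.sp_executesql @sql;
GO
-- Reading the trail: who touched classified data, and with which statement.
SELECT event_time, server_principal_name, database_name, object_name,
       action_id, succeeded, statement
FROM sys.fn_get_audit_file(N'D:\Audit\GDPR_Audit*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('SL', 'IN', 'UP', 'DL')   -- SELECT, INSERT, UPDATE, DELETE
ORDER BY event_time DESC;
```

`ON_FAILURE = FAIL_OPERATION` is the security-relevant choice: if the audit target is unavailable, writes to classified tables fail instead of proceeding unrecorded. Auditing `SELECT` on these tables is noisy, but it is exactly what shows a user pulling a full copy into Excel, which the deck identifies as the most common unintentional violation.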
• To enhance performance and ease of use, analytics tools keep localized copies of datasets.
• A Tabular data model in an Analysis Services server is still data stored outside the source database.
• Know that data sets found in analytics tools, (like Power BI) may come from relational databases, Access, Excel and CSV files.
• Ease of access results in complex auditing of analytics systems.
Form A GDPR Team
• Business User
• Application Support
• System Administrator
• Database Administrator
• Project Manager
How to Take on a GDPR Project
• Identify areas under GDPR
• Create outline of what data must be protected.
• Design processes and procedures to identify critical data.
• Use third party tools and features for auditing and mature tracking of critical data.
• All team members MUST understand the importance of GDPR.
• Data cached at the application level and available to users.
• Flat files that may support the data, along with encryption keys that may be left exposed.
• Analytics data and tabular models that may store critical data.
• Backups and data retained for records.
All environments are not created equal
• Hold applications and analytics systems to the same requirements as the database if critical data is stored within them.
• Don’t implement the same solutions for development, test and QA/unit testing as for staging; lower environments should not hold real critical data in the first place.
• Obfuscates data with the use of encryption keys.
• Without the appropriate key and/or password, the data cannot be read.
• Limits risk if data is exfiltrated outside the database, even if the access is at the host level, as the data at rest is still encrypted.
• Beneficial when data is accessible from public networks.
• Does not replace security procedures at the host and database level.
• Excellent to protect from data “above
• Less acceptable against breaches of, or commandeered, data environments, where the attacker operates with the keys.
Don’t rely on this solution alone for enterprise data protection of critical data.
and Masking of
• Masking is different: whatever the regulation, (PII, HIPAA, PCI, etc.) it renders the information useless from a security standpoint, even if a full copy of the database is breached.
• Resolves both the technical and
personal responsibility issue.
• The data can be masked before it
moves to non-production, removing
• As discussed, 80% of data on average
• Must have a robust discovery and
• Masks all data, and if it also does so for strings in data stores and flat files, that is a bonus!
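The distinction the last two slides draw is easiest to see with the three mechanisms side by side. The script below is an added example, not code from the slides, on a hypothetical `CustomerDB.dbo.Customers` table: Transparent Data Encryption for the files, Dynamic Data Masking for live query results, and a static, deterministic masking pass for the copy that goes to non-production. The certificate name, the role `gdpr_request_handlers`, the password placeholder and the `@Pepper` literal are assumptions; the real secrets belong in Key Vault, not in a script.

```sql
-- Added example (not from the slides). Names, role and secret values are placeholders.

-- 1. Transparent Data Encryption: encrypts data and log files at rest.
--    Stops: someone copying the .mdf/.bak and attaching it elsewhere.
--    Does not stop: anyone with SELECT permission, or a compromised host that still
--    has the certificate. SELECT Email FROM dbo.Customers returns clear text.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password kept in Key Vault>';
CREATE CERTIFICATE TDE_CustomerDB WITH SUBJECT = 'TDE certificate for CustomerDB';
USE CustomerDB;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_CustomerDB;
ALTER DATABASE CustomerDB SET ENCRYPTION ON;
-- Back the certificate up off-host now; a restore without it is unreadable.

-- 2. Dynamic Data Masking: rewrites results for users without UNMASK.
--    Stops: casual exposure through reports and support tooling.
--    Does not stop: db_owner, UNMASK grantees, or inference via WHERE Email = '...'.
ALTER TABLE dbo.Customers ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customers ALTER COLUMN Phone
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');
GRANT UNMASK TO gdpr_request_handlers;   -- only the role that needs the real values

-- 3. Static masking for the non-production copy: irreversible in that copy.
--    Run in the restored copy, never in production. Deterministic (same input,
--    same output) so joins across tables still line up for developers and analysts.
--    ABS() is applied after the modulo so CHECKSUM's minimum value cannot overflow.
DECLARE @Pepper varbinary(64) = 0x0102030405060708;   -- placeholder; real value stays in Key Vault
UPDATE c
   SET Email       = CONCAT('user',
                            CONVERT(varchar(16), HASHBYTES('SHA2_256',
                                @Pepper + CAST(LOWER(c.Email) AS varbinary(512))), 2),
                            '@example.invalid'),
       Phone       = CONCAT('555', RIGHT(CONCAT('0000000',
                            ABS(CHECKSUM(HASHBYTES('SHA2_256',
                                @Pepper + CAST(c.Phone AS varbinary(64)))) % 10000000)), 7)),
       FullName    = CONCAT('Customer ', c.CustomerID),
       DateOfBirth = DATEFROMPARTS(YEAR(c.DateOfBirth), 1, 1)   -- keep year for age analytics
  FROM dbo.Customers AS c;
```

The third step is the one that actually removes the personal data from the lower environments: after it runs, a leaked development backup contains nothing that identifies a data subject, whereas TDE and DDM both leave the real values in place and rely on keys and permissions staying secret. The 16 hex characters kept from the e-mail hash are enough to keep a unique index on `Email` satisfied; the 7-digit phone value can collide and should not be relied on for uniqueness.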
Don’t Store These in the
• Encryption keys
• License keys
• Environment passwords and
• AND Database Passwords
Passwords should never be in
Use Azure Key Vault
Blockchain is
Not so much for GDPR
• Immutable digital ledger
• Stored in a block
• Added to a chain once verified
This makes it very difficult for
Blockchain Requires Unique Procedures
The Future with Data
• Eleven other states will have similar data
protection and breach notification laws going in
front of voters this election.
• There is added complexity in its being state driven rather than federal, (the EU, by contrast, has a single regulation.)
• July, 2018, Senator Mark Warner released a
position paper that’s gaining a lot of attention
and encompasses the major areas of GDPR.
• New companies who will make it their business
to audit companies, collect fines and profit from
part of this money that is agreed upon with the
• Google’s “Framework for Responsible Data Protection Regulation” was released in September 2018, a month before the Google+ breach affecting roughly 500K accounts was disclosed.
More companies are expected to follow suit.
• A GDPR Security Team is a must for any company
• Identification of all GDPR data is essential
• Business users must understand the importance of GDPR
• Most GDPR violations will be found to be
unintentional by users making copies from
• Analytics environments and blockchain create complex challenges for GDPR
• Work to combine other security projects and
frameworks into one with GDPR, (CCPA, SOX, HIPAA,
etc.) to create efficiency.
Data is the
• Big Data
• Analytics tools
• Application tier
Not the only place data resides
Invest in policies that make sense and can grow with
Dedicate resources to GDPR, but combine them with
other security groups when possible.
Incorporate cybersecurity as the first line of defense.
Not all data obfuscation is the same.
Don’t treat all environments the same.
Data doesn’t just reside in the database.
Learn more from Kellyn Pot’Vin-Gorman
PASS Summit 2018 Slides
Presentation on GDPR in the Microsoft sphere.