Along with a lot of other people, I’ve been attempting to call people’s attentions to the new General Data Protection Regulation (GDPR) that was created two years ago and becomes effective in May of this year. The regulation defines processes and practices around the privacy and protection of personal data of any EU citizen. While the regulation is defined by the EU, since it’s applicable to the data of EU citizens, the applicability is anywhere that data may exist, even in other countries. So, the GDPR applies to you and your data if you have EU citizens data in your databases. Different countries have trade treaties in effect with the EU which will allow the EU to enforce this, even though you and your data are located somewhere else. None of this is a reason to freak out though.
There’s a lot of emphasis on the penalties of the GDPR. If you violate the regulation, you can be fined up to 20 million euro or 4% of your revenue (note, not your profit, your revenue), whichever is higher. Now if that doesn’t get your attention, you either have literally no data under management or you have a serious reading disability. Further, the definitions of what constitutes a breach of privacy includes unplanned server outages. Yeah, we’re not just talking if you fail to adequately delete peoples data, get hacked, or accidently expose personally identifying information. If your server crashes, you could be fined.
Ok, ok. Calm down.
Here’s the most important thing I can tell you about the GDPR… currently. Because the GDPR has not yet been implemented, there is zero case law that defines the implementation of this regulation. We only have the clear words of the regulation itself and the discussions of what they mean to guide us. Without case law backing the mechanisms and definitions within the regulation, we still don’t know for certain how it’s going to be implemented.
OK, I’m Calm, But What Should I Do?
First, follow the link here and read the GDPR. That’s the single best thing you can do immediately.
Second, I don’t care which country you’re in, if you have the possibility of hosting the data of an EU citizen in your data center, someone in your organization (preferably at the C-level) had better be talking to you (or your boss) about GDPR compliance. I’m not saying you need to run around in circles waving your arms. However, you should be exploring the GDPR and understanding what it might take for your systems to support things like the right to be forgotten. If they are not already on this, you should be raising the issue. You’re the subject matter expert.
Third, make sure that people are really clear that while there are all sorts of technical aspects to ensuring GDPR compliance, it is first and foremost a business issue. Secondarily it’s a legal issue. We technologists are a distant third. In order for you to do any actual work to prepare for GDPR compliance, you need business definitions and buy-in. The business should be guiding you, not you guiding them.
Fourth, do the things that you should already be doing. Ensure your servers are secure, that your firewall is patched and up to date, that you don’t have SQL Injection vulnerabilities, that you know what servers you have, that you know where personally identifying information is stored, all that fun stuff. None of that should be driven by the GDPR. You should be doing it now. However, if you’re not doing it, the GDPR might be the reason to get it done. You’ll also need to be sure you have monitoring in place on your servers, that you have good, tested, backups and a tested disaster recovery plan. Again, all things you ought to be doing now.
Fifth, watch this space. I’ll be tracking this very closely and will write up additional blog posts on the topic. Also, subscribe to my YouTube channel, I’ll be posting a lot of information there as well (and already have posted a couple of videos). Microsoft has some excellent documentation on this too. Finally, check out Redgate, where we are laser focused on this issue. All these resources will help.
The reason your hair should absolutely not be on fire is because you’re already being a proactive data professional and you’ve already implemented all this.
Uhm, Grant, About That Tested DR Plan…
On the other hand, if you are completely in cowboy land, the devs all have ‘sa’ privs on the production servers, you get crashes 15 times a day and your not sure why, monitoring, yeah, we’ll get around to building that at some point, and hey, ad hoc T-SQL without any kind of parameterization is just a whole lot easier to write… That smoke you smell may indeed be your hair.
If you’re not following generally recognized best practices in managing your databases, now is the time to start. Again, begin by bringing the business on board so that they understand why you’re concerned about the systems.
While I am trying to get you to be focused on the GDPR, I really don’t want you to be panicked. There is no reason to be. Until the lawyers really start to define this stuff, we won’t necessarily have anything to worry about. However, a very healthy amount of caution is warranted. Those penalties are nothing to scoff at. So, start doing the things you know you should be doing anyway. Read the regulation. Make sure your business is also being appropriately cautious. Oh, and, worth noting, it’s not just the EU. Japan is passing nearly identical legislation as is Australia. Protecting data and privacy is going to be a fundamental part of all businesses soon. It’s easy enough to calmly start getting ready for that now.