Wednesday 10 May 2017

European Union GDPR compliance for the DBA

Today I attended a conference on GDPR; I will write more about it in the future.

But in a nutshell, it affects any company that wants to hold data on EU citizens, so basically everyone. And it will still apply after Brexit.

I won't go into full details about how it works in this post, but it has some interesting points that may prove impossible for a DBA to meet.

Right To Be Forgotten

One of these is the right to be forgotten. This seems simple enough: just delete the data subject from the database. But no, this includes all backups, archives and BI data. How can a DBA be expected to remove data from an old backup, especially if that backup is on tape?

Data Portability

Another is data portability. This is similar to the current DPA in that a data subject can request the data held on them, but it differs in that it states that a "structured, commonly used and machine-readable format" must be used. My guess is that CSV would cover this.

Retention of data

Retention of data is also mentioned. Like the right to be forgotten, data must be erased after a set period of time. No real time limits seem to be mentioned, but it is suggested this is once the data subject's data is no longer useful. This again could be a minefield to manage.

Data Access

This is an interesting one. The suggestion is that data held about the subject should be easily accessible. Again, hard work: would this then need to be viewed over the web? If so, that would put the data at more risk.

It's all interesting reading. Watch this space for updates.