Insights empowering compliance
Make your DB GDPR-compliant
Helping you adjust your Oracle database assets to the strictest data protection regulation in the world
Want a fancy GDPR for DB-professionals poster?
We have created a nice visualization of the key concepts of GDPR, its impact on the database-related routines and the recommended activities.
Store this in your database?
GDPR regulations require that you abide by the rules if you store PII (Personally Identifiable Information).
Names
E-mail addresses
Location or coordinates
Online identifiers
Health information
Personal profile
Income
Biometric data
Glossary
Personally Identifiable Information
PII is any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity and any other information that is linked or linkable to an individual (medical, educational, financial, and employment information).
Privacy Impact Assessments
PIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. In other words, a PIA is a process for building and demonstrating compliance.
Data Protection Officer
The primary role of the data protection officer (DPO) is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. In the EU institutions and bodies, the applicable Data Protection Regulation (Regulation (EC) 45/2001) obliges them each to appoint a DPO.
Binding Corporate Rules
A a set of binding rules put in place to allow multinational companies and organisations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organisation.
A journey, not a destination
GDPR is not a one-time certification.
Classify
Identify what personal information you have (and do you really need from 25.05.18 onwards)
Locate
Scan your information assets, primarily databases, to discover, where the personal information resides
Protect
Establish security controls and governance to prevent, detect, respond and report vulnerabilities and data breaches
Monitor
Monitor and audit your data sources regularly to stay compliant and reduce risk
What it means for your database?
GDPR brings along some implications and complications for your DB environment.
Database objects
- Mask all tables containing PII
- Minimize requested PII
- Pseudonumize data sets
- Turn on encryption for affected tables
Databases
- Review granted user rights (also look for orphaned accounts)
- Separate duties, restrict privileged users access
- Enable audit trails and logging
- Regularly run vulnerability tests
- Review your backup/recovery strategy: you might need to delete and opt-out some PII-records from recovery
Servers
- Log and monitor suspicious and irregular user activity
- Set up instant alerts for access violations (you have 72 hrs to report)
- Review access policies, including physical access
- Run comprehensive database and environment reporting
Infrastructure
- Look for outside-EU connections
- Control data transfers outside of EU-area, check for rationale and compliance
72

Hours to inform a regulator, once a breach is discovered.
20

mln EURO or 4% of company's worldwide turnover. A penalty for non-compliance.
13

Years and under. A parental consent is required for data collection.
Preflight checklist
Use professional DBA tools to expedite implementation of GDPR governance.
Implement "data protection by design"
Review your database to make sure it's designed in a way that the data is securely and transparently collected and stored with no compromise on functionality.
Map PII to your database objects
Get a detailed report on your database structure and mark all the entities, containing PII. Make sure you have a clear understanding of their critical security parameters and related scripts.
Regularly check database security
Run comprehensive database self-audits regularly to stay aware of potential vulnerabilities. Fix the breaches, if any, before they get exposed.
Monitor vulnerabilities
Detect and clean up inefficient code or orphaned objects to reduce the risk of possible data leaks and improve overall system performance.
Ensure data portability
Individuals could request their data in a commonly used and machine-readable format. Make sure you can generate transparent and comprehensive cross-system exports.
Address PII-related requests
Locate user- and employee-related PII in your database and get ready to address instantly their inquiries and "right to be forgotten" requests.
Facilitate security and data protection
Encryption has been there since early days, but now get ready to pseudonymize a data set. In this case, "additional information" must be "kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person."
Review your backups
The 'Right to be Forgotten' (RTBF) affects your backups as well. It obliges you to delete every individual-related information you could have. Specifically tricky are legacy applications with archived data, where to delete it, you need to restore it first.
Watch for cross-border data transfers
You must have complete visibility into how scripts, packages or third-party applications could send the data outside of EU area. Generated data exports are becoming extremely vulnerable.
ClearDB Documenter
Audit and secure your database in minutes.
Insightful
Map the PII across all available instances and visualise even the most complex entity relations. Easily track orphaned objects. Comprehensive information to assess access privileges for scripts and users. Self-audit set up takes minutes, not weeks.

Secure
Intelligent audit detects up to 630 types of security issues, outlining them in a report. Each vulnerability is assigned a risk level, which helps prioritize security measures. Technical info and steps to address each vulnerability are provided, making critical data protection simple even for untrained staff.

Detailed
Deliver comprehensive reports to satisfy personal data requests from customers and Supervising Authorities. Include as many details as necessary, including data location, storage details, right grants, dependencies. Available as text and tables and visually rich content with diagrams.