Tokern DbAudit and GDPR / CCPA

Rajat Venkatesh — 01/16/2020, 2 Min Read — In GDPR, CCPA, Database Audit

GDPR, the General Data Protection Regulation, is an EU law on data protection and privacy. More recently, California passed its own privacy law, the CCPA or California Consumer Privacy Act. The CCPA gives consumers rights over how their personal information is collected, sold or shared by organizations. For brevity, the rest of the article refers only to GDPR provisions.


"GDPR & ePrivacy Regulations" by dennis_convert is licensed under CC BY 2.0

Many of the requirements describe policies and procedures. However, these policies have a serious effect on the engineering and architecture of IT systems. This article describes how Tokern DbAudit helps with the following provisions:

  • "State of the Art" and "Security of Processing" in Article 32
  • "Data Accessibility without Permission" in Article 25
  • "Logging, Intrusion Detection and Notification" in Article 33 and Article 34

Check out Tokern DbAudit to monitor production usage by devops and support teams

Security of Processing

Article 32 states:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,..."

The following features of DbAudit support security of processing:

  • Secure communication using TLS
  • Login using any popular Single Sign-On provider
  • IAM-based login on AWS and GCP
  • Login using client certificates

Data Protection by Default

Article 25 states:

"In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

By default, teams do not have access to production databases, either directly or through DbAudit. Teams are given access only after a requisition workflow, and that workflow is logged. Moreover, users can be assigned roles that grant access to a subset of tables and columns (where the underlying database supports it).

The following features of DbAudit support data protection by default:

  • Temporary, time-limited access to data
  • Roles and groups that limit access to specific tables and columns

Logging, Intrusion Detection and Notification

Article 33 requires the controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; Article 34 requires the controller to communicate the breach to the affected data subjects when it is likely to result in a high risk to them. Both presuppose that the controller can detect a breach in the first place. Article 34 also states when communication to data subjects is not required:

"The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption."

DbAudit logs the actions taken by all of its components, including logins, authorization decisions and the queries that were run. These logs can be exported to popular SIEM applications. Once the audit events are in a SIEM, intrusion detection rules and notifications can be built on top of them.
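As an added example (not DbAudit's own code, and not its real log schema), the following script shows the kind of detection logic a SIEM rule would implement over a stream of audit events. It assumes a constructed JSON-lines format with `login`, `grant` and `query` events, a constructed mapping of roles to allowed tables, and constructed sample events. It ties the two earlier sections together: it flags queries that run after a temporary grant has expired, queries that touch tables outside the user's role, queries by users who never obtained a grant, and bursts of failed logins.

```python
"""Detection over constructed database-audit events.

Added example: not Tokern DbAudit's code or its log format. The event
fields (ts, kind, user, role, ttl_minutes, tables, result), the role
policy and the sample events below are all constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed access policy: tables each role is allowed to query.
ROLE_TABLES = {
    "support": {"orders", "tickets"},
    "devops": {"orders", "tickets", "customers"},
}

# Constructed audit events, one JSON object per line, in time order.
AUDIT_LOG = """\
{"ts": "2020-01-16T09:00:00Z", "kind": "login", "user": "alice", "result": "ok"}
{"ts": "2020-01-16T09:00:05Z", "kind": "grant", "user": "alice", "role": "support", "ttl_minutes": 60}
{"ts": "2020-01-16T09:10:00Z", "kind": "query", "user": "alice", "tables": ["orders"]}
{"ts": "2020-01-16T09:12:00Z", "kind": "query", "user": "alice", "tables": ["customers"]}
{"ts": "2020-01-16T10:05:00Z", "kind": "query", "user": "alice", "tables": ["tickets"]}
{"ts": "2020-01-16T11:00:00Z", "kind": "login", "user": "bob", "result": "fail"}
{"ts": "2020-01-16T11:00:01Z", "kind": "login", "user": "bob", "result": "fail"}
{"ts": "2020-01-16T11:00:02Z", "kind": "login", "user": "bob", "result": "fail"}
{"ts": "2020-01-16T11:30:00Z", "kind": "query", "user": "carol", "tables": ["orders"]}
"""

FAILED_LOGIN_THRESHOLD = 3          # failures that trigger an alert
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(log_text):
    """Return a list of (ts, user, rule, detail) alerts for the event stream."""
    grants = {}     # user -> (role, expiry time) from the latest grant event
    failures = {}   # user -> timestamps of recent failed logins
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user, kind = parse_ts(ev["ts"]), ev["user"], ev["kind"]

        if kind == "grant":
            # Temporary access: remember the role and when it expires.
            grants[user] = (ev["role"], ts + timedelta(minutes=ev["ttl_minutes"]))

        elif kind == "login":
            if ev["result"] != "fail":
                failures.pop(user, None)        # a successful login resets the counter
                continue
            recent = [t for t in failures.get(user, []) if ts - t <= FAILED_LOGIN_WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append((ev["ts"], user, "repeated_failed_login",
                               f"{len(recent)} failures within {FAILED_LOGIN_WINDOW}"))

        elif kind == "query":
            grant = grants.get(user)
            if grant is None:
                alerts.append((ev["ts"], user, "query_without_grant", ev["tables"]))
                continue
            role, expires = grant
            if ts > expires:
                alerts.append((ev["ts"], user, "query_after_grant_expiry",
                               f"grant for role {role} expired at {expires.isoformat()}"))
                continue
            disallowed = sorted(set(ev["tables"]) - ROLE_TABLES.get(role, set()))
            if disallowed:
                alerts.append((ev["ts"], user, "query_outside_role",
                               f"role {role} may not read {disallowed}"))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect(AUDIT_LOG):
        print(f"{ts} {user:<6} {rule:<26} {detail}")
```

On the constructed events this raises four alerts: alice reading `customers` outside the `support` role, alice querying after her 60-minute grant expired, bob's three failed logins inside the five-minute window, and carol querying without any grant. Two design points carry over to a real deployment: the grant and query events must come from the same tamper-evident stream, shipped to a SIEM the monitored DBAs cannot edit, and the role-to-table policy used by the detector must be the same one the access layer enforces, or the two will silently drift apart.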

If your company requires these capabilities, check out the project on Tokern DbAudit GitHub and connect with us through the chat widget in the bottom right corner.