Tokern DbAudit and GDPR / CCPA

Rajat Venkatesh, 1/16/2020, 2 Min Read

The General Data Protection Regulation (GDPR) is the European Union's law on data protection and privacy. More recently, California passed its own privacy law, the California Consumer Privacy Act (CCPA), which gives consumers rights over how organizations collect, sell, or share their personal information. For brevity, the rest of this article refers to GDPR provisions only.


“GDPR & ePrivacy Regulations” by dennis_convert is licensed under CC BY 2.0.


Many of the GDPR requirements describe policies and procedures, but those policies have direct consequences for the engineering and architecture of IT systems. This article describes how Tokern DbAudit helps with the following provisions:


Security of Processing

Article 32 states: "Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, ..." The following features of DbAudit support the security of processing:

  • Secure communication using Transport Layer Security (TLS)
  • Login through any Single Sign-On (SSO) provider
  • IAM login on AWS and GCP
  • Login using certificates


Data Protection by Default

Article 25 states: "In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons." By default, teams have no access to production databases, either directly or through DbAudit. Access is granted through a requisition workflow, and every grant is logged. Moreover, users can be assigned roles that restrict access to a subset of tables and columns (where the underlying database supports column-level privileges). The following features of DbAudit support data protection by default:

  • Temporary access to data
  • Roles and groups to limit access to specific tables and columns.


Logging, Intrusion Detection and Notification

Articles 33 and 34 cover notification of a personal data breach to the supervisory authority and to the affected data subjects. Article 34 states: "The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption."


DbAudit logs the actions taken by every component (logins, authorization events, and queries) and integrates with all popular SIEM applications. Feeding these logs into a SIEM makes it straightforward to layer intrusion detection and notification on top of them: the SIEM can correlate a query against the temporary grant and the role scope that should have authorized it, and page someone when they disagree.
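As an added example of the kind of rule a SIEM would run over such logs (this is not DbAudit's code, and DbAudit's actual log schema is not documented on this page), the script below replays a constructed audit log through checks that tie the two earlier sections together: a query is allowed only while the user's temporary grant is unexpired, only against the tables and columns that grant covers, and a burst of failed logins is flagged. The event format, field names (`ts`, `type`, `user`, `result`, `sql`), the `GRANTS` table and the sample events are all assumptions made for this example; the SQL parsing is deliberately limited to single-table SELECTs so that anything it cannot parse is reported rather than silently allowed.

```python
"""
Added example, not DbAudit's code: replay constructed audit events through
the kind of detection rules a SIEM would run on DbAudit's logs. The event
format, field names and grant table are assumptions made for this example.
"""
import json
import re
from datetime import datetime, timezone

# Hypothetical access grants produced by a requisition workflow:
# per user, the tables/columns the role may read and when the grant expires.
GRANTS = {
    "alice": {"tables": {"customers": {"id", "country"}},
              "expires": "2020-01-16T12:00:00Z"},
    "bob": {"tables": {"customers": {"id", "email", "country"}},
            "expires": "2020-01-16T10:00:00Z"},
}

# Constructed audit log, one JSON event per line (hypothetical format).
SAMPLE_LOG = """\
{"ts":"2020-01-16T09:00:01Z","type":"login","user":"alice","result":"ok"}
{"ts":"2020-01-16T09:05:10Z","type":"query","user":"alice","sql":"SELECT id, country FROM customers WHERE id = 7"}
{"ts":"2020-01-16T09:06:30Z","type":"query","user":"alice","sql":"SELECT email FROM customers"}
{"ts":"2020-01-16T09:50:00Z","type":"query","user":"bob","sql":"SELECT * FROM customers"}
{"ts":"2020-01-16T10:30:00Z","type":"query","user":"bob","sql":"SELECT id FROM customers"}
{"ts":"2020-01-16T10:45:00Z","type":"query","user":"carol","sql":"SELECT id FROM orders"}
{"ts":"2020-01-16T11:00:00Z","type":"login","user":"mallory","result":"fail"}
{"ts":"2020-01-16T11:00:20Z","type":"login","user":"mallory","result":"fail"}
{"ts":"2020-01-16T11:00:40Z","type":"login","user":"mallory","result":"fail"}
{"ts":"2020-01-16T11:01:00Z","type":"login","user":"mallory","result":"fail"}
"""

# Deliberately simple: single-table SELECT only. Anything else is reported
# as unparsed rather than silently allowed.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(.+?)\s+FROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_select(sql):
    """Return (table, set_of_columns) for a simple SELECT, else None."""
    m = SELECT_RE.match(sql)
    if m is None:
        return None
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    return m.group(2).lower(), cols


def detect(log_text, grants, failed_login_threshold=3, window_seconds=300):
    """Return alerts for queries outside a user's grant and for login brute force."""
    alerts = []
    failures = {}  # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["type"] == "login":
            if ev["result"] != "ok":
                recent = [t for t in failures.get(user, [])
                          if (ts - t).total_seconds() <= window_seconds]
                recent.append(ts)
                failures[user] = recent
                # Fire once when the threshold is crossed, not on every later failure.
                if len(recent) == failed_login_threshold:
                    alerts.append({"rule": "login_bruteforce", "user": user, "ts": ev["ts"]})
            continue
        if ev["type"] != "query":
            continue
        grant = grants.get(user)
        if grant is None:
            alerts.append({"rule": "no_grant", "user": user, "ts": ev["ts"]})
            continue
        if ts >= parse_ts(grant["expires"]):
            alerts.append({"rule": "expired_grant", "user": user, "ts": ev["ts"]})
            continue
        parsed = parse_select(ev["sql"])
        if parsed is None:
            alerts.append({"rule": "unparsed_query", "user": user, "ts": ev["ts"]})
            continue
        table, cols = parsed
        allowed = grant["tables"].get(table)
        if allowed is None:
            alerts.append({"rule": "table_out_of_scope", "user": user, "ts": ev["ts"], "table": table})
            continue
        # "SELECT *" reads every column; the log alone cannot prove the grant
        # covers all of them, so treat it as out of scope.
        if "*" in cols or not cols <= allowed:
            alerts.append({"rule": "column_out_of_scope", "user": user, "ts": ev["ts"],
                           "table": table, "columns": sorted(cols - allowed)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, GRANTS):
        print(json.dumps(alert))
```

Run against the constructed log, the rules produce five alerts: alice reading `email` outside her column scope, bob's `SELECT *`, bob querying after his grant expired, carol querying with no grant at all, and mallory's third failed login inside the five-minute window. The choice to report an unparsed query instead of allowing it matters in practice: a detection rule that fails open on SQL it does not understand is exactly the gap an attacker with a stolen session would use.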


If your company requires these capabilities, check out the Tokern DbAudit project on GitHub and connect with us via our Slack community!

