Redgate and DLM Consultants: Working together to help data users become GDPR compliant

Guest post

This is a guest post from Alex Yates. Alex Yates has been helping organisations to apply DevOps principles to relational database development and deployment since 2010. He’s most proud of helping Skyscanner develop the ability to deploy 95 times a day.

Originally for Redgate, later for DLM Consultants , Alex has worked with clients on every continent except Antarctica – so he’s keen to meet anyone who researches penguins.

A keen community member, he co-organises SQL Relay, is the founder of Speaking Mentors and has been recognised as a Microsoft Data Platform MVP since 2017.

If you hold ‘personally identifiable information’ (PII) about EU citizens, the new General Data Protection Regulation (GDPR) applies to you. That’s true even if you aren’t in the EU, since this law is extra-territorial.

This is significant for various reasons, including the fact that the maximum penalties for failing to comply would probably bankrupt your organization. The GDPR is already the law, and enforcement will start in May 2018 – so there’s a limited amount of time to get prepared.

PII data exists in many forms: documents, emails, databases, etc. For the rest of this blog post I’m specifically going to talk about software development and structured databases, but if you’re interested in other forms of data, you might like to learn about the various features Microsoft is adding to Office365.

The GDPR is a massive regulation covering many topics including consent, Data Protection Officers (DPOs), data breach notifications, the right to be forgotten and international data transfers, to name but a few. In this post I’m mainly referring to the parts of the GDPR that relate to security and ‘Privacy by Design and Default’, etc.

In order to make your SQL databases compliant with these aspects of the GDPR, there are four steps you’ll probably need to take, as outlined in the ICO Data Protection Self-Assessment Toolkit:

  1. Detect
    “Organize an information audit, across the organization or within particular business areas; document what personal data you hold, where it came from and who you share it with.”
  2. Classify
    “Look at the various types of data processing you carry out, identify your lawful basis for carrying it out and document it.”
  3. Protect
    “Document what personal data you hold, where that data came from and who it is shared with.”
  4. Monitor
    “Implement appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively.”
    … and …
    “Implement a plan to introduce the new GDPR Data Privacy Impact Assessments (DPIAs) within your business.”

These tasks will be challenging for many organizations to achieve. However, with the urgency and penalties associated with the GDPR, the IT industry is being forced to wake up to the fact that it needs to act more responsibly with sensitive data.

There is a big (and long overdue) opportunity here: the potential penalties make this a good time to ask senior management for the necessary budget/resources required to get our houses in order.

How Redgate and DLM Consultants can help

With so many organizations tackling the problems associated with regulatory compliance, Redgate has been receiving requests from customers for software that can help to solve the various technical challenges.

Organizations need to quickly and easily Detect what data they have, and they want to be able to easily Classify which data is sensitive. Then they want help to Protect the sensitive data and Monitor for compliance.

In response Redgate has been investing heavily in a new suite of tools. You can learn about some of the prototypes here, and you’ll be seeing various new features and products being released over the next few months.

At the same time DLM Consultants has been at the front line. For the last 18 months it’s been busy helping customers to adopt Database DevOps and Database Lifecycle Management (DLM). DLM Consultants has witnessed a growing awareness that IT teams need to improve the way they handle sensitive data within the context of their database lifecycle, but these teams are overwhelmed by the new legislation and need guidance.

Redgate and DLM Consultants both recognize a need for new tooling and expert leadership to support organizations to take effective steps towards the responsible management of sensitive data and associated regulatory compliance.

Over the next few months Redgate will be producing a new suite of software to provide an ‘ingeniously simple’ approach for compliant database development. It will do this by extending some of its existing tools and adding some new ones. If you’d like to join the early access program, let us know.

If you’d like some support, DLM Consultants will be providing free help for a select group of people concerned at the emerging need to manage their data more responsibly. At the same time, the insights gained will be collated and fed back to the development team at Redgate. This will enable Redgate to rapidly refine and polish the software, helping everyone.

If you’d like to join the ‘concierge program’, email DLM Consultants.