My thoughts from Redgate’s SQL Privacy Summit

Last Friday (18th May 18) I attended Redgate’s SQL Privacy Summit in London.  Before I go any further, for those of you who don’t know me, I’m based in the UK so GDPR is very much in the forefront of our minds and I am a Friend of Redgate.

Unfortunately, I couldn’t attend all day as I had a plane to catch and couldn’t be late as I had an early start the next day, as I was doing my other passion, show jumping, at Devon County Show which is a very big deal.  I’m happy to say it was well worth it as I came 2nd in my class with my horse, Tom, photo below.

I took away three key points from the event:

  • My understanding of our requirements as a database developer are pretty much on point.
  • There are still things I don’t know. More about that to follow.
  • I now have an action plan of things I need to do.

My role changed recently from being a DBA across the entire SQL Server estate to working on one specific project and being all things SQL Server for that project.   Whilst I kept thinking about how this would affect me if I was still the DBA that wasn’t my focus for the event.  To summarise my current understanding. 

  • We need to ensure that we have documented processes for everything we do with PII (Personally Identifiable Information) to show we are taking due care for each and every record.
  • When developers say they want a copy of the production database to develop on, they can have it either with no data or with masked data.
    • If they want it with data the steps required are:
      • 1 – clone database
      • 2 – mask data
      • 3 Steve Jones showed how this can be automated using a powershell script to call SQL Clone and SQL Data Masker.
    • All tables and columns need to be classified as to whether they are PII or not.
    • Data loss has to be reported to the ICO within 72 hours.
    • The one thing that came out that I wasn’t aware of was that an unplanned server outage is deemed data loss, so the next question is, how much down time is the threshold for reporting?

Finally, the actions I now plan on taking:

  • As the system I’m working on is very new I’m going to ensure that all data is classified before being source controlled and that all PII columns have data masker rules put on them for the times we need to restore from the Production database.
  • We need to document how we protect the data and the processes taken to move data and where all data is held.

There was one question I had which I’ve probably already answered for myself. That is as a good (hopefully) DBA I always tested my backups once a week with a  restore and DBCC Check DB. This was one powershell script that looped through all production databases and then restored, checked and dropped the databases.  No databases were kept longer than that because I didn’t have enough storage.  Normally if you restore a copy of production outside production you’d need to mask the data but as it was dropped as soon as it was checked I’m hoping that that the masking wont be necessary.

In summary, the event on Friday was really good, it’s always great to mix with other colleagues and Redgaters.  I even bumped into my old boss and spent a lot of time chatting with him and what’s been going on since I left and that all sounds really exciting.

Coming 2nd at Devon County Show with the amazing Tom.