iQoncept - Fotolia

What the Microsoft GDPR compliance toolkit offers for SQL Server

The set of GDPR compliance tools that Microsoft offers for SQL Server is designed to make it easier for users of the database software to adhere to the EU's new data rules.

The European Union's new GDPR law requires businesses to properly secure the personal data of EU residents or face big financial penalties. With their reputations and money on the line, many companies need to change their data management practices to better protect customer data and govern its use -- something Microsoft is looking to help SQL Server users with.

To aid in complying with GDPR -- formally known as the General Data Protection Regulation -- Microsoft offers a variety of tools and features supported by SQL Server and its cloud-based Azure SQL cousin.

In a recent webinar, Frederico Pravatta Rezende, a senior product marketing manager at the software vendor, outlined the available Microsoft GDPR compliance options and discussed how they can help meet the law's strict data privacy and security standards. The stakes are high, Rezende noted.

The new regulation, which will take effect on May 25, 2018, covers organizations based in the EU and companies located elsewhere that do business with residents of EU countries. Businesses that fail to comply with the GDPR rules can be fined up to €20 million or 4% of their annual global revenue -- whichever amount is greater. Also, customers may be less likely to want to do business with a company that is perceived as being careless with their personal information.

How does the GDPR define personal data?

When it comes to keeping personal data that's stored in SQL Server systems safe -- and complying with GDPR -- Rezende suggested a four-pronged plan of attack for database administrators (DBAs) in the webinar and an associated blog post.

Identify what personal data you have and where it resides in your databases. The Microsoft GDPR compliance strategy starts with categorizing personal data via the use of SQL Data Discovery & Classification, a tool built into SQL Server Management Studio (SSMS). The tool scans databases and identifies columns that may contain sensitive data. It then recommends sensitivity classifications based on the findings, Rezende said.

As a result, DBAs are able to categorize personal data within a database faster and with less effort than if they had to examine the data manually. Columns that require more advanced auditing and protection can be tagged with labels and ranked on how sensitive the data they contain is.

Additionally, the sensitivity of query result sets can be calculated in real time, making the auditing process more efficient, according to Rezende. Reports generated by SQL Data Discovery & Classification can be viewed in a dashboard or an Excel spreadsheet.

Manage how personal data is accessed and used. dynamic data masking, which was added in SQL Server 2016, enables DBAs to control who can -- and more importantly, who can't -- access sensitive data, Rezende said. End users who lack proper authorization and access privileges can't read the masked data because elements of it are hidden from them. Data masking can be applied in real time and is also supported in Azure SQL Database.

Similarly, row-level security, another feature introduced in SQL Server 2016, gives DBAs control over specific rows in database tables. It enforces logic to restrict access to rows inside the database itself, as part of the schema that is bound to a table, and does filtering of rows in multi-tenant applications to prevent unauthorized access, Rezende said.

Protect personal data against data breaches and other security threats. The Microsoft GDPR compliance tool set detailed by Rezende also includes Always Encrypted, a security feature that enables DBAs to encrypt data when it's at rest, in motion or in use -- including when it's being updated. This protects the data from unauthorized users regardless of their access privileges, he said. Also added in SQL Server 2016, Always Encrypted can be configured for individual database columns that contain particularly sensitive data, and column encryption keys and column master keys can be used to protect important data.

Among other tools for implementing security controls, Rezende highlighted Azure SQL Threat Detection, which identifies unusual and potentially malicious activities in Azure SQL Database. The tool alerts DBAs to suspicious actions, such as SQL injection attacks, and warns them of potential vulnerabilities. Azure SQL Threat Detection also recommends steps that DBAs and data security managers should take to investigate, mitigate and defuse threats.          

Report on all anomalous activities regarding personal data. SQL Vulnerability Assessment, a feature added in the SSMS 17.4 update that Microsoft released in late 2017, helps meet GDPR's security standards and compliance requirements by continuously tracking and analyzing database security measures, Rezende said. The tool regularly scans SQL Server database environments and identifies security vulnerabilities, then provides remediation recommendations to resolve the issues.

DBAs deploying Microsoft GDPR compliance tools can also track and log system events with SQL Server Audit, a program built into the database management system. Through prebuilt templates, it can be used to create user-defined audits of database and server events, enabling them to run simultaneously, according to Rezende.

Next Steps

Use these six SQL Server sample databases

Dig Deeper on Database management