One of the most common questions I get regarding GDPR is:

Before I even get a chance to reply they continue:

– I am a small company. I cannot afford to pay for a secure database or, GDPR does not apply to me…
– Can I use Google Drive or Dropbox?

Let’s start with the basics because firstly, I’d like to address the confusion around GDPR and the goal of these regulations, and secondly, talk about what you can and cannot afford, and what the best choice for you is.

Selecting a database for the needs of your business is not a one size fits all. There are certain factors that define which database you need for your data. Here are the major ones:

I. Data:
1) The type of data held in the database
2) The amount of data held in the database
II. Access:
3) Who will have access to it (internal or external to the company)
4) How they will access it (authentication methodology)
5) Will they have access through a private corporate network or will the database be available on the internet?
III. Security and control:
6) What kind of internal security mechanisms are in place to protect the data in case something goes wrong in the top level?
7) Do you have the control of the database protection or is it dependent on a third-party provider?
8) How do you evaluate the third-party provider’s security measures and define if they are in line with your GDPR goals?
9) Is the provider in Europe or in another continent i.e. the US?
10) How do you control the external processors’ compliance to GDPR with your data?
11) What will be the impact if this data if breached?
IV. Training:
12) Are the personnel accessing the database trained accordingly to avoid cyber-attacks and mistakes?

Obviously, I cannot give you all the knowledge to think and evaluate the replies to all of these issues in an article [I have a full training that answers these and many other questions in case you are interested], but I will do my best to explain the starting point for GDPR compliance and protection of your data from breaches and cyber-attacks.

Want a little help?

Price does not define the security qualities of the database.

Let’s take an example.

Google Drive and Dropbox are just tools like any other. It is our responsibility to use the right tool for the appropriate case. They are not intended for corporate use and clients’ data protection. They have poor security by default, but most importantly, neither Google, nor Dropbox will be held liable for how you use their tools. If something goes wrong they are not liable for the data you decide to add to that account as the controller (data owner based on GDPR terminology).

On the other hand, YOU are responsible for selecting the appropriate platform for specific data. The selection of the platform has to be based on the factors I outlined above. By “appropriate” I am referring to the measures & controls related to the specific account.

So, the first step is to define what data you have. Based on that data a security professional will help you with the right place holder for your data; whether this is a private database or a cloud provider that answers your needs and provides necessary protection for your client data.

Let me demonstrate what I mean with an example. Currently, I collaborate with one of the biggest paid cloud providers in the world. I will not mention the name because it would be a promotion, but to understand what I mean by “biggest” – even governments use their cloud.. Here is their stand on GDPR: they will not be held liable for the way each one of their clients use their products.

They requested my services in order to guide their clients on how to use and maintain it in the best possible way to avoid attacks because they want to support their clients. It is clear however, that the sole responsibility for the type of data and its maintenance lies with the company using the services, not the one providing it.

Now let’s clarify something very important. If what they say they offer does not work properly and, as the result, many clients are affected, they as the provider will be held responsible. But if a client decides to place sensitive data to their database with incorrect properties and setup, it’s not the fault of the cloud services provider.

You have to understand though that database selection is not a panacea.

You may select the best database for your case, but this is not enough.

Thus, you need to:

• setup additional security measures,
• develop the appropriate policies and procedures for access, use and maintenance of the database, and
• most importantly – you need to train your personnel on how to use it appropriately.

If you skip any of the above your database will lose its protective effectiveness and you will mislead yourself into thinking that you are protected from cyber-attacks, data breaches, mistakes and GDPR fines.

Yes, it is, depending always on your case and the professional who is setting it up. In fact, a good professional can take medium range tools and make them more secure and effective with the additional measures as opposed to someone who is just using the best database platform available but has not applied any other supportive measures.

Remember, in security getting complacent because you’ve installed a tool is the most dangerous thing you can do for your protection.

I hope this clarifies the situation and gives you a better understanding of database (cloud service) providers.

If you would like my help on:

• Evaluating the database, you are currently using,
• Selecting the right database for your data and
• Getting the additional measures to maximize its effectiveness,

here are the details to get in touch

Apply what you learn immediately. Download “GDPR Basics” free quick start guide.

I am now turning it over to you. If you found this information on GDPR useful please share it with others and give me your feedback.

I cannot wait to hear your comments so leave them below and let’s continue the conversation.