GDPR in Business (Softa) – Sensitive Data and How to Implement into a Database

If you’ve made it this far, you’re now reading the third article in my GDPR series. Congratulations! As you read this, there are only 100 days left until GDPR goes live. In this article, we’re going to look at compliance in the IT Softa Business and how it relates to GDPR moving forward.

Compliant in IT Softa Business?

When I say Softa, I mean “relax” in Swedish. This article was written specifically for developers, architects, and full-stack coders, encouraging you all to relax, too. You are not alone in your thoughts, and I wanted you to know that. Softa Business is also my shorthand for Software Development and Integration work.

Softa provides end users with a means to do their work. In a way, it is like creating a tool for making a hole in the wall. Sometimes the tool is a service where someone completes the job on your behalf; other times, it’s a hammer you use to hit the wall; and other times, it’s just plain explosive. In Softa Business, it can be either a project you start from scratch or one of several tools you integrate and interact with. And other times, it’s just a way to deliver data, providing a visual user interface for the resulting view.

In all cases, the same requirement remains: it must be designed around what it delivers and to whom.

GDPR Map

Many tools and software products are simply too old and outdated today. They date back 30 years, lack compatibility, and cannot work with new systems. So I ask the business owners reading this to own up to their lack of compliance. What is your next solution? Take some time; it may cost you more now, but it will be a good long-term investment.

Databases

You may already have had your first contact with Microsoft SQL. I know technical people hate me when I say this, but in my opinion an Excel spreadsheet is a database and it works like SQL does. (Yes, I know, they don’t really; but it is nice to make things easy.)

If you have data in one field of your database and you start feeling unhappy about it being clear text and visible, you might end up using some ‘salt’ and encrypting the data. In Excel you could do the same, but it would no longer serve the user who tries to read the data.

Once the data is encrypted, the next question is: how will this encrypted version of the data be distributed?

So there are numerous ways to encrypt the data in a database. Excellent, are we now compliant? Sorry, but no.

The next question is: why do you even collect this information in the first place?

Is there a real need for a video rental store to know your social security number? Could the UID Key (unified identifier) be just a running number from 100? I know many cases where database keepers collect information they should not.

So next time you are designing a database and you make a decision on what to put there, take a while to consider the data you need. Remember that whoever uses this database in the future is a “registry keeper” who has liabilities to report to the users what was collected and why.

Keeping these two factors in mind, I might say that Softa Vendor is more compliant and probably better than 80% of the remaining options.

Sensitive data

You may have heard that in many countries there are programs where governmental players want to collect medical data in some big structured database. In Finland, this is called the Kanta project. A direct translation could be ‘database.’ So I refer to my previous chapter. Then, what if it is mandatory that you collect sensitive data? What even is sensitive data? In this Kanta project, it is medical data, which I always consider to be sensitive data. In this sense it is mandatory to have a social security number and my personal information. I get that. What I sincerely hope is that the designers of that database knew what they were doing, because the nature of this data makes it tempting for hackers to see how well it is protected. I see big threats in how the next generations of data architects are going to use this information.

So when you have sensitive data in a database, you should first consider how to track the usage of this data. You should have a database engine that supports making a mark when this information is accessed. For example, I am interested in who is viewing my lactose intolerance in Kanta, and why do they need this information? The first step, of course, is to mark in the database which fields are sensitive. In medical databases, disease is a sensitive topic, but it could be your trade union membership as well (see the upper right corner of the picture). In many medical systems this was called a “paw print,” referring to the paper where you actually leave your fingerprint. You can add a tag or an entry to the database for each person who accesses the information. For example, a police officer cannot just go in for fun and see whether their neighbour has lost their license. They need a WHY for doing so.

In some systems, this would be called an audit log. I would not recommend SQL here without question. In many file systems, this has existed for years, but it is rarely used. And let me remind you that in the good old days, file systems in the UX field were called databases. Getting back to sensitive data, also remember what I wrote in my last article: the user also has a right to be forgotten.
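The “paw print” idea described above, as an added example that is not part of the original article: fields are marked sensitive, every read of one must carry a reason, and each attempt (granted or refused) is written to an access log. SQLite stands in for whatever store is used; the table, column and function names are assumptions made for illustration.

```python
import sqlite3

# Assumption: illustrative column names; the article only says fields get marked sensitive.
SENSITIVE_FIELDS = {"diagnosis", "union_membership"}

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT,
                             diagnosis TEXT, union_membership TEXT);
        CREATE TABLE access_log (at TEXT DEFAULT CURRENT_TIMESTAMP,
                                 actor TEXT NOT NULL, person_id INTEGER NOT NULL,
                                 field TEXT NOT NULL, reason TEXT NOT NULL,
                                 granted INTEGER NOT NULL);
        -- Constructed sample row; the key is a running number, not an SSN.
        INSERT INTO person VALUES (100, 'Test Person', 'lactose intolerance', 'none');
    """)
    return db

def read_field(db, actor, person_id, field, reason=""):
    """Return one field; sensitive fields need a reason and always leave a log row."""
    columns = {row[1] for row in db.execute("PRAGMA table_info(person)")}
    if field not in columns:  # allow-list check before the name goes into SQL
        raise ValueError("unknown field: " + field)
    if field in SENSITIVE_FIELDS:
        reason = reason.strip()
        granted = bool(reason)
        # Log first, so denied attempts leave a paw print too.
        db.execute(
            "INSERT INTO access_log (actor, person_id, field, reason, granted) "
            "VALUES (?, ?, ?, ?, ?)",
            (actor, person_id, field, reason or "(none given)", int(granted)))
        db.commit()
        if not granted:
            raise PermissionError("a reason is required to read " + field)
    row = db.execute(f'SELECT "{field}" FROM person WHERE id = ?', (person_id,)).fetchone()
    return row[0] if row else None

def who_viewed(db, person_id):
    """Answer the data subject's question: who looked at my sensitive data, and why?"""
    return db.execute(
        "SELECT actor, field, reason, granted FROM access_log "
        "WHERE person_id = ? ORDER BY rowid", (person_id,)).fetchall()
```

In a real deployment the application account would be allowed to insert into the log table but not to update or delete its rows, so the trail cannot be rewritten by the same code that reads the data.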

The Political Question

Do my GDPR rights regarding sensitive data and my right to be forgotten apply in this Kanta case? What would the EU Commission say if I tested my rights against this governmental player? I assume I would lose the case? Interested in hearing your thoughts below.

Closing Words

There are many alternative approaches to the subject of software business, development and integration. How do they deliver the information from their systems to someone else, external advertising companies for example? As you can see, the list of possible breaches of compliance is endless.

Do you have personal experience as a software vendor where you did not think of GDPR, and later found out that you should have? Was it a matter of the technical solution or the structure of the data?

The next article will be published on Tuesday 27th of February. That will be the last of this series. Keep reading! Please also remember to share your thoughts.

PS. Reference information you might be interested in: https://thehackernews.com/2017/07/sweden-data-breach.html (see the paragraph “here is what happened”). Could this happen to you?