Encryption can presumably address personal data access minimization.
BUT CAN IT?
Encryption has received a center stage, as it has been named a proper data privacy practice, alongside with pseudonymization.
Encryption is the name of a family of solutions that commonly replace a given value with an encrypted value, hence, presumably can be able to address personal data access minimization by Unix admins, DBAs, application users and production support – BUT CAN IT?
In this blog, I will provide a simple method to evaluate the pros and cons of the various encryption approaches available in the market today. For that, we will be positioning encryption/tokenization approaches in a multi-dimensional map against practical use case scenarios.
- Unix admins with root access to the database data-files and archives (hence, if abused or stolen, can see all data), they are regarded as trusted
- DBA admins and developers with production database access (if abused or stolen can see all data)
- Application admins, production support with super user privileges in the applications connecting to the databases
- End users, accessing personal data through application screens, queries and reports
Check with your respective encryption vendor their location in the map:
To summarize, before choosing an encrypted or pseudonymization (dynamic masking) approach, verify that you have clear view of the GDPR coverage, implication and business effect of your choice.