January Database Privacy Regulation Update

2/7/2022





In January 2022, databases became the focus of privacy legislation



The new year starts with a hearing of the EU Court of Justice on “whether keeping a parallel database constitutes processing of data for a new purpose,” per Herke Kranenborg, a member of the Legal Service, European Commission. The question the justices will decide “is under what circumstances keeping a copy of a database in parallel with the original database can be seen as serving the same purpose.”

So, in this post we briefly cover the technical basics as they are understood within the current model of database use. To clarify: there are several perceived needs and several real needs to copy databases as is, without removing or changing data.

  1. Replication technologies (clustering, replication, mirroring, sharding, etc.) - used for data availability and to improve data read and write performance, for example to speed up writing data to disk so that the user does not wait on a frozen website page or mobile screen. The data should be exactly the same across these environments and is considered to be "the same" data set, no matter how many copies are made, and every copy should be under the same security and privacy protection policies (and these are DIFFERENT THINGS).

  2. Other copies - none of them are customer-facing, and they are not considered production environments. These are made for the purposes of:

    • demonstrating the product to a client (often called a demo environment).

    • testing functional requirements (does the application do the right thing, in accordance with what I imagined?) and non-functional requirements (is it convenient to use? can I break into it as a hacker? can I use it with a lot of data and still have great response times? can an auditor give me a penalty for some non-compliance?). These are all possible test cases in different QA environments. Organizations may have a FARM of QA environments.

    • integration environments, where developers test merged code with regression testing.

    • development environments - where developers develop! These should have no production data whatsoever, ever.

Under no circumstances should test environments be protected less than production environments. There is a whole "hacker" industry that "grazes" on those "pastures".

Break-fix is a bit trickier. This is supposedly an environment where production support can do a quick fix without waiting for the whole development cycle. However, keeping production data there without any masking/deidentification/removal is still risky. This is usually where someone has to decide whether or not to accept the risk, and this, I guess, is where GDPR lawmakers will need to think quite a bit...
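One way to apply the masking/deidentification mentioned above before a copy leaves production, shown as an added example that is not part of the original post. It uses Python's standard `sqlite3` and `hmac` modules; the `customers` table, the sample rows, the key and the helper names (`pseudonymize`, `masked_copy`, `leaked_values`) are all constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows standing in for a production table.
SAMPLE_ROWS = [
    (1, "Alice Example", "alice@example.com", "gold"),
    (2, "Bob Example", "bob@example.com", "basic"),
    (3, "Alice Example", "alice@example.com", "gold"),
]

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins still work."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def make_production() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, plan TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def masked_copy(prod: sqlite3.Connection, key: bytes) -> sqlite3.Connection:
    """Build the non-production copy: name removed, email tokenized, plan kept."""
    copy = sqlite3.connect(":memory:")
    copy.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, plan TEXT)")
    for cid, _name, email, plan in prod.execute("SELECT id, name, email, plan FROM customers"):
        token = pseudonymize(email, key)
        copy.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                     (cid, None, token + "@masked.invalid", plan))
    copy.commit()
    return copy

def leaked_values(prod: sqlite3.Connection, copy: sqlite3.Connection) -> set:
    """Exact-value check: production names/emails that still appear in the copy."""
    sensitive = set()
    for name, email in prod.execute("SELECT name, email FROM customers"):
        sensitive.update((name, email))
    found = set()
    for row in copy.execute("SELECT * FROM customers"):
        found.update(v for v in row if isinstance(v, str) and v in sensitive)
    return found

if __name__ == "__main__":
    prod = make_production()
    copy = masked_copy(prod, key=b"constructed-demo-key")
    print(copy.execute("SELECT * FROM customers").fetchall())
    print("leaked:", leaked_values(prod, copy))
```

Keep the HMAC key out of the environment that receives the copy, since anyone holding it can recompute the token for a guessed e-mail address.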

So, let's wait for the decision. And if you are interested, there is always a white paper where you can learn it all in detail; just ask us at mask-me.net.

