Microsoft SQL Server
Reduce data risk and improve protection at the database level with industry-leading security and safeguards built into Microsoft SQL Server. Control how data is used and accessed to help you achieve compliance with the GDPR.
Enable data privacy for GDPR compliance
Get a powerful set of tools to help you build a General Data Protection Regulation (GDPR)-compliant environment with Microsoft SQL Server. Because compliance is a shared responsibility, Microsoft is investing in additional features and functionality to help organizations drive toward GDPR readiness.
Whether you’re a compliance professional officer, a decision-maker considering SQL Server, or an IT administrator seeking help with a GDPR-compliant implementation, find out how Microsoft SQL Server can assist you in complying with the GDPR. Learn about discovering, managing, and protecting your data in the cloud, and compiling the necessary reports and documentation to help meet GDPR requirements.
Note that this information applies to the entire range of Microsoft SQL-based technologies, including Microsoft SQL Server (whether on-premises or hosted in a public cloud platform), Microsoft Analytics Platform System, Microsoft Azure SQL Database, and Microsoft Azure SQL Data Warehouse.
Your path to GDPR compliance begins with four key steps: Discover, Manage, Protect, and Report. Microsoft SQL Server provides tools and solutions for handling each step. Learn more about how Microsoft products and services can help you meet GDPR compliance requirements.Get started with the GDPR
The first step towards GDPR compliance is to assess whether the GDPR applies to your organization, and, if so, what data under your control is subject to the GDPR. This analysis includes understanding what data you have and where it resides. Adopting a classification scheme that applies throughout your organization helps you respond to data subject requests because it enables you to identify applicable data types more readily and process personal data requests.
To help you discover and classify personal data, Microsoft SQL Server provides the following:
- Helping you search and identify personal data using queries and metadata queries.
- Using full-text queries against character-based data in SQL Server tables.
- Helping facilitate data classification using the Extended Properties feature to create data classification labels and apply them to sensitive personal data.
To achieve compliance with the General Data Protection Regulation (GDPR), organizations need to manage access to and control how data is used and accessed. Microsoft SQL Server provides multiple means of controlling access to the database and the data.
The GDPR provides data subjects—individuals to whom data relates—with more control over how their personal data is captured and used. Microsoft SQL Server enables data governance practices and processes using SQL Server Authentication and Authorization mechanisms, Active Directory (for SQL Server) and Azure Active Directory Authentication and Role-based Access Control (for Azure SQL Database and Azure SQL Data Warehouse).
While Microsoft SQL Server provides a number of tools to help, implementing a data governance program—including ways to obtain consent and manage data subject rights requests—will require active application development from SQL administrators.
To help you manage personal data, Microsoft SQL Server provides the following:
- Use built-in authentication mechanisms to ensure that only authorized users with valid credentials can access the database server. SQL Server supports SQL authentication, and provides integrated security with Windows authentication. Azure SQL Database and SQL Data Warehouse customers should use Azure Active Directory authentication, which also supports Multi-Factor Authentication.
- Apply role-based access control to help manage authorization policies in the database, and to implement the separation of duties principle.
- Prevent access to rows in a table (such as those that may contain sensitive information) based on characteristics of the user trying to access the data by using Row-Level Security.
- Keep personal data complete and ensure that requests to edit, delete, or discontinue the processing of data are propagated throughout the system by leveraging Master Data Services with Microsoft SQL Server.
- Verify changes to data that occur in a SQL Server table by using SQL Server Audit in Microsoft SQL Server and Auditing for Azure SQL Database in Azure SQL Database.
- Identify and delete target data using SQL queries and statements.
- Identify target personal data to be exported using full-text, regular expression, or general queries against character-based data in SQL Server tables.
The GDPR requires that organizations incorporate data privacy and protection principles into their products and services. Microsoft SQL Server provides several features to enable protection of sensitive data by default.
- Secure personal data through encryption at the physical storage layer using encryption-at-rest through the Transparent Data Encryption feature.
- Prevent unauthorized, high-privileged users from accessing data in transit, at rest, and while in use through the Always Encrypted feature.
- Protect personal data using Row-Level Security and Dynamic Data Masking features, which limit sensitive data exposure by masking the data to non-privileged users or applications.
- Help ensure that only authorized users with valid credentials can access the database server by using authentication. In the case of SQL Server, customers should rely on integrated Windows authentication. In the case of SQL Database or SQL Data Warehouse, customers should use Azure Active Directory Multi-Factor Authentication.
- Maximize the availability of a group of user databases for an enterprise with Always On Availability Groups.
- Get help detecting anomalous database activities indicating potential security threats to the database with SQL Database Threat Detection in Azure SQL Database and Azure SQL Data Warehouse.
- Understand ongoing database activities, and analyze and investigate historical activity to identify potential threats or suspected abuse and security violations by using SQL Server Audit in SQL Server and Auditing for Azure SQL Database in Azure SQL Database and Azure SQL Data Warehouse.
- Scan databases for insecure configurations, exposed surface area, and additional potential security issues using the Vulnerability Assessment service for Azure SQL Database or SQL Server.
Microsoft conducts ongoing monitoring and testing of Azure security measures that protect Azure SQL Database. These include ongoing threat modeling, code review and security testing; penetration testing exercises, and centralized security logging and monitoring.
The General Data Protection Regulation (GDPR) sets new standards in transparency, accountability, and record-keeping. Organizations that process personal data will need to keep detailed records to be compliant.
To help you meet GDPR data reporting requirements, Microsoft SQL Server provides the following tools:
- Maintain audit trails using SQL Server Audit for SQL Server and Azure SQL Database Auditing for Azure SQL Database and Azure SQL Data Warehouse. These tools are only available in certain products and are not used interchangeably.
- To achieve redundancy and implement an effective disaster recovery strategy, customers can use built-in disaster recovery features such as active geo-replication or geo-restore to replicate data across the data centers of your choice. This type of disaster recovery plan can also be implemented for SQL Server databases running in multiple Azure virtual machines.
- Use Vulnerability Assessment reports as a security assessment tool as part of a Data Protection Impact Assessment (DPIA).
- In Azure SQL Database, use the Azure Data Catalog to provide insights into the processing of data to help inform the creation of a DPIA.
- In Azure SQL Database, use Azure SQL database auditing and in SQL Server use SQL Server Audit to gain useful input for performing a DPIA.
If you are looking for information that may help you perform a DPIA addressing the use of Azure, Microsoft provides detailed information regarding its processing of customer data and the security measures used to protect that data. This information is accessible via the Microsoft Trust Center. Learn more about Microsoft and customer data.
- What data Microsoft collects and processes from customer systems and end users
- How and where Microsoft sends customers' data, including geo locations
- Sub-processors who have access to customers' data
- Details on Azure security measures administered by Microsoft
- Details regarding Microsoft's privacy reviews process, conducted for all products, including all Azure services
Get on track to address data privacy compliance
Find out how Microsoft SQL-based technologies can help you improve data security to comply with the GDPR in this Guide to enhancing privacy and addressing GDPR requirements with the SQL Server platform white paper.Learn about SQL Server platform and the GDPR