Encryption required for Website storing personal details - GDPR

19-11-2019 1:09pm #1

Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

The website is PHP / MySQL.

We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?

Baz_ · 20-11-2019 7:15am

Not to be too smart of an arse, but have you tried a search engine?

daymobrew · 20-11-2019 10:01am

AFAIK GDPR has nothing to do with encryption but to ensure you have permission to store data. Obviously you should do your best to ensure that access to the data is limited to authorised persons e.g. good passwords and secure code.

listermint · 20-11-2019 10:05am

Data should be obfuscated in he dB. It should only be stored if it has a current applicable need between the business and the customer. Once that need has expired the data should be wiped in full.

Access to the data should be limited and should be logged when it has been accessed or modified.

There should be regular automated processes to remove any expired data. So your retention policies need to be robust.

BailMeOut · 20-11-2019 10:11am

GDPR has rules relating to data breach or if data is stolen so you need to protect the user data properly. Encrypting the at rest mysql data is a good start but all the other normal best practises on security should be adhered to. Is the server behind a firewall, are proper rules in place, are you fully security patched all the time, do you use MFA and good passwords,SSL, etc,. ..

Is this website publiclly accessible?

CSSE09 · 20-11-2019 10:12am

If you haven't already done it make sure the site is using ssl

20-11-2019 11:34am

GDPR isn't prescriptive (it can't be). It states:

Article 5.1.f wrote:

Personal data shall be:
...
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

"Appropriate security" is going to be highly dependent on your specific situation.

biko · 22-11-2019 12:31pm

https://gdpr-info.eu/issues/encryption/

Jim2007 · 22-11-2019 1:50pm

19233974 wrote: »

Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

The website is PHP / MySQL.

We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?

Well if you are hosting the website on a hosting service not under your control it really won't matter what encryption you use, it will be in breach of the rules in any case.

DeconSheridan · 22-11-2019 8:52pm

19233974 wrote: »

Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

The website is PHP / MySQL.

We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?

At the high end your Business will be ISO/IEC 27001 compliant.
At the low end your going to implement your own version of Information security by the choices you make.

Encrypting the DB storage should really be the least of your worries and id be more focused on the front end attack vectors such as logins and admin logins, privileges users both customers and workers have and db service accounts asking the database server for data.

A common mistake many make is having the Web Application DB credentials to your Database a Super user :eek: on the DB when really they might only require to RW and update credentials but maybe more. This can lead to potential disasters in the event of a breach and loss of data even whole databases.

You do really need to lock down the Web Server and Database from the perspective of Sessions and Logins and who has access and what accounts are doing what including DB Service accounts.

As Always backups (Regular) are king and can and do save the day! Id recommend VEEM, i'm not affiliated...

Encryption required for Website storing personal details - GDPR

Comments