GDPR: How to store personal data?

Maybe you have noticed it. Privacy is an issue. A bit strange since there are only 22 days left until the new EU General Data Protection Regulation (GDPR) will become fully enforceable throughout the European Union.

So before end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how you should store private data is not straightforward. The GDPR has some guiding principles and you can find several documents with a title like ‘Privacy by Design’. But when adjusting your information systems and processes to be compliant with the GDPR you will definitely hit simple questions that are not simple and straightforward to answer.  One of such questions is:

How to store personal data?

The pain with the GDPR is that there is no straightforward answer. You will not find a clear and straightforward answer in the GDPR document itself. The GDPR answer on how to store personal data is by using  “appropriate technical and organisational safeguards”.  So you are screwed. IT consultants, auditors and lawyers know this and will try to convince you that the only way to answer this question is to do extensive (and expensive) risks assessments. Solid technical knowledge on how data is really stored within systems, databases, clouds, is scarce. So you will be forced to invest a lot of time doing business and organizational risks assessments and spend less time on evaluating important technical risks that come with open or closed IT technologies.

The simplest and best answer to the question is: Do not collect and store personal data. Make use of third party services for all kind of sub processes that are not the core of your business. In that case you transfer some needed customer details, but your service provider is responsible for (temporary) storage of this data. But be careful. This will not remove all your responsibilities!

doubtful answer for the storage question is: Make use of Cloud Storage services. Almost all Cloud Service Providers will advertise that they are fully GDPR compliant. But beware: Cloud Service Providers will have legal documents that are even larger and more complex than the GDPR document itself. The short summary is unfortunately always that you are still responsible for what you do and how. And also the GDPR will not help you, since you can not transfer your responsibility to a third party.

The easiest way to solve this problem is to do some architecture design. So create architecture building blocks that will form the basis of your solution. Next step is to find solution building blocks that will implement your architecture demands.



The good new is that on the technical solution level you will discover that you almost always need solution building blocks that will meet functionality like:

  • Identity and access management
  • (Secure)Data Storage
  • Logging and auditing
  • Encryption

You should use separate solution building blocks and make sure that when one will fail the personal data storage is still safe. So use principles like “Defense in depth” and compartmentalise among other crucial security principles.

The perfect simple secure “Data Storage” as simple technical answer for storing personal information does not exist. But smart is to standardize your IT landscape where possible by making use of reusable Solution Building Blocks (SBB’s). This prevents you from reinventing the wheel for every new GDPR challenge.

Encrypting data at rest (so storing data)  provides an effective protection against unauthorized or unlawful processing. It is especially effective to protect data against unauthorized access if the device storing the encrypted data is lost or stolen. To give you also some tips for using (secure) solution building blocks for storing personal data, think of using:

  • Make use of database encryption (All OSS databases support this perfectly, e.g. PostgreSQL, MariaDB , MongoDB)
  • Make use of file system encryption or storage device encryption
  • Make use of a secure Vault for the uttermost important secret information (Solid OSS implementations exist, like Hashicorp Vault )
  • Make use a fancy new blockchain technology enabled storage protocol. But mind: You MUST known what you are doing, since (secure)storage of data on a blockchain does not make it private by and compliant for GDPR usage by default.

This blog post will be added (after rewrite) as an extension on the ‘Open Reference Architecture for Security and Privacy‘. We are working on an renewed version. Please join us!