MySQL and GDPR


What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation created by the European Union, but with global reach. Before being a regulation, it is above all a solid set of best practices that every company collecting and handling data from individuals (natural or legal persons) should adopt if they want to protect their institutional image and, of course, mitigate financial losses.

GDPR is neither a fad nor a passing trend. It started being drafted in 2010 and began to take shape around 2012. It was approved in 2016, with enforcement starting June 25, 2018, so companies had nearly two years to comply.

Initially created to protect data of citizens from European Union member countries, GDPR is rapidly becoming a global standard for good data governance and mandatory compliance.

How does this affect my company and/or my online product/site?

Today? Honestly? Very little if you don’t capture or handle data from European citizens. Although many vendors are eager to sell “killer” software and services that claim to solve all GDPR issues, the reality is different.

Still, GDPR is one of the most comprehensive and well-designed data governance frameworks I’ve seen in over 30 years in IT. It’s a complete, free guide for data governance.

If your company wants to look good in the eyes of customers and regulators, trust me — you will need to comply. Expect to see badges like “100% GDPR Compliant” or “GDPR Approved” soon.

What are the main points of GDPR?

Many “GDPR experts” with “20+ years of experience” predict corporate disasters if you don’t buy their solutions. It’s not like that. The main points are:

  • Every citizen has the right to know when and which of their data are collected, how they are used, and, above all, that they will be protected and not misused by anyone.
  • Explicit consent is required for data collection, with mechanisms for citizens to request data deletion.
  • Data portability between services is guaranteed.
  • In case of data breaches, full transparency and notification to authorities and the public within 72 hours is mandatory.
  • Data protection must be embedded end-to-end in every service and application from the start of development, ensuring hardware, software, services, data, and data disposal are secure.
  • Creation of the DPO (Data Protection Officer) role responsible for coordinating data handling and security.

Do I have to replace my MySQL database? Is it GDPR compliant?

As wise Master Yoda said: “Patience you must have, my young Padawan.” The full GDPR text is available in Portuguese on EUR-Lex. I’ve read many legal and technical texts, attended Oracle OpenWorld Brazil sessions on GDPR, and talked to many experts.

My answer about MySQL GDPR compliance will surprise you: It depends!

GDPR is not about your RDBMS—whether MySQL, DB2, Oracle, PostgreSQL, or SQL Server. It is not about specific features or licenses. Don’t let license sellers fool you.

GDPR is about corporate best practices and respect for your customers and their data (data governance).

So, it’s no use having legal cookie banners on your site, running Oracle Database with Vault and Firewall, or NASA-grade edge firewalls if your data can be easily traded on shady websites.

GDPR is purely the application of best practices. How those practices are implemented technically and the countermeasures adopted have little to do with which RDBMS you use, free or paid.

CONCLUSION: MySQL, whether Community (free) or Enterprise (paid subscription), can be fully GDPR compliant. It’s even the official database of Asgard.

Some RDBMS offer native or add-on tools that ease GDPR implementation, but all can reach 100% compliance.

Where do I start?

First, don’t panic. Second, panic a little. And finally, take it one step at a time.

For MySQL, here are some tips:

  • Edge Firewall: Make sure all app and DB servers are protected from external and internal threats.
  • Host Firewall: Don’t assume app servers are secure—implement firewalls on each server.
  • Minimize User Access: Don’t allow indiscriminate access; less is more.
  • Avoid Excess Privileges: Stop using root access unnecessarily.
  • Strong Passwords: No more “Melissa2008!” Require complex passwords and use password managers.
  • Keys and MFA: Implement key-based access plus multi-factor authentication ASAP.
  • Encrypted Tablespaces: MySQL 5.6+ supports disk encryption, protecting data files from theft with minimal performance impact.
  • Encrypted Backups: Use tools like xtrabackup for encrypted backups. Logical dumps may be OK for small DBs but should be encrypted.
  • Avoid Obvious Object Names: Don’t name tables/columns like “SensitiveCustomerData” or “PlaintextPasswords.” Use proper logical and physical data modeling tools.
  • Never store full credit card or banking info.
  • Don’t process data without prior customer authorization.
  • Don’t sell customer data. Many free software companies do this — it’s a big industry.
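Several of the tips above (strong passwords, minimal access, no root for the application, encrypted tablespaces, no full card data, recorded consent) can be put in place directly from a MySQL 8.0 session. The script below is an added illustration, not part of the original post; the schema name shop, the account app_rw, the network range 10.0.1.% and the column names are assumptions to adapt to your own environment.

```sql
-- MySQL 8.0 syntax. Schema "shop", user "app_rw" and host range 10.0.1.%
-- are assumed for illustration; adapt them to your environment.

-- 1. Strong passwords: enforce the policy on the server instead of trusting users.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';
SET PERSIST validate_password.length = 14;

-- 2. Minimal access, no root for the application: one account, one network
--    range, TLS required, rotation, and lockout after repeated failures (8.0.19+).
CREATE USER 'app_rw'@'10.0.1.%'
  IDENTIFIED BY 'REPLACE-WITH-A-GENERATED-SECRET'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app_rw'@'10.0.1.%';
-- No FILE, SUPER, DROP or GRANT OPTION: the application account cannot write
-- files from the server or widen its own privileges if it is compromised.

-- 3. Encrypted tablespace (a keyring component or plugin must be loaded first).
--    Column names describe purpose, not sensitivity; card data is only a
--    processor token plus the last four digits; consent is stored with the
--    version of the terms the customer actually agreed to.
CREATE TABLE shop.customer (
  id               BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  email            VARCHAR(254) NOT NULL,
  consent_version  VARCHAR(16)  NOT NULL,
  consent_given_at DATETIME     NOT NULL,
  payment_token    VARCHAR(64)  NULL,   -- token issued by the card processor
  card_last4       CHAR(4)      NULL,   -- never the full PAN or the CVV
  UNIQUE KEY uk_customer_email (email)
) ENGINE=InnoDB ENCRYPTION='Y';

-- 4. Checks to run afterwards: accounts that may still connect without TLS,
--    and InnoDB tablespaces in the schema that are not encrypted (8.0.13+).
SELECT user, host, ssl_type
FROM mysql.user
WHERE ssl_type = '';

SELECT name, encryption
FROM information_schema.innodb_tablespaces
WHERE name LIKE 'shop/%' AND encryption = 'N';
```

Both check queries should return no rows once the policy is applied; any row they return is a gap to close before a breach notification forces you to explain it.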

These are some of the steps towards happy GDPR compliance. But are you only worried about GDPR? Have you heard of Brazil’s Marco Civil da Internet (Law 12.965/14), HIPAA, PCI, Sarbanes-Oxley?

GDPR will influence how data is collected, stored, processed, and discarded in the medium and long term. Other regulations may have more immediate impact.

Use MySQL without hesitation in the GDPR era!
