I want to discuss my idea of using a single Cosmos DB collection (which costs from about $25/month) as a blockchain-style GDPR log, with the following goals:
- Tracking access to data – who accessed what and when. If all access to data goes through a unified interface (UI and/or API), you can track every access and thus show that only authorized personnel have read the data. That means, though, that search results in your CRM-like system should not contain too much information; otherwise tracking becomes more complicated, because the back-office user sees data about multiple data subjects on one page.
- Tracking data modifications – one of the principles of GDPR is “integrity”: you have to keep the data correct, so every modification should be logged. That way you can reconstruct an old state or prove that the modifications happened for a reason. This, again, relies on having a centralized interface.
- Logging GDPR-specific activities – e.g. when a data subject invokes their rights. Each request can be securely logged so that you can prove to the authorities the exact sequence of events relating to a particular data subject.
- Logging consent and the accompanying circumstances – date, time, IP address, etc. You can then also log consent withdrawal, so the consent history of the data subject is visible in one place and you can prove to regulators when you had, and when you did not have, consent for processing.
We just need to integrate this blockchain logging into our n-tier .NET Core solution, probably in our generic repository or at the database level, for example using triggers.
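As an added example (my own illustration, not code from the original post), here is how the hash-chained audit log described above could look in C# inside such a .NET Core solution. It assumes .NET 5 or later; the in-memory `List` standing in for the Cosmos DB collection, the `AuditEntry` fields, the `GdprAuditChain` class and the sample events are all my own constructions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
// One audit entry (constructed schema); Hash covers all other fields, including the previous entry's hash.
public sealed record AuditEntry(long Sequence, long AtUnixMs, string Actor, string DataSubjectId,
                                string Action, string Details, string PreviousHash, string Hash);
public static class GdprAuditChain
{
    public static readonly string GenesisHash = new string('0', 64);
    // Hash a canonical JSON array so the same logical entry always yields the same digest.
    public static string ComputeHash(long seq, long atMs, string actor, string subject, string action, string details, string prev)
    {
        string canonical = JsonSerializer.Serialize(new object[] { seq, atMs, actor, subject, action, details, prev });
        return Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(canonical)));
    }
    // Append an event (access, modification, consent, rights request, ...) linked to the current head of the chain.
    public static AuditEntry Append(IList<AuditEntry> chain, string actor, string subject, string action, string details, long atMs)
    {
        string prev = chain.Count == 0 ? GenesisHash : chain[^1].Hash;
        long seq = chain.Count;
        var entry = new AuditEntry(seq, atMs, actor, subject, action, details, prev, ComputeHash(seq, atMs, actor, subject, action, details, prev));
        chain.Add(entry);
        return entry;
    }
    // Returns the index of the first entry whose link or digest does not check out, or -1 if the whole chain is intact.
    public static int Verify(IReadOnlyList<AuditEntry> chain)
    {
        string expectedPrev = GenesisHash;
        for (int i = 0; i < chain.Count; i++)
        {
            var e = chain[i];
            if (e.Sequence != i || e.PreviousHash != expectedPrev) return i;
            if (ComputeHash(e.Sequence, e.AtUnixMs, e.Actor, e.DataSubjectId, e.Action, e.Details, e.PreviousHash) != e.Hash) return i;
            expectedPrev = e.Hash;
        }
        return -1;
    }
    public static void Main()
    {
        var chain = new List<AuditEntry>();   // stands in for the Cosmos DB collection (constructed sample data below)
        long t = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
        Append(chain, "crm-api", "subject-42", "ConsentGiven", "ip=198.51.100.7 purpose=newsletter", t);
        Append(chain, "alice@backoffice", "subject-42", "Read", "fields=email,phone", t + 1);
        Append(chain, "alice@backoffice", "subject-42", "Update", "phone changed, ticket #123", t + 2);
        Console.WriteLine($"intact before tampering: {Verify(chain) == -1}");
        chain[2] = chain[2] with { Details = "no change" };   // simulate an after-the-fact edit of a stored entry
        Console.WriteLine($"first entry that fails verification: {Verify(chain)}");
    }
}
```

Verification only proves the stored chain is internally consistent; since anyone with write access to the collection could rewrite every entry and recompute the hashes, the latest hash should also be periodically anchored somewhere that database administrators cannot modify.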
With this logging in place we can give our customers reports about how their data was used. But this solution does not by itself protect our customers’ data from hackers.
To protect personal data from hackers we must store our production database on the least accessible server. Only the application and the senior developer(s) should be able to access the production database, and all of them should use secure channels such as a VPN to reach the production database and application. All computers, phones and tablets must run antivirus software. SSL/TLS must use forward secrecy, and with TLS 1.3 the 0-RTT (early data) feature should be disabled, because early data can be replayed.
Consider DDoS protection for your company and for your servers in the cloud.
Backups must be stored in secure storage.
Thanks to GDPR, the quality of developers and of development processes increases.
Happy coding 🙂