DBAs - Is Your Company’s Personal and Sensitive Data Safe?

John Pocknell
Sr. Solutions Product Marketing Manager, Information Management Group, Quest Software

Debra J. Farber
JD, CISSP, CIPP/US/G/E, CIPT, CIPM, FIP
Sr. Director, Privacy Strategy at BigID
Actionable identity data intelligence
PROTECTION PRIVACY GOVERNANCE
What identity data do I have? Where is it? Whose data is it? How is it used? Is it compliant?
Why Today’s Discovery & Classification Fail
Legacy Approaches Can’t Meet Today’s Needs
• Can’t Find PI vs PII & Contextual Data
• Can’t Find Data By Person vs Type
• Don’t Operationalize Privacy Compliance
• Lack Scale & Accuracy
• Limited Data Source Coverage
What’s Missing in Legacy Approaches
Privacy is a Game Changer
• Doesn’t know whose data it is
• Cannot detect PI (contextual PII)
• Too many false positives
• Either business OR data driven
• Don’t know how the data is used
BigID ML Driven Classification Platform
Mine, Machine, Manage
Agentless, Any data type, Cloud
Analysis, Reporting, API
Classify Data, Files, Data Stores By Type, Person, Residency, Access, Similarity & More
30+ Patent Filings
• Correlate By Relevance
• Classify By Type & Similarity
• Catalog Metadata
BigID’s Data Intelligence Platform Provides Privacy-centric Data Insight
Data Driven Privacy For GDPR, CCPA & Global Privacy
• Find all PI for GDPR DSAR & CCPA Data Rights
• Document Data Usage for GDPR RoPA & CCPA Inventory
• Assess Data & Access Risk On Continuous Basis
• Rapid Breach Identification & Response
• GDPR Consent & CCPA Opt Out & Sale Restriction
Global privacy regulations
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Protection of Personal Information Act 2013 (POPI)
• General Data Privacy Law (LGPD) 2018
• The Privacy Protection Act (PPA) 2017
• Personal Data Protection Act (PDPA) 2012
• Personal Information Protection Act (PIPA) 2011
• Personal Information Security Specification 2018
• Act on Protection of Personal Information (APPI) 2017
• Australia Privacy Principles 2014
• General Data Protection Regulation (GDPR 2016)
• Personal Data Protection Bill 2018
• Federal Data Protection Law 2000
• Data Protection in Act (pending)
• California Consumer Privacy Act (CCPA) 2018
Privacy engineering = privacy + engineering
Privacy engineering = “the field of research and practice that designs, implements, adapts, and evaluates theories, methods, techniques, and tools to systematically capture and address privacy issues when developing sociotechnical systems.” (Sjaak Brinkkemper)
Methods, Techniques, Tools
How privacy protection needs impact DBA functions
• Correlate PI prior to classification
• Inventory & map data
• Data classification & labeling
• Data access
• Monitor movement of PI
• Consent governance & tracking
• Breach response
NIST’s privacy engineering objectives
• Predictability
• Manageability
• Dissociability
NIST’s components for privacy engineering
• Laws, Regulations, FIPPs
• Risk Models
• Privacy engineering & Security objectives
• Risk Management Framework
• Privacy Impact Assessments (PIA)
Putting Privacy Engineering into Practice
Extending security tools to address privacy requirements
Data Intelligence for DBA Privacy Awareness
• Leverage DBA tools’ visibility into schemas, tables and databases with PI correlation to extend policies and automated enforcement
• Tag tables to activate identity-aware policies
Consolidate security and privacy governance
• Inform access policies based on data residency, consent, sensitivity and policy
• Enable the ability to query by data subject/individual and generate reports to satisfy data subject access requests
Next Steps for Privacy engineering
Methods, Techniques, Tools
• Privacy changes the function of DBAs
• Having the right tools in place helps DBAs make the right privacy decisions
• Privacy requirements reinforce the need for security, but also potentially add a data stewardship function
• To be better data stewards, DBAs need automated controls that leverage data intelligence
DBAs - Is Your Company’s Personal and Sensitive Data Safe?

John Pocknell
Sr Solutions Product Marketing Manager, Information Management
Trends: Prevalence of Data Breaches
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Numbers indicate the # of individuals involved in the breach
Background
• Other US data privacy regulations (HIPAA, PCI, SOX) are already in force, but GDPR may result in tighter regulation.
• Less than half (47%) of US companies have set up an internal GDPR taskforce [1].
  – Only 18% of Fortune 500 companies have appointed a Data Protection Officer (a GDPR requirement)
• 70% of employees have access to data they should not [2].
• It is estimated that the US and EU will require 28,000 DPOs [3].
• DBAs have the right skills and understanding of the data to make a real difference.
[1] https://www.paulhastings.com/news/details/?id=5ae5ed69-2334-6428-811c-ff00004cbded
[2] https://hbr.org/2017/05/whats-your-data-strategy
[3] https://www.computerweekly.com/news/450283253/GDPR-will-require-28000-DPOs-in-Europe-study-shows
Who is responsible?
• CTO/CIO responsible for implementing company strategy including implementation of data security policies.
• GDPR requires the appointment of a Data Protection Officer to act as an independent overseer of the corporate data protection strategy and ensure compliance with GDPR.
• Data Controllers are also required to determine the purpose and means of processing personal data.
  – In many companies, a Data Controller is likely to be a DBA who manages the databases.
  – A DBA will be required to identify personal data in their systems and implement the necessary protection measures.
What’s the problem we need to solve?
DBAs need:
• A simple and effective way to identify “sensitive” data in their databases.
  – Sensitive data is a broader definition than personal data
• To be able to define what constitutes sensitive data
• To report on where sensitive data is
  – and be able to have regular checks to identify when something changes.
• To be able to apply the appropriate protection measures
• To be able to automate as much as possible.
Toad® for Oracle - Sensitive Data Awareness – What is it?
• Aimed at developers.
• Alerts developers to sensitive data as they write code in the Editor or as they create and alter tables. Highlights the offending column name.
• If Toad identifies sensitive data columns based on the search rules a DBA specified, then the developer can take action to protect the data (permissions allowing) using Oracle features.
Toad® for Oracle - Sensitive Data Protection – What is it?
• Aimed at DBAs.
• Enables search of potentially sensitive data based on pre-defined or customizable rules. DBAs define what sensitive data means to them.
• Run searches on-the-fly or automate and schedule them as part of DB admin tasks.
• Rules provide search criteria based on common column-naming conventions (metadata) and data content formats (data polling). Search results can be exported into a number of file formats.
• Scans all tables in an Oracle schema and identifies where sensitive data exists based on column names or data content.
• Included with DB Health Check feature
• Search and discovery can be automated
Requires the Sensitive Data Protection module.
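An added example (not Toad's or Quest's code) of the two rule types just described: a small Python scan over a constructed in-memory SQLite schema that flags columns by naming convention (metadata) and, for innocuously named columns, by polling sampled values against content formats. Toad runs this kind of search against Oracle; the rule set, tables and values here are constructed for illustration.

```python
import re
import sqlite3

# Two rule types, as the slide describes: column-naming conventions (metadata) and
# data-content formats (data polling). Names and patterns are constructed, not Toad's.
COLUMN_NAME_RULES = {
    "ssn":   re.compile(r"(^|_)(ssn|social_sec\w*)($|_)", re.I),
    "email": re.compile(r"e?mail", re.I),
}
CONTENT_RULES = {
    "ssn":   re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
}

def scan_schema(conn, sample_rows=100, min_ratio=0.5):
    """Return [(table, column, rule, how)]; 'how' is 'name' for a metadata hit,
    'content' when a sample of the column's values matches a sensitive format."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            name_hit = next((rule for rule, rx in COLUMN_NAME_RULES.items()
                             if rx.search(col)), None)
            if name_hit:
                findings.append((table, col, name_hit, "name"))
                continue  # metadata already flagged it; no need to poll data
            # Data polling: flag the column when most sampled values match a format.
            values = [r[0] for r in conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                (sample_rows,))]
            for rule, rx in CONTENT_RULES.items():
                hits = sum(1 for v in values if rx.match(str(v).strip()))
                if values and hits / len(values) >= min_ratio:
                    findings.append((table, col, rule, "content"))
                    break
    return findings

def demo_db():
    """Constructed sample schema: employees.ssn is caught by its name, while
    support_tickets.contact reveals nothing by name and is caught by content."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER, full_name TEXT, ssn TEXT, dept TEXT);
        CREATE TABLE support_tickets (id INTEGER, contact TEXT, body TEXT);
        INSERT INTO employees VALUES (1, 'Ada Example', '123-45-6789', 'IT'), (2, 'Bob Example', '987-65-4321', 'HR');
        INSERT INTO support_tickets VALUES (1, 'ada@example.com', 'Reset request'), (2, 'bob@example.com', 'Login issue');
    """)
    return conn
```

Calling `scan_schema(demo_db())` lists both the column caught by name and the one caught only by content, which is the case a pure column-name search misses.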
Demo
The result?
• DBAs will become the “superheroes” [4] who help protect their company’s data and reputation.
• This is great for DBAs at a time when their role is changing:
  – Growth of “autonomous” databases leading to fewer traditional admin tasks
  – Growth of cloud services
  – Scaling back data centres
  – Increasing need for good database design
  – Need to become “data strategists”
[4] https://www.itproportal.com/features/gdpr-will-turn-dbas-into-superheroes/
What’s Next?
• Identify and report on sensitive data access in a DevOps pipeline.
• Leverage Toad® DevOps Toolkit to programmatically call sensitive data search amongst Oracle schema changes.
• Sensitive Data Protection on other database platforms.
Resources
• White Paper “8 Questions DBAs Need to Answer about Data Privacy and Protection”
• Toad World Community blog “PII – It’s Not Just For Dessert!”
• Trial download and other Toad for Oracle resources: https://www.quest.com/products/toad-for-oracle/
Requesting Your Feedback
• Survey on sensitive data protection.
• Designed to gather feedback on user experiences, problems and needs.
• Many paid opportunities.
• Sign up at https://forms.gle/m1pQZ82CTSnwV9pMA