undefined | Better HN

0 pointsorf8y ago0 comments

> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

So not a database query itself, but the thing that drives the database query. It also extends to things like logs - aka don't keep a log full of SQL queries that are full of peoples personal information. Don't ship that log off to some third party, or make it available to random people.

For web apps it's mostly the storage and retrieval aspects that are important. Don't store too much PII. Don't allow anybody to access it at the DB level. Implement appropriate access restrictions at the web-app level.

0 comments

2 comments · 1 top-level

mirko228y ago· 1 in thread

actually what you quoted might as well apply to query as it is actually processing data... and again the point is the regulation is vague... it can be interpreted in multiple way before we get precedents.

orfOP8y ago

It applies to anything that contains PII, so sure you should ensure your queries are not sent in plaintext over the network and are not logged unnecessarily. There isn't much else that can be done.

It is perhaps a bit too abstract, but that's because it's covering a highly complex topic, but I don't think it's too vague on this: If it contains PII, protect it. Which, of course, you should be doing already.

j / k navigate · click thread line to collapse