GDPR: encryption at-rest instead of data lookup tables


Question

Encryption at-rest is storing data inside your storage/database in encrypted format. During processing you need to decrypt the data every time, calculate something and then encrypt everything back (encryption is managed by the storage).

Does encryption at-rest resolve the "right to be forgotten" issue? When can you not go with encryption at-rest and should instead choose data lookup tables and pseudo-anonymization?

Unlike data lookup tables, encryption at-rest is much easier to implement. It can affect your performance though, and maybe billing.

AFAIK, due to GDPR you shouldn't stop processing or remove anonymized data. On the other hand, ETL jobs must have permissions to decrypt data. This means everyone who has privileges to run a job (i.e. a developer, data scientist or QA) will still be able to decrypt (de-anonymize) the data with the encryption key.

Answer

If encryption is occurring at the storage layer then it does not help with the right to be forgotten. If you want to use encryption to solve the right to be forgotten challenge, then I would suggest using a unique encryption key per data subject. If a data subject needs to be forgotten, you can then delete your copy of the encryption key and you have effectively "crypto-shredded" all the data that is protected by that key. For this to work best you would need to carefully design your architecture (e.g. can you keep the key separate from the data, so that it isn't backed up, and find another way to ensure availability of current keys in a DR scenario, etc.).

A data lookup table is the equivalent of a tokenization service, where you're replacing a data subject's name or other details with a token. By deleting (or altering) the token in the data lookup table you have removed the ability to resolve the token back to the actual data subject. This would provide a lesser degree of assurance as to the level of "forgotten-ness" that had been achieved, as you might still be able to identify a data subject indirectly through other information about them. Have a look at https://en.wikipedia.org/wiki/K-anonymity to understand this concept in depth.
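As an added illustration that is not part of the original question or answer, the following Python sketch puts the two options the answer contrasts side by side: a per-subject-key store where "forgetting" deletes only the key (crypto-shredding), and a token lookup table where forgetting deletes the mapping but leaves the analytics row behind, followed by an equivalence-class count over the row's quasi-identifiers to show why that gives weaker assurance. All names, postcodes and years are constructed sample data, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream plus HMAC tag) chosen so the file runs offline; a real deployment would use a vetted AEAD such as AES-GCM with keys held in a KMS/HSM-backed vault.

```python
"""Added example, not from the original Q&A: crypto-shredding vs. tokenization.

Assumptions: sample data is constructed; the cipher below is a stdlib stand-in
for a real AEAD (use AES-GCM and a KMS/HSM-backed key vault in production).
"""
import hashlib
import hmac
import secrets
from collections import Counter


def _subkey(key, label):
    # Domain-separate the encryption and MAC keys from one subject key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class CryptoShredStore:
    """Per-subject keys in a vault kept apart from the data; records hold only ciphertext."""

    def __init__(self):
        self.key_vault = {}  # subject_id -> key (not part of data backups)
        self.records = {}    # subject_id -> [encrypted blobs]

    def store(self, subject_id, data):
        key = self.key_vault.setdefault(subject_id, secrets.token_bytes(32))
        self.records.setdefault(subject_id, []).append(encrypt(key, data))

    def read(self, subject_id):
        key = self.key_vault[subject_id]  # KeyError once the subject is forgotten
        return [decrypt(key, blob) for blob in self.records[subject_id]]

    def forget(self, subject_id):
        del self.key_vault[subject_id]  # ciphertext stays but is now unrecoverable


class TokenStore:
    """A data lookup table (token -> identity) beside a row of analytics data."""

    def __init__(self):
        self.lookup = {}  # the lookup table
        self.rows = []    # token plus quasi-identifiers used by analytics

    def store(self, name, postcode, birth_year):
        token = secrets.token_hex(8)
        self.lookup[token] = name
        self.rows.append({"token": token, "postcode": postcode, "birth_year": birth_year})
        return token

    def forget(self, token):
        del self.lookup[token]  # the analytics row is left in place


def equivalence_classes(rows, quasi_identifiers):
    """Size of each group of rows sharing the same quasi-identifier values (k-anonymity)."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)


def demo():
    shred = CryptoShredStore()
    shred.store("subject-1", b"Alice Example, 12 Rose Lane")  # constructed
    readable_before = shred.read("subject-1")
    shred.forget("subject-1")
    try:
        shred.read("subject-1")
        readable_after = True
    except KeyError:
        readable_after = False

    tok = TokenStore()
    alice = tok.store("Alice Example", "SW1A 1AA", 1984)  # constructed rows
    tok.store("Bob Example", "E1 6AN", 1990)
    tok.store("Carol Example", "E1 6AN", 1990)
    tok.forget(alice)
    classes = equivalence_classes(tok.rows, ["postcode", "birth_year"])
    alice_class_size = classes[("SW1A 1AA", 1984)]  # 1: her row still singles her out
    return readable_before, readable_after, alice_class_size
```

Running `demo()` shows the difference the answer describes: after the key is deleted the encrypted record is still in `records` but can no longer be read, whereas after the token mapping is deleted Alice's analytics row remains and, with a class size of 1 on (postcode, birth year), is still indirectly identifiable; the `key_vault` being a separate structure from `records` is the "keep the key separate from the data" design point.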
