
📜 How to adapt SQL Server to GDPR – GDPR Series (1/5)

What is the GDPR?

The General Data Protection Regulation, also known by its acronym GDPR, is the law on the protection of personal information that has had to be complied with throughout the European territory since May 25, 2018.

Basically, this regulation seeks to protect and enable the privacy rights of individuals, establishing strict restrictions on the treatment and protection of data that bear directly on individual rights (such as the right to access their own information or to refuse the processing of their personal data).

The GDPR also seeks to guarantee the security of personal information regardless of where it is being stored, sent or processed. Some of the data that this new regulation wants to protect are identification numbers, e-mail addresses, publications on social networks or medical information, among others.

What steps does Microsoft propose to adapt to it?

Microsoft has indicated its commitment to compliance with the GDPR and to supporting customers in the process of adapting to it. That support extends throughout its technology environment, and therefore to the Microsoft SQL Server environment. Microsoft recommends that companies begin their adaptation to the Regulation by focusing on four main aspects:


Determine what personal information is being managed and where it resides, identifying which servers or databases contain personal information or which rows or columns can be marked as containing it. SQL Server has several tools to discover the data, such as the sys.columns system table, Full Text indexes, Profiler or xevents.
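As an added example (not part of the original article), the query below uses sys.columns to list user-table columns whose names suggest personal data of the kinds mentioned above: identification numbers, e-mail addresses and medical information. The name patterns and category labels are assumptions to adapt to your own naming conventions.

```sql
-- Added example: discover candidate personal-data columns by name.
-- The patterns below are assumed keywords, not an official list.
DECLARE @patterns TABLE (
    category     nvarchar(40) NOT NULL,
    name_pattern nvarchar(60) NOT NULL
);

INSERT INTO @patterns (category, name_pattern) VALUES
    (N'Identification number', N'%passport%'),
    (N'Identification number', N'%national%id%'),
    (N'Identification number', N'%ssn%'),
    (N'E-mail',                N'%email%'),
    (N'E-mail',                N'%e[_]mail%'),   -- [_] matches a literal underscore
    (N'Medical information',   N'%medical%'),
    (N'Medical information',   N'%diagnos%'),
    (N'Medical information',   N'%health%');

SELECT
    s.name        AS schema_name,
    t.name        AS table_name,
    c.name        AS column_name,
    ty.name       AS data_type,
    c.max_length  AS max_length_bytes,
    p.category    AS suspected_category
FROM sys.columns AS c
JOIN sys.tables  AS t  ON t.object_id     = c.object_id
JOIN sys.schemas AS s  ON s.schema_id     = t.schema_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
-- Force a case-insensitive comparison so the result does not depend
-- on the database collation.
JOIN @patterns   AS p
  ON c.name COLLATE Latin1_General_CI_AI LIKE p.name_pattern
WHERE t.is_ms_shipped = 0          -- skip system-supplied tables
ORDER BY s.name, t.name, c.column_id;
```

Run it in each database that may hold personal data. Name matching only surfaces candidates, so columns with uninformative names or free-text content still need a review of the data itself.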


Supervise how this personal information can be accessed and how it is processed and used, making sure that the permissions granted to the people who access the data are the minimum necessary to do their job. In SQL Server this can be achieved by controlling permissions with SQL Server Authentication, masking data with Dynamic Data Masking, or filtering the data that a user can see in a table with Row-Level Security.


Establish security controls to prevent, detect and react to weaknesses and breaches in data protection. This requires different methods for different types of information and scenarios. To protect the data, SQL Server has several encryption mechanisms at a physical and logical level, such as encryption of connections, Transparent Data Encryption and Always Encrypted. We can also control who is accessing the data, and when, by using SQL Server Audit.

Monitor and Report

Save audits of all operations related to the handling of personal information, manage information requests, and notify when a breach of the regulation occurs. Also track these processes and procedures to ensure that they are kept up to date.

Finally, in SQL Server we can track the record of changes or access to a table with System-Versioned temporal tables and also with SQL Server Audit, and report those failures through SQL Alerts and DB Mail, or through graphical panels in real time with Power BI.

If you still have any questions, below we leave you an explanatory video in Spanish.

GDPR Series:

  1. How to adapt SQL Server to the GDPR
  2. Discovering and classifying personal data with SQL Server
  3. Managing access and use of data with SQL Server
  4. Protecting data at Rest, in Use and in Transit
  5. Monitor and Report unauthorized access to Personal Data