Implementation Of GDPR With SQL Server And Azure SQL Database

Ojash Shrestha
Jun 8, 2021

GDPR was introduced to improve the management and protection of the personal data of ordinary users. In an era when news of a data breach arrives every other day, GDPR sets the guidelines that organizations in the EU and EEA are obliged to follow, closing a long-standing gap in legislation protecting users' data. However, it isn't easy for an individual organization to process data and provide the level of security that the GDPR guidelines call for. Each organization needs to document where personal data is located and stored, and apply GDPR to it. For systems in an early stage of development, it may be easier to identify the business processes and apply GDPR to them. Still, it is a complex task, and numerous organizations look for a third-party solution to manage and control the security measures that GDPR suggests. To meet this need, Azure SQL Database provides built-in mechanisms and tools that help a system become GDPR compliant. In this article, we dive deeper into various GDPR guidelines and the prospective solutions that Azure provides.

Topics covered in this article:

  • Brief about GDPR and its constituent articles
  • SQL Server / Azure Database GDPR Ready Features
  • SSMS: Data Discovery and Classification
  • Challenges


General Data Protection Regulation (GDPR) is a regulation on privacy and data protection in the European Union which addresses the transfer of personal data across and outside the European Union (EU) and European Economic Area (EEA). In May 2018, all of the EU started to implement the new General Data Protection Regulation to protect the right to private life as a universal human right, and the right to have one's personal data safeguarded as a distinct, standalone universal human right. It is a positive step for users, whose data it safeguards, but it can be challenging for vendors to design, develop and maintain a secure system.

There have been hundreds and thousands of data breaches over the years. Some of these breaches and hacks have wiped out billions of data at some companies.

The following visualization from Data Breaches and Hacks shows the size of the impacts recorded by the data breaches annually.

Check out the Have I Been Pwned website to see whether your email ID or phone number has been put at risk by data breaches at the various companies whose services you have used.

GDPR Article 25 — Data Protection by Design and Default

This article of the GDPR states that the controller is supposed to take the necessary organizational and technical measures to ensure that, by default, users' data is protected and is not made accessible without the individual's consent. We can control access to users' personal data and the way that data is processed, stored and accessed in the future.

  • Use Authentication in SQL Server (Windows and Mixed Mode)
  • Azure Active Directory Authentication
  • Object Level Permissions
  • Role-Based Security
  • Firewall (Azure SQL Database)
  • Dynamic Data Masking
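
Three of the features listed above (role-based security, object-level permissions and Dynamic Data Masking) combined in T-SQL, as an added example that is not part of the original article. The table, role and user names are hypothetical and the row is constructed.

```sql
-- Added example. dbo.Customer, the roles and the demo users are hypothetical.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone      VARCHAR(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL,
    BirthDate  DATE          MASKED WITH (FUNCTION = 'default()') NULL,
    Notes      NVARCHAR(400) NULL
);

-- Constructed sample row.
INSERT INTO dbo.Customer (FullName, Email, Phone, BirthDate, Notes)
VALUES (N'Jane Example', N'jane@example.com', '555-010-1234', '1990-04-12', N'constructed row');

-- Role-based security: permissions are granted to roles, not to individual users.
CREATE ROLE SupportAgent;
CREATE ROLE PrivacyOfficer;

-- Object-level permissions: support staff may read only the columns they need.
-- Nothing else is granted, so Notes and all writes stay inaccessible by default.
GRANT SELECT ON dbo.Customer (CustomerId, FullName, Email, Phone, BirthDate) TO SupportAgent;

-- The privacy officer can read every column and see unmasked values.
GRANT SELECT ON dbo.Customer TO PrivacyOfficer;
GRANT UNMASK TO PrivacyOfficer;

-- Users without logins let the effect be checked without creating real accounts.
CREATE USER support_demo WITHOUT LOGIN;
CREATE USER privacy_demo WITHOUT LOGIN;
ALTER ROLE SupportAgent   ADD MEMBER support_demo;
ALTER ROLE PrivacyOfficer ADD MEMBER privacy_demo;

-- Support agent: Email, Phone and BirthDate come back masked.
EXECUTE AS USER = 'support_demo';
SELECT CustomerId, FullName, Email, Phone, BirthDate FROM dbo.Customer;
REVERT;

-- Privacy officer: the same query returns the stored values.
EXECUTE AS USER = 'privacy_demo';
SELECT CustomerId, FullName, Email, Phone, BirthDate FROM dbo.Customer;
REVERT;
```

Dynamic Data Masking only changes what a query returns; the stored data is not encrypted, so it complements the permissions above rather than replacing them.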

GDPR Article 30 — Records of processing activities

Article 30 states that each controller, and the controller's representative, is responsible for maintaining records of all processing activities, such as the purposes of the processing, any disclosure of personal data, and so on.

It concerns the audit of all the records and of the personal data that is processed in the application.

  • Auditing (Azure SQL Database)
  • SQL Server Audit
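
A SQL Server Audit setup that records every read and write of one personal-data table, as an added example that is not part of the original article. It targets SQL Server rather than Azure SQL Database; the database, table and audit names and the folder `C:\SqlAudit\` are hypothetical, and the folder must already exist and be writable by the SQL Server service account.

```sql
-- Added example. GdprDemo, dbo.Customer, the audit names and C:\SqlAudit\ are hypothetical.
-- GO is the batch separator used by SSMS and sqlcmd.
USE master;
GO
CREATE SERVER AUDIT PersonalDataAudit
    TO FILE (FILEPATH = 'C:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT PersonalDataAudit WITH (STATE = ON);
GO
CREATE DATABASE GdprDemo;
GO
USE GdprDemo;
GO
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(256) NOT NULL
);
GO
-- Record every read and write of the personal-data table, by any principal.
CREATE DATABASE AUDIT SPECIFICATION PersonalDataAccess
    FOR SERVER AUDIT PersonalDataAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customer BY public)
    WITH (STATE = ON);
GO
-- Constructed activity so that the audit has something to record.
INSERT INTO dbo.Customer (FullName, Email)
VALUES (N'Jane Example', N'jane@example.com');
SELECT FullName, Email FROM dbo.Customer;
GO
-- Audit records are written asynchronously (QUEUE_DELAY above), so wait briefly.
WAITFOR DELAY '00:00:02';
GO
-- Review who touched the table, when, and with which statement.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_principal_name, object_name, statement
FROM sys.fn_get_audit_file('C:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = 'Customer'
ORDER BY event_time;
```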

GDPR Article 32 — Security of processing

Article 32 of GDPR stresses the importance of securing all data and its processing through pseudonymization and encryption of users' data, together with regular testing, evaluation and assessment to measure the effectiveness of the measures that ensure the security of the data.

Data should be encrypted and pseudonymized. A few measures to take are as follows:

  • Row Level Security (RLS)
  • Transport Layer Security (TLS)
  • Transparent Data Encryption (TDE)
  • Always Encrypted
  • SQL Server AlwaysOn
  • Point-in-Time Restore (Azure SQL Database)
  • Long-Term Retention (Azure SQL Database)
  • Active Geo-Replication (Azure SQL Database): you can read more about Active Geo-Replication in our last article, Azure SQL Database: Business Continuity and Disaster Recovery
  • Anonymization or Pseudonymization: Pseudonymization refers to the process of replacing the information that identifies an individual in the data with a pseudonym, so that the pseudonym can be used to refer to the person but does not allow the individual to be identified directly. Anonymized data, on the other hand, is data from which the individual cannot be identified.
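
The difference between pseudonymized and anonymized data, shown in T-SQL as an added example that is not part of the original article. All schema, table, view and role names are hypothetical and the rows are constructed.

```sql
-- Added example. vault, analytics, Analyst and all object names are hypothetical.
-- GO is the batch separator used by SSMS and sqlcmd.
CREATE SCHEMA vault;
GO
CREATE SCHEMA analytics;
GO
-- Re-identification map: the only place where a pseudonym meets a person.
CREATE TABLE vault.PersonMap (
    Pseudonym UNIQUEIDENTIFIER NOT NULL DEFAULT NEWID() PRIMARY KEY,
    FullName  NVARCHAR(100) NOT NULL,
    Email     NVARCHAR(256) NOT NULL UNIQUE
);
-- Pseudonymized working data: linkable per person, but with no direct identifier.
CREATE TABLE analytics.Orders (
    OrderId   INT IDENTITY(1,1) PRIMARY KEY,
    Pseudonym UNIQUEIDENTIFIER NOT NULL REFERENCES vault.PersonMap (Pseudonym),
    OrderDate DATE NOT NULL,
    Amount    DECIMAL(10,2) NOT NULL
);
GO
-- Constructed sample rows.
INSERT INTO vault.PersonMap (FullName, Email)
VALUES (N'Jane Example', N'jane@example.com'), (N'Omar Sample', N'omar@example.com');

INSERT INTO analytics.Orders (Pseudonym, OrderDate, Amount)
SELECT m.Pseudonym, o.OrderDate, o.Amount
FROM (VALUES (N'jane@example.com', CAST('2021-05-03' AS DATE), 49.90),
             (N'jane@example.com', CAST('2021-05-17' AS DATE), 15.00),
             (N'omar@example.com', CAST('2021-06-02' AS DATE), 120.00)
     ) AS o (Email, OrderDate, Amount)
JOIN vault.PersonMap AS m ON m.Email = o.Email;
GO
-- Anonymized output: aggregates only, no per-person key survives.
CREATE VIEW analytics.MonthlyRevenue AS
SELECT DATEFROMPARTS(YEAR(OrderDate), MONTH(OrderDate), 1) AS MonthStart,
       COUNT(*) AS OrderCount, SUM(Amount) AS Revenue
FROM analytics.Orders
GROUP BY DATEFROMPARTS(YEAR(OrderDate), MONTH(OrderDate), 1);
GO
-- Analysts work with pseudonymized and anonymized data, never with the map.
CREATE ROLE Analyst;
GRANT SELECT ON SCHEMA::analytics TO Analyst;
DENY  SELECT ON SCHEMA::vault     TO Analyst;
GO
-- Re-identification is possible only for a principal that can read the vault.
SELECT m.FullName, o.OrderDate, o.Amount
FROM analytics.Orders AS o
JOIN vault.PersonMap  AS m ON m.Pseudonym = o.Pseudonym;
```

An aggregate computed over very few rows can still point to a single person, so the view counts as anonymized only when each group is large enough.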
