We know that not all the data in our company is important. We have databases that contain orders or inventory or schedules, often much of which isn’t easily or directly related to an individual. At least, it’s not if you have a normalized database. If you use SQL Server to emulate Excel spreadsheets, it’s possible that most of the rows of information in your system contain sensitive data.
In some systems, there is definitely some data that is sensitive and needs more care than other data. We know this, and with legislation like the GDPR, we must protect this data. We also need to ensure we know where this data is, and having a good data catalog is important. This is something that few of us have, though I expect this to be a more regular part of our job as data professionals. SQL Server is building data classification into the product, which I am happy to see.
When data is sensitive, we need to treat it carefully, even if we don’t like the content of the data. Recently there was a data breach from B&Q, a home improvement retailer in the UK, where 70,000 names were lost. These weren’t customers, but rather people that had been caught stealing from the stores. Perhaps this was an honest mistake, on a data store with poor security. Perhaps no one thought this data needed security because these were criminals, or suspected criminals. Even if these were individuals that might be prosecuted by the company, their data still deserves the same protection as any other person’s data.
I don’t know what the fallout will be from this breach, and certainly most people would have little sympathy for criminals, but who knows just how accurate the data might be. I certainly think this is a situation where there is a high likelihood of legal action against the company if the proper GDPR notifications were not followed. Wouldn’t that insult to injury? People caught or suspected of theft suing you because you leaked their personal information. I could certainly see management getting extra upset and terminating someone that forgot to secure these systems.