GDPR Compliance for Snowflake – All You Need to Know

Today organizations collect and analyze vast volumes of data to find business insights and drive higher productivity and revenues. With 4,500+ active customers, Snowflake has become one of the leading cloud data platforms in the world. When using Snowflake, organizations need to ensure that sensitive data in Snowflake is protected from unauthorized access.

What is Sensitive Data under the GDPR?

Sensitive data is a specific set of personal data that requires additional protection compared to other types of personal data. This is because the breach of sensitive personal data can have severe detrimental effects on data subjects (customers, users, etc.). For example, patient medical records are considered sensitive data under the GDPR. If these medical records are compromised in a data breach, it could seriously affect the data subjects’ health and well-being.

Learn more about What is Sensitive Data & How to Determine it here.

Under the General Data Protection Regulation (GDPR), data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data, data concerning health are treated as sensitive personal data. The collection and processing of sensitive personal data are allowed only on limited legal grounds. The GDPR imposes several legal requirements on organizations for the protection of personal data too.

Addressing these data obligations with traditional, manual, and static methods is challenging when large volumes are present in data warehouses. To ensure all data obligations associated with sensitive data are met, organizations should consider autonomous techniques for sensitive data intelligence, governance, security, and privacy in their data warehouses such as Snowflake.

Sensitive Data Intelligence - Discover & Classify Sensitive Data in Snowflake at Petabyte Scale

With Securiti, organizations can discover sensitive data to find hundreds of sensitive data elements within Snowflake. Moreover, admins can target specific sensitive data elements such as name, email, phone number, social security number, national ID numbers, and hundreds more. Organizations can even add custom data elements that can discover sensitive data specific to a particular customer or business environment.

Learn more about Sensitive Data Discovery Scanning for the Snowflake Data Cloud.

In GDPR, personal data is any information relating to an identified or identifiable natural person - anything that can help identify an individual, such as first and last names, birth dates, religious beliefs, data concerning health, or financial data. You can learn more about the categories and types of personal data in GDPR here.

Securiti is purpose-built to help organizations meet GDPR compliance when using Snowflake by detecting hundreds of GDPR specific sensitive data elements in structured and unstructured columns within Snowflake.

Privacy Obligations under GDPR

According to the GDPR, both the data controller and processor are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, sensitivity level, and impact on individuals. Organizations must conduct a risk assessment, evaluating risks inherent in the processing when deciding on implementing security controls and whether or not they are appropriate for any particular data processing activity.

These security measures may include the following:

• The pseudonymization and encryption of personal data;
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Additional privacy obligations under the GDPR:

• Maintain records of data processing activities (RoPA Reports) (Art. 30)
• Conduct Data Processing Impact Assessments for high-risk data processing activities (Art. 35)
• Implement Breach Management and notification processes (Art. 33 and 34)
• Leverage contractual agreements with third parties for the protection of transferred data (Art. 28)
• Comply with Cross-border Data Transfer requirements (Art. 44-50)
• Fulfill Data Subjects’ Rights (Art. 12-23)

How does Securiti help address Privacy Obligations for GDPR

Discovery and insights into sensitive data is a foundational step to GDPR compliance. As mentioned earlier, several other privacy obligations need to be addressed. Securiti can help assist organizations in complying with these GDPR requirements.

Remediate Security Misconfigurations Automatically:

Securiti monitors security misconfigurations in the Snowflake instance and sets policies that automatically remediate them. For example, Snowflake administrators can discover and enable multi-factor authentication for all users.

In addition to auto-remediation, Snowflake administrators can notify data system owners via email or a service ticket. Admins can track policy violations via owner assignment to ensure any security risks are reviewed and appropriately addressed.

Data Access Governance

Snowflake administrators may be tasked with sharing data sets internally or externally with third-party data processors. For example, when sharing data that contains debit/credit card numbers, Securiti can discover credit card data and mask critical information like credit card numbers, CVC code, date of expiry, etc.

Privacy Solutions for GDPR Compliance

Securiti has several other privacy solutions to build Data Maps, fulfill DSR Rights, meet Breach Notification Requirements, manage User & Cookie Consent, and Assess Internal or Vendor Privacy postures. All of these solutions can help ensure complete GDPR compliance. Find out more by visiting our GDPR Privacy Solutions page.

Conclusion

Snowflake has become a market leader for data processing and analytics, with thousands of customers worldwide. Unfortunately, large data sets that are stored and processed in the Snowflake Data Cloud are susceptible to cyber-attacks because they might contain valuable, sensitive personal information. Securiti for Snowflake can help organizations discover sensitive personal data using powerful automation. The solution also helps organizations implement the proper controls to protect sensitive personal data in the Snowflake Data Cloud with autonomous data intelligence, governance, protection, and privacy.