It’s a senior leadership team’s worst nightmare — a breach of customer data where sensitive information is leaked onto the web or ends up in the hands of hackers and scammers. We’ve seen this story play out too many times over recent years.

The databases sitting at the heart of your business are likely feeding numerous applications to deliver services to your employees, customers, and partners. New Zealand's new beefed-up Privacy Act, which came into force on December 1, 2020, creates a good opportunity to review your database security and privacy measures.

The good news is that many organisations are running Microsoft SQL Server databases. As one of the world’s most popular database platforms, SQL Server comes with some excellent built-in security features as well as compliance management tools you can take advantage of.

Database managers and senior business leaders still need to consider their responsibilities under the new Act, but at least you've got a head start in terms of the tools you need.

The main Privacy Act changes boil down to the following:

  • Notifiable privacy breaches: If your organisation has a data breach that you think could "cause serious harm", it is mandatory that you report it to the Office of the Privacy Commissioner and affected individuals as soon as possible. It is an offence under the Act not to do so, and liability sits with the organisation, not individual employees.
  • Compliance notices: The Privacy Commissioner can now order an organisation to take action to bring its activities in line with the Act. Those actions will be outlined in a compliance notice drawn up by the Privacy Commissioner’s office.
  • Enforceable access directions: The Privacy Commissioner can now order an organisation to provide individuals access to their personal information. Data should be easily accessible and processes should be in place that allow for its timely retrieval.
  • This all applies overseas too: The Act explicitly includes “extraterritorial effect”, meaning any overseas company operating in New Zealand is subject to the Act’s privacy obligations. If you're sending data overseas, you also need to make sure the jurisdiction where the data will reside has similar privacy protections to those outlined in the Privacy Act.
  • New criminal offences: Finally, there are stiffer penalties for non-compliance with the Act. Data handlers can face a fine of up to NZ$10,000 for non-compliance.

While the fine may seem trifling when compared with the European Union's regime, that's not really the point of the Act or your compliance with it. If you're being fined, it's for avoiding the obvious need to take care of personal information, and the risk is more about reputation than financial penalty. But if that's not enough, the Privacy Commissioner can also refer breaches to the Human Rights Tribunal, where cases can attract much higher fines.

Eight tips to help keep your SQL Server secure

  1. Isolate the database production server where possible
  2. Limit unused SQL Server functionality
  3. Use strong admin passwords
  4. Apply all available updates and patches
  5. Regularly audit database logins
  6. Use available tools to prevent malicious code injections
  7. Operate regular, secure data backups
  8. Tightly control permissions
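
As a starting point for tips 2, 3, 4, 5 and 8, the read-only T-SQL below reports the current state of an instance using SQL Server's catalog views. It is an added example, not Datacom's own tooling; it assumes a login with enough rights to read `sys.sql_logins` password hashes (for example a sysadmin), and the list of features treated as "unused" is an assumption to adjust for your environment.

```sql
-- Tip 4: build and patch level, to compare against the latest released update.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level;  -- NULL on older builds

-- Tip 2: optional features that are switched on (assumed list; keep only what you need).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries', N'clr enabled',
               N'Database Mail XPs', N'remote access')
  AND CAST(value_in_use AS int) = 1;

-- Tip 3: state of the built-in sa account (its SID is always 0x01, even if renamed).
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- Tip 3: enabled SQL logins that bypass password policy or expiry, or have a blank password.
SELECT name, is_policy_checked, is_expiration_checked,
       PWDCOMPARE(N'', password_hash) AS has_blank_password
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0
       OR is_expiration_checked = 0
       OR PWDCOMPARE(N'', password_hash) = 1);

-- Tip 5: every enabled login, most recently changed first, for periodic review.
SELECT name, type_desc, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND is_disabled = 0
ORDER BY modify_date DESC;

-- Tip 8: who holds sysadmin, the role that bypasses all permission checks.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

Any row returned by the second and fourth queries, and any unexpected name in the last one, is worth following up.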

How Datacom can help

These are all pretty straightforward steps to take to ensure you're not caught out by anyone trying to access private information. For a more thorough look at your database management systems and what else you can do to protect your data, let us know. At Datacom, we understand Microsoft SQL databases inside out and can advise you on your database environment, help you migrate your existing database infrastructure to the cloud, and assist you in navigating the complex world of database licensing.

We offer a simple managed service, providing ongoing support and maintenance of your databases and licensing so you can focus on your core business.

Get in touch to find out how your business can utilise Microsoft SQL Server with Datacom’s database management solution.

Anna is a SQL database administrator based in Wellington. Responsible for over 50 production databases, Anna is an expert on security and data protection for SQL databases.
