The General Data Protections Regulation (GDPR) that intends to protect the data of citizens within the EU, was finally approved in 2016 and the transition period ends on May 25^th, 2018. As of this date, fines could be imposed upon organisations failing to observe this legislation.

See more information about GDPR regulation here:

https://www.eugdpr.org/the-regulation.html

Article 5 of the regulation enumerates the key principles:

• Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
• Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Accountability: The controller shall be responsible for, and be able to demonstrate compliance with the GDPR.

In order to comply with Articles 25, 32 and 34, organisations need to be able to protect Personal Data by applying security patterns including pseudonymisation, anonymization and encryption. According to Articles 33 and 34, one must be able to notify the supervisory authority as to the type of data subjects and how many personal data records are impacted in case of a breach; and to notify the affected data subjects (except if appropriate security measures have been applied which will prevent from any reidentification).

SAS Federation Server helps on this matter by proposing these features:

• a central location for the setup and maintenance of connections to data​,
• creation of data views from disparate data sources without moving the source data using SAS Federation SQL (FedSQL)​,
• data abstraction layer to provide a consistent data model with access control, data masking, and security to the end user​,
• SQL logging and monitoring of user activity for every query that a user makes against a data source.

SAS Federation Server creates a virtual environment that provides a secure, business-centric view of your data. This not only provides better performance and easier access to business information, but also a greater degree of control over data access, – leading to higher levels of information security.

See the SAS Federation Server fact sheet here:

https://www.sas.com/content/dam/SAS/en_us/doc/factsheet/sas-federation-server-105943.pdf

In this series of articles, we will describe how SAS Federation Server can be used to ensure compliance with GDPR regulation. We will first discuss SAS Federation Server security; how data is protected against unauthorized access, and how data transference is guaranteed by secure transmission lines. In the second part, we will review the SAS Federation Server masking function and how it can be used for pseudonymisation, anonymization and encryption. We will then explore the functions that help extract and identify Personal data, and finally demonstrate the logging facility.