GDPR for the Robot – dealing with sensitive data
Personal data protection is one of the most important topic in business processes development. Automation tools have mechanisms to ensure data encryption. There are a few issues to consider when designing RPA solutions.
This post will address three topics:
- Queue encryption
- Storing logs options
- Database encryption
Queue encryption can be enabled/disabled in the Settings/Workflows/Work Queues tab. The Encrypted checkbox is used for this. You can change this option at any time, even if you already have items saved in the queue.
Data saved into the queue before checking Encryped will not be encrypted. Encryption works for new queue items from the moment the checkbox is selected.
Only data placed in Item Data are encrypted. Blue Prism does not provide the ability to encrypt tags, logs or error messages.
Storing logs options
For each operation Blue Prism gives the ability to enable/disable logs or log only errors.
In addition, there is an option not to log a parameter. We should consider it if the parameter contains personal data. The error analysis process will be quite difficult then.
The solution that allows to save personal data in the database (in logs, tags or error messages) can be the feature of the Microsoft SQL Server called Transparent Data Encryption (TDE). It is available from version 2008 in the Evaluation, Developer, Enterprise and Datacenter editions. Enabling this option does not require any changes to the code of existing applications. Decryption takes place when the data are loaded into memory.
Run the script below to enable TDE (source):
USE master; GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Password>'; go CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate'; go USE BluePrismDatabase; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE MyServerCert; GO ALTER DATABASE BluePrismDatabase SET ENCRYPTION ON; GO
To create a backup:
USE master; BACKUP MASTER KEY TO FILE = 'c:\temp\exportedmasterkey' ENCRYPTION BY PASSWORD = '<Password>'; GO BACKUP CERTIFICATE MyServerCert TO FILE = 'c:\temp\MyServerCert' GO
Each company may have its own data collection and processing guidelines. This must be taken into account when designing IT solutions. Intranet software may have different data protection requirements than a publicly available website. If you work with sensitive data, I suggest contacting the person responsible for data security in your company.