Hi Antonio,

I don't know the UK regulations about GDPR, but I know the Spanish ones, and on this subject both countries apply the European regulation, so I think they must be quite similar. The Spanish data protection regulations define three security levels for personal data, according to its degree of sensitivity. Each level requires different means of protection. As far as I remember, at the highest level you are not required to encrypt the data stored on the server. You are required to encrypt data stored on removable media that will be transported elsewhere (i.e. to send data, or to keep backup copies off-site); this concerns the backup software, not the application or the databases. Of course you are required to cipher your communication with the browser, with HTTPS. Another requirement is to track every change of the high-security-level data (previous value, updated value, access date, who accessed it), but you can do that easily with the framework, with oncreation functions, for example.
Personal data protection involves formal measures (like getting explicit consent to record the information) and technical measures. Another difficult issue is the IT service providers (i.e. hosting). If you use a hosting service, you need specific contract clauses to address the personal data issue. And you can't put the data anywhere: it must be in a European country, or a country with an equivalent level of regulation (see this link: https://www.theguardian.com/technology/2015/oct/06/safe-harbour-european-court-declare-invalid-data-protection).

With regard to the article:

*In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.*

I think that they are speaking about losing removable unciphered media. If there is a data loss in your premises, there is no risk of disclosing personal data, just of losing personal information, which is also punished by that regulation.

*The study revealed that 34% of web pages of FT30 firms that collect PII are doing so insecurely, 29% are not using encryption, 3.5% are using vulnerable encryption algorithms, and 1.5% have expired security certificates.*

This may be related to the communications. If you use HTTPS I think that you are safe. I suggest you have a look at the personal data protection regulations, because the newspapers are an incomplete source, at best.
And if you still need to cipher the data at the server, there is a long post here <https://groups.google.com/forum/#!searchin/web2py/filter_in$20encryption%7Csort:relevance/web2py/uGFQD0PBefQ/GJ0kdGoTHigJ> about this subject, with this example:

    db.define_table('contact',
        Field('user_id', db.auth_user, default=auth.user_id, readable=False, writable=False),
        Field('email', label='Contact email'),
        Field('phone', label='Contact phone'))
    db.contact.email.requires = [IS_EMAIL(error_message="Wrong email address")]
    db.contact.phone.requires = [IS_LENGTH(maxsize=30, error_message="Bit too long, right?")]
    # w2p_encrypt / w2p_decrypt are the helpers defined in the thread linked above
    db.contact.email.filter_in = lambda value: w2p_encrypt(value)    # applied before the value is written
    db.contact.phone.filter_in = lambda value: w2p_encrypt(value)
    db.contact.email.filter_out = lambda value: w2p_decrypt(value)   # applied when the value is read back
    db.contact.phone.filter_out = lambda value: w2p_decrypt(value)

Good luck and best regards.

On Thursday, 1 June 2017, 12:40:15 (UTC+2), Ramos wrote:
>
> I have 3 apps where I need to address this issue...
>
> http://www.computerweekly.com/news/450419960/Top-UK-firms-websites-violate-key-GDPR-principle?utm_medium=EM&asrc=EM_EDA_77932701&utm_campaign=20170601_Top%20UK%20firms%E2%80%99%20websites%20violate%20key%20GDPR%20principle&utm_source=EDA
>
> Regards
> António

--
You received this message because you are subscribed to the Google Groups "web2py-users" group.
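The filter_in / filter_out pattern in the model above, worked through as an added example that is not code from the thread or from web2py itself. The w2p_encrypt / w2p_decrypt helpers of the linked post are not reproduced; instead the two filters wrap a small encrypt-then-MAC scheme built only from the standard library (HMAC-SHA256 as a PRF in counter mode for confidentiality, plus an HMAC-SHA256 tag over nonce and ciphertext) so the example runs offline. make_field_filters, encrypt_value, decrypt_value and the key handling are assumptions of this example; in a deployment the two cipher functions would be swapped for a vetted AEAD (AES-GCM or Fernet from a maintained library) and the filters left unchanged.

```python
"""Transparent field encryption in the shape of web2py's filter_in / filter_out."""
import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master_key: bytes, purpose: bytes) -> bytes:
    # Derive distinct encryption and MAC keys from one master key so the
    # same bytes are never used for both purposes.
    return hmac.new(master_key, b"field-filter:" + purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i).
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_value(master_key: bytes, plaintext: str) -> str:
    """Return a URL-safe base64 token: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per value, so equal plaintexts differ
    data = plaintext.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode("ascii")


def decrypt_value(master_key: bytes, token: str) -> str:
    """Verify the tag first, then decrypt; raise ValueError on any tampering."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError) as exc:
        raise ValueError("stored value is not a valid token") from exc
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("stored value is too short to be a token")
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("stored value failed authentication")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8")


def make_field_filters(master_key: bytes):
    """Build the (filter_in, filter_out) pair to assign to a DAL Field.

    web2py hands filter_in the Python value about to be stored and filter_out
    the raw value read from the database. An empty field arrives as None and
    must stay None, so the column keeps a real NULL instead of an encrypted
    empty string.
    """
    def filter_in(value):
        return None if value is None else encrypt_value(master_key, value)

    def filter_out(value):
        return None if value is None else decrypt_value(master_key, value)

    return filter_in, filter_out


if __name__ == "__main__":
    # In a model file the wiring per sensitive column would be:
    #   db.contact.email.filter_in, db.contact.email.filter_out = make_field_filters(KEY)
    # KEY must come from outside the database (environment, secrets manager),
    # never from a row in the same database it protects.
    key = secrets.token_bytes(32)
    filter_in, filter_out = make_field_filters(key)
    stored = filter_in("alice@example.com")  # constructed sample value
    print("stored:", stored)
    print("read back:", filter_out(stored))
```

Because the nonce is random per write, two rows holding the same e-mail address get different ciphertexts, which also means the column can no longer be searched or indexed by value; that is the trade-off the linked thread is about, and it is why the validators (IS_EMAIL, IS_LENGTH) still run on the plaintext before filter_in is applied.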
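The change-tracking requirement mentioned at the top of the reply (previous value, updated value, date, who did it), as an added example that is not from the thread. It uses sqlite3 in memory and plain SQL so it runs stand-alone; in a web2py application the same logic would hang off the table's _before_update / _after_update callbacks in the model file. The table and column names, and the audited_update / history helpers, are constructed for this example.

```python
"""Audit trail for updates to high-sensitivity personal data."""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE contact (
    id    INTEGER PRIMARY KEY,
    email TEXT,
    phone TEXT
);
CREATE TABLE contact_audit (
    id         INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contact(id),
    field      TEXT    NOT NULL,
    old_value  TEXT,
    new_value  TEXT,
    changed_at TEXT    NOT NULL,
    changed_by TEXT    NOT NULL
);
"""

# Only these columns may be updated through audited_update(); the allow-list is
# what makes interpolating the column name into the UPDATE statement safe.
AUDITED_FIELDS = ("email", "phone")


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def add_contact(conn, contact_id: int, email: str, phone: str) -> None:
    with conn:
        conn.execute("INSERT INTO contact (id, email, phone) VALUES (?, ?, ?)",
                     (contact_id, email, phone))


def audited_update(conn, contact_id: int, changes: dict, actor: str, now: datetime = None) -> list:
    """Apply `changes` to one contact and write one audit row per field that
    actually changed. Returns the names of the fields written.

    Reading the previous values, the UPDATE and the audit INSERTs run in one
    transaction, so a failure leaves neither a change without its audit row
    nor an audit row without its change.
    """
    unknown = set(changes) - set(AUDITED_FIELDS)
    if unknown:
        raise ValueError("not an auditable field: %s" % ", ".join(sorted(unknown)))
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    written = []
    with conn:  # commits on normal exit, rolls back if anything below raises
        row = conn.execute("SELECT * FROM contact WHERE id = ?", (contact_id,)).fetchone()
        if row is None:
            raise LookupError("no contact with id %d" % contact_id)
        for field, new_value in changes.items():
            old_value = row[field]
            if old_value == new_value:
                continue  # nothing changed: no update, no audit noise
            conn.execute("UPDATE contact SET %s = ? WHERE id = ?" % field, (new_value, contact_id))
            conn.execute(
                "INSERT INTO contact_audit (contact_id, field, old_value, new_value, changed_at, changed_by) "
                "VALUES (?, ?, ?, ?, ?, ?)",
                (contact_id, field, old_value, new_value, stamp, actor),
            )
            written.append(field)
    return written


def history(conn, contact_id: int) -> list:
    """Return the audit trail of one contact, oldest change first."""
    rows = conn.execute(
        "SELECT field, old_value, new_value, changed_at, changed_by "
        "FROM contact_audit WHERE contact_id = ? ORDER BY id",
        (contact_id,),
    )
    return [dict(r) for r in rows]


if __name__ == "__main__":
    db = open_db()
    add_contact(db, 1, "old@example.com", "111")  # constructed sample row
    audited_update(db, 1, {"email": "new@example.com"}, actor="admin@example.com")
    for entry in history(db, 1):
        print(entry)
```

If the columns are also encrypted with filter_in as in the model above, the audit table must store the same encrypted form (or be encrypted itself), otherwise the audit trail becomes the plaintext copy of exactly the data the column encryption was meant to protect.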

