GDPR for Storage

Type: Explanation
Created:
Team: Security
Status: draft

Where the storage rules live

Technically, the whole regulation can apply to data you hold, but most of the GDPR is about other things (data-subject rights, regulators, transfers, penalties). The parts that bear directly on storing data in your databases are concentrated in two chapters.

Chapter 2: principles for how you hold data

Chapter 2 (Principles) sets the rules for how you are allowed to hold data:

  • Article 5 — the core principles, especially storage limitation (don't keep it forever) and integrity and confidentiality (keep it secure).
  • Article 6 — you need a lawful basis to hold it at all.
  • Article 9 — extra conditions if you store sensitive ("special category") data.

Chapter 4: operational obligations

Chapter 4 (Controller and Processor) covers the operational and security obligations that fall on you:

  • Article 25 — privacy by design and by default (build protection into the schema and system).
  • Article 28 — rules for processors (for example, your cloud host) and the contracts you need with them.
  • Article 30 — keeping records of your processing activities.
  • Article 32 — security of processing. This is the encryption, access-control, and backup article.
  • Articles 33–34 — what to do if the stored data is breached.

The parts that matter most

Tip: For "we have data sitting in a database", the single most relevant parts are Article 5, Article 32, and Article 25.

Other parts worth knowing

Two honorable mentions sit outside these two chapters:

  • Chapter 3 (Articles 12–23) — stored data must be retrievable and deletable on request (the rights of access and erasure).
  • Chapter 5 (Articles 44–50) — matters if your database lives in a region outside the EU.

Narrowing to encryption

Encryption is explicitly named in only three places in the GDPR articles — everything else merely implies it. The subset that specifically addresses encryption is:

Chapter 4 (Controller and Processor)

  • Article 32(1)(a) — security of processing. Lists "the pseudonymisation and encryption of personal data" as an example security measure. This is the main one.
  • Article 34(3)(a) — breach notification to individuals. You are exempt from notifying affected people if the breached data was rendered unintelligible — for example, encrypted. This is the "encryption as a liability shield" article.

Chapter 2 (Principles)

  • Article 6(4)(e) — when judging whether reusing data for a new purpose is compatible, the existence of safeguards "which may include encryption or pseudonymisation" counts in your favour.

Tip: If you only want the two that matter for "we encrypt data at rest in our database", they are Article 32(1)(a) (why you encrypt) and Article 34(3)(a) (the payoff if you are ever breached).