Providing IT services means making data available to groups or individuals solely so that they can consult or manage it. The GDPR (General Data Protection Regulation) introduces the concept of responsibility for data processing on the part of the companies that store data and make it available for different processing purposes. There are several important moments in the life of data, among them its storage, its copying for backup purposes, and its use. For the first two, containment is fairly intuitive: encrypted databases, encrypted backup copies, encrypted storage. But when the programs that provide the services have to use the data, it must necessarily be handled in unencrypted form in order to be consulted and managed.
Application services that lack authorization controls on the individual functions that access data negate all encryption measures applied to mass storage media, because those functions access the data unencrypted.
Control, security and timeliness in identifying vulnerabilities that can export data without control is one of the areas that most needs to be developed, in order to avoid unauthorized consultation of databases or, worse, the theft of whole data sets through the exploitation of application vulnerabilities.