How to Achieve GDPR Compliance in Snowflake

How do I ensure GDPR compliance when storing personal data in Snowflake?

Use Snowflake’s security, governance, and data-management features to store, process, and delete EU personal data in accordance with GDPR.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

Why should I care about GDPR in Snowflake?

EU GDPR fines can reach 4% of global revenue. Using Snowflake correctly helps you avoid penalties by ensuring personal data is protected, audited, and erasable on request.

Which Snowflake features address GDPR?

Key tools are Dynamic Data Masking, Row Access Policies, Time Travel & Fail-safe controls, classification tags, external tokenization, and permanent data deletion with TRUNCATE or DROP.

How do I find personal data quickly?

Snowflake’s CLASSIFY function scans column contents and assigns tags like PII.Combine results with the ACCOUNT_USAGE.COLUMNS view to inventory sensitive fields.

How do I mask personal data at query time?

Create a MASKING POLICY that replaces sensitive values for non-privileged roles, then attach it to the column. Roles with the UNMASK privilege see full data; others see obfuscated text.

How do I restrict row-level access by region?

Create a ROW ACCESS POLICY filtering rows to EU analysts only. Attach it to any table containing personal data.Policies cascade to all queries, BI tools, and data shares.

How do I honor the “right to be forgotten”?

Locate rows via customer_id, execute DELETE, then run ALTER TABLE … DROP PARTITION or CREATE TABLE … AS SELECT to rewrite micro-partitions. Finally, reduce Time Travel retention to 0 and disable Fail-safe if immediate purge is required.

How do I audit GDPR controls?

Query ACCOUNT_USAGE.POLICY_REFERENCES, ACCESS_HISTORY, and LOGIN_HISTORY.Store results in a secure schema and schedule alerts for policy changes or failed logins.

Best practices for GDPR in Snowflake

Use classification tags on every PII column, apply least-privilege roles, automate data subject request workflows, and document retention schedules in a governance schema.

Why How to Achieve GDPR Compliance in Snowflake is important

How to Achieve GDPR Compliance in Snowflake Example Usage


-- Mask email, restrict EU data, and audit access
SELECT c.id,
       c.name,
       c.email,      -- masked for non-privileged roles
       o.total_amount
FROM   Customers c
JOIN   Orders o ON o.customer_id = c.id
WHERE  c.country = 'EU'
  AND  o.order_date >= '2024-01-01';

How to Achieve GDPR Compliance in Snowflake Syntax


-- 1. Create masking policy for email
CREATE OR REPLACE MASKING POLICY pii_email_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('GDPR_DPO', 'DATA_ENGINEER') THEN val
    ELSE CONCAT('***', RIGHT(val, 10))
  END;

-- 2. Apply policy to Customers.email
ALTER TABLE Customers
  ALTER COLUMN email
  SET MASKING POLICY pii_email_mask;

-- 3. Row-level policy limiting EU rows to GDPR_EU_ANALYSTS role
CREATE OR REPLACE ROW ACCESS POLICY eu_only AS (country STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() = 'GDPR_EU_ANALYSTS' AND country = 'EU';
ALTER TABLE Customers
  ADD ROW ACCESS POLICY eu_only ON (country);

-- 4. Delete customer data permanently
DELETE FROM Customers WHERE id = 42;
ALTER TABLE Customers SET DATA_RETENTION_TIME_IN_DAYS = 0;
ALTER DATABASE SET FAILSAFE = OFF;

Common Mistakes

Mistake: Relying solely on Time Travel to delete data. Why wrong: Time Travel retains deleted rows up to 90 days, violating the right to be forgotten. Fix: Lower DATA_RETENTION_TIME_IN_DAYS to 0 and disable Fail-safe before deletion.
Mistake: Applying masking policies but granting UNMASK to all analysts. Why wrong: Privileged roles bypass masking, exposing PII. Fix: Grant UNMASK only to Data Protection Officers and use separate read-only roles for analysts.