Data privacy was addressed early on, even before the internet era. There has never been a lack of legislation. The problem is that the legislation has not been very effective at preventing data breaches or at enforcing the rights of individuals against companies or governments.
A bit of history shows how the US and Europe have diverged in their approach to data privacy.
In the US, legislation pays greater attention to not obstructing companies in doing their business. This is probably why US legislation is made up of several different pieces of law. Data privacy is maintained under a sort of patchwork that often allows companies and government agencies to work around limits and take advantage of exceptions.
In Europe, more attention is paid to the rights of individuals, notwithstanding the businesses' need for data. The main law was defined by a Data Privacy Directive that set out a number of principles. Now the GDPR is a directly applicable law that from the 25th of May will be the main umbrella protecting individuals and their data.
The GDPR contains and better defines the existing protections, and it enforces the right of individuals to claim respect for these rights in a legal dispute. It is not a technical document. It does not innovate much in terms of techniques to avoid data breaches. In fact, it treats data breaches as something possible. Data breaches will happen. What will make the difference is whether your company is compliant with the law when a data breach has happened.
How can a company be compliant with GDPR?
Appoint a Data Protection Officer who will be responsible for enforcing respect of the law.
Define a strategy to handle the cases where an individual claims their rights.
The Right to Erasure (Art. 17)
It entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
The Right to Data Portability (Art. 20)
You have the right to receive your personal data from an organization in a commonly used form, so that you can easily share it with another.
The Right to Restriction of Processing (Art. 18)
Unless it is necessary by law or by a contract, decisions affecting you cannot be made solely on the basis of automated processing.
In my words, use this right if you want to avoid being tagged on Facebook 😉
Your organizational GDPR strategies
- If your company has >= 250 employees or works with sensitive data, appoint a Data Protection Officer who will be responsible for ensuring that the obligations under the GDPR are met
- Set a plan for each of the new rights that the GDPR enforces
Software Strategies to comply with GDPR
…in case you are working with immutable events
- One stream per entity
- Set retention period when possible
- Provide a single view of the data
Always try to keep:
- a map of where the personal data are stored
Encrypt the data related to a particular person with a symmetric key.
Delete the key when the person claims the Right to be Forgotten.
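The two steps above (encrypt each person's data with its own symmetric key, then destroy the key on erasure, often called crypto-shredding), as an added example in Go that is not code from the original page or from any event store. It assumes one AES-256-GCM key per data subject held in a keyring kept apart from the immutable log; Keyring, Record, Seal, Open, Forget and ErrForgotten are names chosen here for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is an immutable event whose personal-data payload is stored only as
// AES-256-GCM ciphertext. (Constructed illustration type, not an event store's API.)
type Record struct {
	Subject    string // the person the data belongs to
	Nonce      []byte
	Ciphertext []byte
}

// ErrForgotten is returned once a subject's key has been destroyed.
var ErrForgotten = errors.New("key destroyed: personal data is unrecoverable")

// Keyring holds one symmetric key per data subject, kept apart from the
// immutable log so the key can be destroyed without rewriting history.
type Keyring struct {
	keys map[string][]byte
}

func NewKeyring() *Keyring { return &Keyring{keys: map[string][]byte{}} }

// aeadFor returns the subject's cipher, generating a fresh key on first use.
func (k *Keyring) aeadFor(subject string, create bool) (cipher.AEAD, error) {
	key, ok := k.keys[subject]
	if !ok {
		if !create {
			return nil, ErrForgotten
		}
		key = make([]byte, 32) // AES-256
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		k.keys[subject] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a subject's payload into a record that is safe to append to
// an immutable stream, back up, or project elsewhere.
func (k *Keyring) Seal(subject string, plaintext []byte) (Record, error) {
	aead, err := k.aeadFor(subject, true)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	// The subject id is bound as associated data, so a ciphertext relabelled
	// to another subject fails authentication instead of decrypting.
	ct := aead.Seal(nil, nonce, plaintext, []byte(subject))
	return Record{Subject: subject, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record; it fails with ErrForgotten once the key is gone.
func (k *Keyring) Open(r Record) ([]byte, error) {
	aead, err := k.aeadFor(r.Subject, false)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Subject))
}

// Forget serves the Right to be Forgotten: the key is zeroed and dropped, so
// every copy of the subject's ciphertext (stream, backups, projections)
// becomes unreadable at once while the event log itself stays untouched.
func (k *Keyring) Forget(subject string) {
	if key, ok := k.keys[subject]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(k.keys, subject)
	}
}
```

Zeroing the key slice is best-effort in a garbage-collected language (the cipher's expanded key schedule and other copies may linger in memory); in a production system the key would live in a KMS or HSM and erasure is the deletion of that key, with the log, its backups and any projections left as they are, since they hold only unreadable ciphertext.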
One stream per entity
Keep the data in well-defined, separate streams. Delete the related streams when the person claims the Right to be Forgotten.
Set a retention period on incoming streams
Items older than the $maxage are automatically removed from the data collection streams.
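The stream-level strategies above (one stream per entity, deleting the entity's stream on erasure, and a retention period in the spirit of $maxage), together with the JSON export that the Right to Data Portability asks for, as an added Go example that is not code from the original page or from any event store. Store, Append, Export, DeleteStream, Prune and Len are names chosen here, the sample events are constructed, and the retention check is a simple in-memory pass rather than a real store's background scavenging.

```go
package main

import (
	"encoding/json"
	"time"
)

// Event is one immutable record in an entity's stream.
// (Constructed illustration types, not an event store's own API.)
type Event struct {
	At   time.Time `json:"at"`
	Data string    `json:"data"`
}

// Store keeps one stream per entity, named after the entity (e.g. "customer-42"),
// so the stream names double as the map of where each person's data is stored.
type Store struct {
	streams map[string][]Event
	MaxAge  time.Duration // retention period applied by Prune, in the spirit of $maxage
}

func NewStore(maxAge time.Duration) *Store {
	return &Store{streams: map[string][]Event{}, MaxAge: maxAge}
}

// Append adds an event to the entity's own stream.
func (s *Store) Append(stream string, at time.Time, data string) {
	s.streams[stream] = append(s.streams[stream], Event{At: at, Data: data})
}

// Len reports how many events a stream still holds (0 once it is deleted).
func (s *Store) Len(stream string) int { return len(s.streams[stream]) }

// Export serves the Right to Data Portability: the entity's whole stream in a
// commonly used form (JSON), oldest event first.
func (s *Store) Export(stream string) ([]byte, error) {
	evs, ok := s.streams[stream]
	if !ok {
		evs = []Event{} // export an empty list, not null
	}
	return json.Marshal(evs)
}

// DeleteStream serves the Right to Erasure: because the entity has its own
// stream, removing its data is one operation that touches nobody else's events.
// It reports whether the stream existed.
func (s *Store) DeleteStream(stream string) bool {
	_, ok := s.streams[stream]
	delete(s.streams, stream)
	return ok
}

// Prune applies the retention period: events older than MaxAge at now are
// removed from every stream, and the number removed is returned.
func (s *Store) Prune(now time.Time) int {
	removed := 0
	for name, evs := range s.streams {
		kept := evs[:0] // filter in place, reusing the backing array
		for _, e := range evs {
			if now.Sub(e.At) > s.MaxAge {
				removed++
			} else {
				kept = append(kept, e)
			}
		}
		s.streams[name] = kept
	}
	return removed
}
```

Naming streams after the entity is what makes erasure cheap and auditable: the erasure request maps to one stream name, the deletion is a single operation, and the retention pass never needs to know which events are personal data because the stream's age policy applies to all of them.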