Achieving GDPR Compliance with YugabyteDB
Editor’s note: this is the second post in the series:
- Part 1: Achieving Compliance with YugabyteDB
- Part 2: Achieving GDPR Compliance with YugabyteDB (this post)
This is the second in a series of posts about how different compliance and regulatory frameworks work and how YugabyteDB can be an essential part of a company’s compliance efforts. This installment focuses on the EU’s General Data Protection Regulation (GDPR), and how YugabyteDB can be used by companies to enable compliance with certain key GDPR requirements.
GDPR is the world’s strongest data protection regime, treating privacy as a fundamental human right, and placing strict requirements on businesses to protect the personal data and privacy of EU citizens.
GDPR generally applies to (1) any organization operating in the EU, (2) any organization outside the EU that offers services or products to EU-based customers or businesses, and (3) any organization that monitors the online behavior of individuals in the EU.
GDPR has a broad definition of what constitutes personal data, and it can be summarized as anything that is related to an identified or identifiable person. That includes the more traditional identity information like name, address, email address, and photos; web data such as location, cookie data, IP address, and RFID tags; and more sensitive personal data like health, genetic and biometric data, personal background data, political opinions, and more.
“Full GDPR compliance” will always be a moving target given the complexity of the legislation and the frequent developments in the space (see the Schrems decision, for example, which invalidated the E.U.-U.S. Privacy Shield). Taking our lead from GDPR itself, we think about building a sustainable GDPR process that focuses on central principles or best practices and develops a compliance system from there. You can actually break down the GDPR requirements into data protection principle “buckets”: (1) lawfulness, (2) fairness and transparency, (3) purpose, (4) data minimization, (5) accuracy, (6) storage limitations, (7) security and accountability. You can break those buckets into separate sub-requirements, assess your own compliance, and then build out your IT systems and governance framework puzzle piece by piece until it is complete. As requirements change, you can track the missing puzzle pieces and replace them with compliant processes.
Everyone. The regulations are there to instill best practice within an organization for the care of data. Beyond that there are people who should be accountable for defining the processes and auditing that those processes are being complied with. These people should be C-Suite, and the role will often fall to a Chief Data Officer, CISO, CTO, and/or CIO depending on how the organization is structured. While these people are often technologists, they need to bring the business people along with them. In certain cases, the GDPR requires companies to appoint a Data Protection Officer responsible for the organization’s compliance with applicable data protection rules.
GDPR fines are designed to make non-compliance a costly mistake. For serious infringements that go against the principles of the right to privacy and the right to be forgotten, fines can reach the greater of €20M or 4% of the organization’s worldwide annual revenue from the prior fiscal year. For less serious violations, fines can reach the greater of €10M or 2% of the organization’s worldwide annual revenue from the prior fiscal year. The enforcement authorities can also impose other penalties for infringements, including criminal penalties for certain violations of GDPR. The data subjects themselves also retain the right to seek compensation from organizations that cause them damage as a result of a GDPR infringement.
GDPR is one of the first statutes to recognize privacy as a fundamental human right, codifying two well-known privacy principles: privacy by design and privacy by default. Privacy by design is the idea that organizations should treat privacy as a “first principle” when developing new products, services, and processes that involve the collection or processing of personal data. Privacy by default means that when an organization offers a system or service that lets a customer choose how much personal data to share, the default setting should be the one most protective of that person’s privacy. From a practical point of view, building these principles into the core of GDPR encourages organizational privacy hygiene. When customers entrust their data to an organization, the organization shows respect for that trust by using best practices in how it protects and processes that data. GDPR is simply the right thing to do. The damage to customer trust that can result from privacy breaches is immeasurable; therefore the benefits that come with compliance are immeasurable as well.
Given the severity of the fines, there is a cottage industry of tools and services that have been made available to help achieve compliance. There are some key GDPR requirements that have influenced our own database architecture, such as user consent and data location, data privacy and safety, right to be forgotten, and data access on demand. YugabyteDB enables our customers to comply with such requirements with features like geo-partitioning and replication, TLS encryption, and column-level security. Distributed Database Architecture for GDPR provides an in-depth look at how to design and deploy GDPR compliant data infrastructure.
One of the biggest mistakes organizations make is thinking they need to maintain discrete, separate deployments of data infrastructure in order to stay GDPR compliant. With the rise of distributed SQL systems like YugabyteDB, it is now much simpler to have a single system of record that spans geographies (and even clouds). This allows organizations to place nodes, tables, and rows of data in specific geographic locations without the additional overhead of maintaining multiple databases or a complex replication and data sharding strategy.
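The row-level placement described above is done in YugabyteDB's YSQL layer with tablespaces that carry a replica placement policy, plus a list-partitioned table whose partitions are pinned to those tablespaces. The following YSQL is an added example written for this post, not code from the Yugabyte documentation or from Narvar; the table, column, role and tablespace names, the cloud/region/zone strings, and the three-replica layout are all assumptions you would replace with your own topology.

```sql
-- Added example (YugabyteDB YSQL): keep EU residents' rows on EU-hosted replicas.
-- Tablespace whose replicas may only live in eu-central-1 (assumed AWS layout).
CREATE TABLESPACE eu_tablespace WITH (
  replica_placement = '{"num_replicas": 3, "placement_blocks": [
    {"cloud": "aws", "region": "eu-central-1", "zone": "eu-central-1a", "min_num_replicas": 1},
    {"cloud": "aws", "region": "eu-central-1", "zone": "eu-central-1b", "min_num_replicas": 1},
    {"cloud": "aws", "region": "eu-central-1", "zone": "eu-central-1c", "min_num_replicas": 1}
  ]}'
);

-- A second tablespace for non-EU customers (assumed US layout).
CREATE TABLESPACE us_tablespace WITH (
  replica_placement = '{"num_replicas": 3, "placement_blocks": [
    {"cloud": "aws", "region": "us-east-1", "zone": "us-east-1a", "min_num_replicas": 1},
    {"cloud": "aws", "region": "us-east-1", "zone": "us-east-1b", "min_num_replicas": 1},
    {"cloud": "aws", "region": "us-east-1", "zone": "us-east-1c", "min_num_replicas": 1}
  ]}'
);

-- One logical table; the residency column drives which partition (and tablespace) a row lands in.
CREATE TABLE customers (
  customer_id   UUID        NOT NULL,
  residency     VARCHAR(2)  NOT NULL,   -- 'EU' or 'US' (assumed coding)
  email         TEXT        NOT NULL,
  created_at    TIMESTAMPTZ NOT NULL DEFAULT now()
) PARTITION BY LIST (residency);

CREATE TABLE customers_eu PARTITION OF customers
  (customer_id, residency, email, created_at,
   PRIMARY KEY (customer_id HASH, residency))
  FOR VALUES IN ('EU') TABLESPACE eu_tablespace;

CREATE TABLE customers_us PARTITION OF customers
  (customer_id, residency, email, created_at,
   PRIMARY KEY (customer_id HASH, residency))
  FOR VALUES IN ('US') TABLESPACE us_tablespace;

-- Deliberately no DEFAULT partition: a row with an unknown residency code is
-- rejected instead of silently landing on replicas in an unvetted region.

-- Constructed sample rows.
INSERT INTO customers (customer_id, residency, email) VALUES
  (gen_random_uuid(), 'EU', 'anna@example.eu'),
  (gen_random_uuid(), 'US', 'bob@example.com');

-- Check: tableoid shows the physical partition each row was routed to.
SELECT tableoid::regclass AS partition, customer_id, residency
FROM customers
ORDER BY residency;
-- The 'EU' row reports customers_eu, the 'US' row reports customers_us.

-- Check: confirm which tablespace each partition is pinned to.
SELECT c.relname, t.spcname
FROM pg_class c
JOIN pg_tablespace t ON t.oid = c.reltablespace
WHERE c.relname IN ('customers_eu', 'customers_us');
```

The omission of a `DEFAULT` partition is the important design choice for a residency control: with one, an application bug that writes an unexpected residency code would still succeed, just into whichever tablespace the default partition belongs to. Failing the insert makes the mistake visible at write time rather than at audit time.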
YugabyteDB has helped companies, such as Narvar, serve the biggest names in ecommerce while staying GDPR compliant.
“Yugabyte helped Narvar avoid cloud lock-in, stay GDPR compliant and save money in the process,” said Ram Ravichandran, CTO, Narvar. “Partnering with Yugabyte helps us focus on our customers instead of worrying if our systems can keep pace with our rapidly growing business.”
It is important for organizations to treat GDPR requirements as components of the core data architecture. These include application-driven column-level encryption so that administrators cannot view sensitive data; encryption of data, both at rest and on the wire, with periodic key rotation; and multi-region, geo-distributed deployments of the database. In databases like YugabyteDB, many of these are built into the core design.
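Column-level security, mentioned earlier as one of the relevant YugabyteDB features, is the PostgreSQL-compatible column privilege model in YSQL: a role can be granted access to a subset of a table's columns rather than the whole row. The YSQL below is an added example for this post, not Yugabyte's or Narvar's code; the `customers` table, the `support_app` role, the column names, and the idea of storing an application-encrypted `email_enc` column are assumptions.

```sql
-- Added example (YugabyteDB YSQL): least-privilege column access for a support application.
CREATE TABLE customers (
  customer_id UUID        PRIMARY KEY,
  residency   VARCHAR(2)  NOT NULL,
  email_enc   BYTEA       NOT NULL,  -- ciphertext produced by the application before INSERT
  created_at  TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Application role for the support tool (no inherited table-wide rights).
CREATE ROLE support_app LOGIN;
REVOKE ALL ON customers FROM support_app;

-- Grant only the columns the tool needs; email_enc is not in the list.
GRANT SELECT (customer_id, residency, created_at) ON customers TO support_app;
GRANT UPDATE (residency) ON customers TO support_app;

-- Constructed sample row; the bytes stand in for ciphertext the application produced.
INSERT INTO customers (customer_id, residency, email_enc)
VALUES (gen_random_uuid(), 'EU', '\x00ff10ab'::bytea);

-- Check: what support_app can actually see on this table.
SELECT column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = 'support_app' AND table_name = 'customers'
ORDER BY column_name, privilege_type;
-- Lists customer_id/SELECT, created_at/SELECT, residency/SELECT, residency/UPDATE.

-- Check: run as support_app, a full-row read is refused while the permitted projection works.
SET ROLE support_app;
SELECT customer_id, residency FROM customers;   -- allowed
SELECT * FROM customers;                        -- ERROR: permission denied for table customers
RESET ROLE;
```

Column privileges bound what ordinary application roles can read, which is enough for the purpose-limitation and data-minimization principles. They do not bound a superuser or a database administrator, which is why the post pairs them with application-driven encryption: if `email_enc` is encrypted by the application with a key the database never holds, a privileged operator who bypasses the grant still sees only ciphertext.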