Database Requirements for Building GDPR-Compliant Apps
Categories: Security

The privacy of personal data has become increasingly important, and in the last few years data privacy regulations such as the GDPR have come into force and are actively enforced. GDPR stands for the General Data Protection Regulation: a comprehensive set of data privacy and protection rules that give individuals in the EU greater control over their personal data, and that apply to any organization, wherever it is based, that processes such data. The cost of non-compliance is high: fines can reach €20 million or 4% of annual worldwide turnover, whichever is higher. With such stakes involved, it is not surprising that the average Fortune 500 company spends about $16 million to attain GDPR compliance. The responsibility is shared across an organization, and a large part of it lands on the developers who collect, store, and transform user data.
So, what does the General Data Protection Regulation (GDPR) mean for developers?
As a developer, GDPR requires you to be more deliberate in building your app: more precise about which personal data you collect and how you use it, and more thorough in documenting both. GDPR defines several terms so that everyone involved is using the same language.
Data subject: Any living individual whose personal data is collected, held, or processed by an organization.
Data controller: The entity, for example the company that builds and operates the app, that determines why and how personal data is processed.
Data processor: Any entity, such as a payments provider, an email service, or a database-as-a-service vendor, that processes personal data on behalf of the controller.
GDPR strengthens the rights of data subjects in several ways; the table below summarizes each right and what it means for a database service.

| Right | How GDPR defines it | What it means for a database service |
|---|---|---|
| Data location and consent | Personal data may be transferred outside the EU/EEA only on a recognized legal basis, such as an adequacy decision or standard contractual clauses, or, as a derogation, with the data subject's explicit consent. | The service should let the controller pin data to a region, provide a mechanism for recording the data subject's consent where consent is the basis, and make it possible to tell data subjects when their data is transferred outside the EU. |
| Right to access | On request, controllers must confirm whether they are processing the subject's personal data and, if so, provide a copy of it together with the purposes of the processing and where it is held. | The service must let the controller locate every record tied to a data subject and export a copy of it on request. |
| Data portability | Data subjects can receive the personal data they provided to a controller in a structured, commonly used, machine-readable format and transmit it to another controller. | The service must allow a subject's data to be exported in an open format and imported elsewhere without lock-in. |
| Right to rectification | Data subjects can have the controller correct any inaccurate personal data it stores about them. | The service should provide an API through which the controller can correct a subject's stored records on request. |
| Right to erasure (right to be forgotten) | Data subjects can have the controller erase all of their personal data, stop distributing it, and have processors stop using it. | The service should provide an API that permanently deletes a subject's data, including replicas and backups, rather than merely hiding it. |
| Privacy by design | Controllers and processors must implement appropriate technical and organizational measures to protect the rights of data subjects. | The service must provide encryption in transit and at rest, data isolation between tenants, access control, and monitoring and audit logging. |
Building for ‘data location’ and ‘privacy by design’
When an organization uses a distributed database, the concern is that sensitive data replicates across geo-political boundaries and ends up in a region where it is not permitted to be. If that happens the controller is no longer GDPR compliant and risks heavy fines. A distributed database with privacy-aware placement controls lets the controller pin data to a particular region and be assured that it stays within the allowed geo-boundary, even with replication enabled.
Privacy by design
Privacy by design is a mindset that ensures data is protected from the moment the system is designed rather than bolted on afterwards. For a distributed database, here are a few key aspects to keep in mind:
- Connections between the application and the database must use TLS, with the client verifying the server's certificate, so that credentials and personal data cannot be read or tampered with in transit.
- Controllers are responsible for the GDPR compliance of every processor they use, so they should minimize the number of third-party processors that can access the data they store and have a data processing agreement with each one.
- Encryption at rest must cover both live data and backups, with the keys held separately from the storage (for example in a KMS or HSM). Done this way, an attacker who obtains the disks, or a discarded drive, gets only ciphertext; encryption whose key sits on the same volume protects nothing.
- Personal data breaches must be detected, and the supervisory authority notified within 72 hours of the controller becoming aware of one (Article 33); affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them (Article 34). Meeting those deadlines requires monitoring and audit logs good enough to detect a breach and to establish whose data was involved.
Operational checklist to stay GDPR compliant
Apart from database-level compliance, organizations must also take operational steps to stay GDPR compliant:
- Appoint a data protection officer where Article 37 requires one (public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data); it is good practice even where it is optional.
- Maintain up-to-date privacy notices so that data subjects always know how their data is being used.
- Establish a data breach response plan so you have a roadmap to follow when a breach occurs, including who notifies the supervisory authority within the 72-hour window. In a crisis this saves time and reduces mistakes.
- Hold only data that is relevant and limited to what is necessary for the purposes of running the business. Carry out regular audits and purge anything that is extraneous.
- Protect the full data inventory with a unified, secure system to prevent accidental or unlawful destruction, loss, alteration, or unauthorized access.
These are just a few of the critical items, but a complete digest of the applicable regulations, roles, and responsibilities can be found in the Official Journal of the European Union.
Start building today with Fauna
GDPR has forced organizations to rethink and redesign how data is stored and processed, so building a GDPR-compliant application calls for adequate planning and resources.
Fauna is a flexible, developer-friendly, transactional database delivered as a secure and scalable cloud API, giving you the data safety, security, and scalability needed to build a new business or modernize existing applications. It is ACID compliant and offers capabilities such as data temporality, streaming, and multi-tenancy. Connections are encrypted with TLS, and its distributed data residency controls let you keep data resident in the EU out of the box.