...

GDPR & Data Governance in Tech

Berta Vincze
January 18, 2024
Read: 5 min

The increasing focus on data protection and privacy in the digital age is a response to the rapid advancements in technology and the widespread collection, processing and sharing of personal information.

The General Data Protection Regulation (GDPR) is a comprehensive privacy regulation implemented by the European Union to protect the rights and privacy of individuals when it comes to the processing of their personal data.

Non-compliance with data protection regulations, such as GDPR, can lead to a range of significant consequences for organisations. One of the most immediate and severe consequences of non-compliance involves financial penalties. Besides the legal consequences, violating regulations may also lead to reputational damage and loss of customer trust in the organisation.

It is thus essential for organisations to proactively invest in robust data protection measures, including implementing privacy-by-design principles, conducting regular risk assessments and staying informed about evolving regulations.

Being proactive can help mitigate the risks associated with non-compliance and build a culture of responsible data handling within the organisation.

This article outlines some potential approaches to data governance and regulatory compliance.

Data protection challenges for tech companies

Data proliferation

With the rise of digital technologies and the increasing reliance on data-driven decision-making, tech companies often find themselves dealing with massive volumes of data. This data proliferation poses challenges in terms of storage, processing and effective management.

Another aspect to consider is the fragmentation of large volumes of data. The increasingly popular microservice architecture entails decentralised data storage, which further complicates the process of enforcing data management rules, as these may need to be applied across multiple databases.

International operations

Tech companies that operate globally might need to transfer data across borders. However, this poses challenges in terms of compliance with various data protection regulations, including GDPR.

Data innovation and privacy concerns

Data-driven product development is becoming increasingly important for organisations. However, balancing the drive for innovation with privacy concerns, especially in the context of GDPR, can be challenging.

These challenges highlight the importance for tech companies to embrace strong data governance practices. Key steps in addressing these challenges include implementing thorough data management strategies, ensuring alignment with international data protection laws, and fostering a culture that prioritises privacy.

Key components of effective data governance and GDPR solutions

  1. Data mapping and classification: Understanding the location and sensitivity of data is fundamental to effective data governance and GDPR compliance. This knowledge enables organisations to apply appropriate security measures and controls;
  2. Data access controls: Implementing Role-Based Access Controls (RBAC) ensures that individuals only have access to the data that is necessary for their roles, which reduces the risk of unauthorised access;
  3. Data encryption: Ideally, the data should be encrypted at rest (databases or other storage systems) as well as in transit (as it travels between devices, servers or networks). Encryption keys should be managed systematically to control access to the encrypted data;
  4. Data retention policies: There should be clear guidelines on how long different types of data should be retained based on legal, regulatory and business requirements. Implementing automated solutions will help enforce retention policies consistently.
  5. Data Protection Impact Assessments (DPIAs): These assessments can be broken down into two major steps:
    1. Risk assessment: Identifying and assessing the potential risks associated with data processing activities;
    2. Integration into the development lifecycle: Embedding DPIAs into the early stages of product or system development to proactively address privacy risks, and regularly reassessing the impact of data processing activities as projects evolve.

By implementing these measures, organisations can better protect sensitive information, comply with regulations and build a strong foundation for responsible data management within the company.

Use case: GDPR solution implemented on a distributed system

Let’s look at an example of a GDPR solution implemented on a system that utilises microservice architecture.

The aim of the project was to implement a fully automated solution for handling two categories of GDPR processes, allowing the customer to exercise their:

  • Right to Be Forgotten (RTBF);
  • Right to access their data, aka Subject Access Request (SAR).

The challenge

The primary challenge concerned the distribution of customer data across various microservice databases and a data warehouse. This called for the implementation of an asynchronous process to fulfil GDPR requests across all distinct storage locations.

The solution

To solve the challenge, we utilised event-based communication among the different microservices. A central orchestrator service was tasked with informing other services about an incoming GDPR request by writing to a dedicated event stream. Subsequently, the other services could retrieve the message from the stream to get the details of the request.

To ensure error-resistant handling of the events, a substantial portion of the logic, such as configuring consumers, producers and subscribing to the stream for event processing, was abstracted into a framework-like processor module. This module also included an interface with methods built to handle the requests. Therefore, any new service enrolling in the GDPR solution would simply need to use this module and incorporate custom logic for the deletion or retrieval of data stored within the service itself.

Data governance GDPR workflow

For audit trail purposes and to ensure the inclusion of all pertinent data, every active service needed to be registered with the central orchestrator service. This registration process was also facilitated through the processor module, which, once integrated into the service, would generate a distinct event upon startup, informing the orchestrator about the details of the registering service.

Enforcement of data retention policies was also built on top of these systems. In this case, automatic deletion of data was based on measuring customer activity. Leveraging the existing event-based communication system, a dedicated service would be able to collect events pertaining to customer activity, such as a recent login or a purchase being made.

If a customer had no such activity events within the agreed-upon retention period, the system would send a notification to the customer, warning them that an automatic deletion process would soon be triggered.

GDPR data retention flow

The above solution, coupled with practical application of the fundamental principles outlined in the previous section, is an example of an adaptable and innovative approach to meeting GDPR compliance requirements.

Where do you begin?

Naturally, as organisations navigate the complexities of data governance, they may encounter a myriad of challenges. Focusing on the core principles outlined in this article will not only help your organisation fulfil regulatory obligations, but also play a role in cultivating an environment of responsible and ethical data management.

At Infinite Lambda, we help organisations adopt cutting-edge technology and practices on the cloud. Security and regulatory compliance are top priorities for each project we have delivered. Head to the Case Studies section to explore our work.

If you are ready to take on the data challenge, drop us a line. We will guide you to the adoption of advanced data and AI capabilities with compliance at the core.

More on the topic

Everything we know, we are happy to share. Head to the blog to see how we leverage the tech.

Data diff validation in a blue green deployment: how to guide
Data Diff Validation in Blue-Green Deployments
During a blue-green deployment, there are discrepancies between environments that we need to address to ensure data integrity. This calls for an effective data diff...
January 31, 2024
Data masking on Snowflake using data contracts
Automated Data Masking on Snowflake Using Data Contracts
As digital data is growing exponentially, safeguarding sensitive information is more important than ever. Compliance with strict regulatory frameworks, such as the European Union’s General...
January 17, 2024
What AI is not: demystifying LLMs
Demystifying LLMs: What AI Is Not
Just a year ago, hardly anyone had heard of large language models (LLMs), the technology behind ChatGPT. Now, these models are everywhere, revolutionising the way...
January 11, 2024
Digital innovations in Ukraine
Top 9 Digital Innovations in Ukraine
Attention. Air raid alert. Proceed to the nearest shelter. Don’t be careless. Your overconfidence is your weakness. – Air raid alert app voice-over using the...
January 4, 2024
Doing business in Ukraine
Business in Ukraine: Recommendations for the Tech Sector
In December 2023, I made my first trip to Ukraine since Russia’s full scale invasion of the country in February 2022. It was, for all...
January 3, 2024
How to get started with data contracts
How to get started with data contracts
More and more modern companies are looking to get started with data contracts because they are a great way of increasing a business' data maturity...
December 28, 2023

Everything we know, we are happy to share. Head to the blog to see how we leverage the tech.