Jun 28, 2017 | Techcelerate Ventures |
USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE

Cloud Applications and GDPR

The European Union’s new General Data Protection Regulation (GDPR) goes into effect on 25 May 2018 and applies to all organisations that process European residents’ personal data. It is an update of the 1995 Data Protection Directive, and its most noteworthy change is the increase of maximum violation fines from £500,000 to up to 4% of a company’s global turnover or €21 million (whichever is greater).

Today’s cloud applications are highly contextual, massively scalable, always-on, distributed across data centers and geographies, and able to manage data and insights in real time. This means they pose incredible risks for non-compliance with the GDPR and also for hefty, potentially catastrophic fines. Business and technology leaders tasked with successfully implementing their company’s GDPR initiatives should recognise that achieving GDPR compliance can be a complex project that demands time, skills, and resources.

The GDPR in a Nutshell

• The GDPR consolidates and strengthens data protection rights for individuals.
• Each EU state has a supervisory authority.
• The GDPR builds on the EU’s Data Protection Directive, adopted in 1995, with additional requirements and penalties, including significantly greater penalties for data breaches (see above).
• Each supervisory authority is obligated to investigate complaints.
• Every organisation must understand the data it has, whether that data is processed lawfully, and be able to account for what it does and doesn’t do.
• Companies with multiple data systems present a massive risk.

Legal grounds and privacy notices

The GDPR makes legal grounds such as consent more onerous to satisfy. It also changes privacy notice content requirements, meaning organisations will likely need to amend their existing privacy terms, or at least review them, to ensure alignment with the GDPR.
Accountability

The GDPR puts greater emphasis on demonstrating compliance, including requiring privacy impact assessments for high-risk projects, keeping detailed records of obtained consents, and implementing ‘privacy by design’ internal processes.

Rights of Data Subjects

The GDPR gives data subjects new and enhanced rights, including a more extensive ‘right to be forgotten’, a right of ‘portability’ (allowing for free transmission of data in commonly used formats), and strengthened rights to object to processing.

What Should Companies Be Doing Now?

With less than a year to implementation, companies should:

• Audit all data, including where it is stored and the legal basis of its processing.
• Review existing privacy policies and terms with data subjects, as well as terms with third-party data processors or other counterparties.
• Assess procedures for handling individual requests and notifying data breaches.
• Plan any changes to systems and processes.

[Figure: Shared Data replicated between DC 1 and DC 2]

How Can DataStax Help?

Data controllers using cloud applications face a higher risk of experiencing data breaches and of failing GDPR compliance. DataStax Enterprise (DSE) is a comprehensive data platform designed from the ground up to support cloud and on-premise applications, which means it provides the critical capabilities needed for effective cloud applications, including enterprise security, scalability, and performance. On the security side, DSE supports industry-standard authentication mechanisms, role-based authorization, user activity auditing, and end-to-end encryption.

DSE Graph provides a comprehensive, 360-degree view of the customer by linking all the relevant customer data points, including static profile information and real-time customer activities. Such complete visibility allows data controllers and processors to quickly and effectively address customer requests for viewing or erasing personal information.
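Three of the DSE capabilities that the article-to-solution table below relies on, expiring personal data with TTL (Article 17), granting authorization to roles (Article 29) and controlling which data centres hold replicas (Article 56), are all expressed in CQL. The following is an added example written for this page, not code from the DataStax paper or from the DSE product documentation; the keyspace, table, role and data-centre names are constructed, and it assumes a cluster whose snitch reports the two EU data centres named in the keyspace definition.

```cql
-- Added example (not from the DataStax paper). Keyspace, table, column, role
-- and data-centre names are constructed for illustration.

-- 1. Data residency (Article 56): NetworkTopologyStrategy places replicas only
--    in the data centres listed here. A data centre that is not listed, for
--    example a US region in the same cluster, holds no replicas of this keyspace.
CREATE KEYSPACE eu_customer_data
  WITH replication = {
    'class': 'NetworkTopologyStrategy',
    'dc_eu_west':    3,
    'dc_eu_central': 3
  };

-- 2. Retention by default (Article 17): every row written to this table expires
--    30 days after it is written unless the individual write sets its own TTL.
CREATE TABLE eu_customer_data.session_activity (
  customer_id   uuid,
  event_time    timestamp,
  page_visited  text,
  ip_address    inet,
  PRIMARY KEY (customer_id, event_time)
) WITH default_time_to_live = 2592000;   -- 30 days, expressed in seconds

-- A write may shorten the retention for a particular record (here 24 hours).
-- The UUID and address are constructed sample values.
INSERT INTO eu_customer_data.session_activity
  (customer_id, event_time, page_visited, ip_address)
VALUES (5f0c6e9a-0000-4000-8000-000000000001, toTimestamp(now()), '/checkout', '203.0.113.7')
USING TTL 86400;

-- Verify the remaining lifetime of a cell, in seconds, before it is deleted.
SELECT event_time, TTL(ip_address) AS seconds_remaining
  FROM eu_customer_data.session_activity
 WHERE customer_id = 5f0c6e9a-0000-4000-8000-000000000001;

-- 3. Erasure on request (Article 17): remove a data subject's whole partition
--    immediately rather than waiting for the TTL to elapse.
DELETE FROM eu_customer_data.session_activity
 WHERE customer_id = 5f0c6e9a-0000-4000-8000-000000000001;

-- 4. Processing only on the controller's instructions (Article 29): a support
--    role may read this keyspace but receives no MODIFY or DROP permission.
CREATE ROLE eu_support WITH LOGIN = true AND PASSWORD = '<set-via-secret-store>';
GRANT SELECT ON KEYSPACE eu_customer_data TO eu_support;
```

Two points a practitioner should carry into the processing record: a TTL expiry or a DELETE writes a tombstone, and the underlying cells remain on disk until compaction removes them after the table's gc_grace_seconds (ten days by default) and remain in any snapshot or backup taken before then, so "deleted" in the Article 17 sense needs a retention policy for backups as well. Replication placement controls where replicas are stored, not who can read them; a client connected in another data centre can still query the keyspace if its role has SELECT, so the keyspace layout should be paired with role permissions and network controls.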
GDPR Articles and the Corresponding DataStax Solution

Article 17
Requirement: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
DataStax solution: DSE Time to Live (TTL), expiring data.
• You can set an optional expiration period called TTL (time to live) for data in a column.
• The TTL value for a column is a number of seconds. Once the number of seconds since the column’s creation exceeds the TTL value, the data is considered expired and is deleted.

Article 29
Requirement: … Processor and any person ... who has access to personal data, shall not process those data except on instructions from the controller…
DataStax solution: DSE Enterprise Security, internal and external authentication. Grants or revokes authorization, leverages Kerberos and LDAP/AD, uses single sign-on to all data domains.

Article 25
Requirement: … Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
DataStax solution: DSE 5.1 Row Level Access Control (RLAC). Secures data in tables at the row level, handled via CQL. Enables multi-tenancy capabilities on Cassandra™ tables.

Article 32
Requirement: … the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate: (a) the pseudonymisation and encryption of personal data;
DataStax solution: DSE Enterprise Security, Transparent Data Encryption. Data encryption in flight via SSL (client to node and node to node), data encryption at rest, and no changes needed at the application level.

Article 34
Requirement: The communication to the data subject … shall not be required if ... data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption …
DataStax solution: DSE Enterprise Security, Transparent Data Encryption. Data encryption in flight via SSL (client to node and node to node), data encryption at rest, and no changes needed at the application level.

Article 30
Requirement: Each controller … shall maintain a record of processing activities under its responsibility.
DataStax solution: DSE Enterprise Security, Data Auditing. Audit trail of all accesses and changes, with control to audit only what is needed. DSE stores comprehensive customer data, including the static customer profile and real-time customer activities. DSE Graph delivers a relationship view of the customer data so that the controller obtains a relevant, contextual, and complete view of customers.

Article 33
Requirement: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …
DataStax solution: DSE Enterprise Security, Data Auditing. Audit trail of all accesses and changes, with control to audit only what is needed.

Article 33
Requirement: The data collector is also required to:
• Describe actions being taken to address the breach
• Mitigate the consequences
DataStax solution: DSE Graph. Provides a comprehensive, real-time view of the customer across all journey touchpoints, including data from internal and third-party systems. This immediate, 360-degree visibility allows data processors and auditors to quickly identify the potential trigger of the breach or, in the event of an actual breach already occurring, have a relationship view of all customer data points to find problem spots and better mitigate the damage.

Article 33
Requirement: Penetration testing to identify potential attack vectors should be standard.
DataStax solution: DSE Analytics. Provides tight integration with Spark, enabling data controllers to leverage Spark analytics features (such as MLlib) to conduct penetration testing and vulnerability assessments to prevent future breaches.

Article 56
Requirement: … the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller.
DataStax solution: DSE offers the ability to control, at a keyspace/schema level, which data centres data should be replicated to. In a multi-data-centre (physical and cloud) cluster, you can ensure data won’t be shipped anywhere it shouldn’t go, and access to that data will be controlled. This is very simple to set up and is extremely useful when you need to share some but not all of your data, or when you have requirements around where your data is permitted to reside.

About DataStax

It starts with a human desire, and when a universe of technology, devices and data aligns, it ends in a moment of fulfillment and insight. Billions of these moments occur each second around the globe. They are moments that can define an era, launch an innovation, and forever alter for the better how we relate to our environment. DataStax is the power behind the moment. Built on the unique architecture of Apache Cassandra™, DataStax Enterprise is the always-on data platform and has been battle-tested for the world’s most innovative, global applications. With more than 500 customers in over 50 countries, DataStax provides data management to the world’s most innovative companies, such as Netflix, Safeway, ING, Adobe, Intuit, and eBay.
Based in Santa Clara, Calif., DataStax is backed by industry-leading investors including Comcast Ventures, Crosslink Capital, Lightspeed Venture Partners, Kleiner Perkins Caufield & Byers, Meritech Capital, Premji Invest and Scale Venture Partners. For more information, visit DataStax.com/customers or follow us on @DataStax.

© 2017 DataStax, All Rights Reserved. DataStax is a registered trademark of DataStax, Inc. and its subsidiaries in the United States and/or other countries. Apache Cassandra is a trademark of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Why DataStax

The world is changing at a rate we could never have imagined. Today’s customers are like the applications they use: digitally empowered, geographically distributed, radically connected, hyper-informed, and always on. To thrive in this customer-centric, data-driven economy, businesses need to rethink the technology infrastructure on which they are building and deploying mission-critical cloud applications and move to a modern, distributed database platform. In doing so, they can make data the centerpiece of their organization, build real-time value at epic scale, and grow effectively and responsibly.

Built on the unique architecture of Apache Cassandra™, DataStax Enterprise is the always-on data platform and has been battle-tested for the world’s most innovative, global applications. The DataStax Customer Experience (CX) Data Solution incorporates the full power of our resources and experience. The CX Data Solution combines DataStax Enterprise with partner integration and world-class consulting/training from experts who have helped implement some of the largest real-time data management systems in the world. The two key tools for addressing critical customer experience needs are Customer 360 and real-time personalization.
Our solution is designed to help companies get both Customer 360 and real-time personalization up and running quickly and with minimum risk. This enables them to proactively tackle their CX challenges and bring their CX solutions to market faster and with greater efficiency, creating new opportunities to gain market share. DataStax equips leaders with a customer-centric understanding of the GDPR’s requirements for cloud applications, helping them meet the stringent data security compliance requirements and implement security controls for personal data stored in cloud-based applications.