2 USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE Cloud Applications and GDPR The European Union’s new General Data Protection Regulation (GDPR) goes into effect on 25 May 2018 and applies to all organisations that process European residents’ personal data. It’s an update of the 1995 Data Protection Directive and its most noteworthy change is the increase of maximum violation fines from £500,000 to up to 4% of a company’s global turnover or €21 million (whichever is greater). Today’s cloud applications are highly contextual, massively scalable, always-on, distributed across data centers and geographies, and able to manage data and insights in real time. This means they pose incredible risks for non-compliance with the GDPR and also for hefty, potentially catastrophic fines. Business and technology leaders tasked with successfully implementing their company’s GDPR initiatives should recognise that achieving GDPR compliance can be a complex project that demands time, skills, and resources. The GDPR in a Nutshell • The GDPR consolidates and strengthens data protection rights for individuals. • Each EU state has supervisory authority. • The GDPR builds on the EU’s Data Protection Directive, adopted in 1995, with additional requirements and penalties, including significantly greater penalties for data breaches (see above). • Each supervisory authority is obligated to investigate complaints. • Every organisation must understand the data it has, whether that data is processed lawfully, and be able to account for what it does and doesn’t do. • Companies with multiple data systems present a massive risk. Legal grounds and privacy notices The GDPR makes legal grounds such as consent more onerous to satisfy. It also changes privacy notice content requirements, meaning organisations will likely need to amend their existing privacy terms or at least review them to ensure alignment with the GDPR. Accountability The GDPR puts greater emphasis on showing compliance, including requiring privacy impact assessments for high-risk projects, keeping detailed records of obtained consents, and implementing ‘privacy by design’ internal processes. Rights of Data Subjects The GDPR gives data subjects new and enhanced rights, including a more extensive ‘right to be forgotten’, a right of ‘portability’ (allowing for free transmission of data in commonly used formats), and strengthened rights to object to processing. What Should Companies Be Doing Now? With less than a year to implementation, companies should: Audit all data, including where it is stored and the legal basis of its processing. Review existing privacy policies and terms with data subjects as well as terms with third-party data processors or other counterparties. Assess procedures for handling individual requests and notifying data breaches. Plan any changes to systems and process. Shared Data DC 2 DC 1 3 USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE How Can DataStax Help? DataStax Enterprise (DSE) provides support for industry-standard authentication mechanisms, role-based authentication, user activity auditing, and end-to-end encryption. Also, data controllers using cloud applications have a higher risk of experiencing data breaches and failing GDPR compliance. DSE is a comprehensive data platform designed from the ground up to support cloud and on-premise applications. This means DSE provides all the critical capabilities needed for effective cloud applications, including enterprise security, scalability, and performance. DSE Graph provides a comprehensive, 360-degree view of the customer by linking all the relevant customer data points, including static profile information and real-time customer activities. Such complete visibility allows data controllers and processors to quickly and effectively address customer requests for viewing or erasing personal information. Article Requirements DataStax Solution 17 The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. DSE Time to Live (TTL) Expiring Data TTL – Time to Live • You can set an optional expiration period called TTL (time to live) for data in a column. • The TTL value for a column is a number of seconds. Once the number of seconds since the column's creation exceeds the TTL value, TTL data is considered expired and is deleted. 29 … Processor and any person ... who has access to personal data, shall not process those data except on instructions from the controller… DSE Enterprise Security – Internal and External Authentication Grants or revokes authorization, leverages Kerberos & LDAP/AD, uses single sign-on to all data domains. 25 … Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. DSE 5.1 Row Level Access Control (RLAC) Secures data in tables at the row level - handled via CQL. Enables multi-tenancy capabilities on CassandraÔ tables. 32 … the controller, and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate: (a) The pseudonymisation and encryption of personal data; DSE Enterprise Security – Transparent Data Encryption Data Encryption in flight via SSL; Client –> Node; Node -> Node; Data Encryption at Rest; and no changes needed at app level. 4 USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE Article Requirements DataStax Solution 34 The communication to the data subject … shall not be required if... data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption … DSE Enterprise Security – Transparent Data Encryption Data Encryption in flight via SSL; Client –> Node; Node -> Node; Data Encryption at Rest; and no changes needed at app level. 30 Each controller …. shall maintain a record of processing activities under its responsibility. DSE Enterprise Security – Data Auditing Audit trail of all accesses and changes; control to audit only what’s needed. DSE stores comprehensive customer data including static customer profile and real-time customer activities. DSE Graph Delivers relationship view of the customer data so that the controller obtains a relevant, contextual, and complete view of customers. 33 In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority … DSE Enterprise Security – Data Auditing Audit trail of all accesses and changes; control to audit only what’s needed. 33 Data collector is also required to: • Describe actions being taken to address the breach • Mitigate the consequences DSE Graph Provides a comprehensive, real-time view of the customer across all journey touchpoints, including data from internal and third-party systems. This immediate, 360-degree visibility allows data processors and auditors to quickly identify the potential trigger of the breach, or, in the event of an actual breach already occurring, have a relationship view of all customer data points to find problem spots and better mitigate the damage. 33 Penetration testing to identify potential attack vectors should be standard DSE Analytics Provides tight integration with Spark, enabling data controllers to leverage Spark analytics features (such as MLlib) to conduct penetration testing and vulnerability assessments to prevent future breaches. 56 …the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross- border processing carried out by that controller. DSE offers the ability to control, at a keyspace/schema level, which data centres data should be replicated to, meaning that in a multi-data centre (both physical and cloud) cluster, you can ensure data won’t be shipped anywhere it shouldn’t and access to that data will be controlled. This is very simple to set-up and is extremely useful when you need to share some but not all of your data, or if you have requirements around where your data is permitted to reside. USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE About DataStax It starts with a human desire, and when a universe of technology, devices and data aligns, it ends in a moment of fulfillment and insight. Billions of these moments occur each second around the globe. They are moments that can define an era, launch an innovation, and forever alter for the better how we relate to our environment. DataStax is the power behind the moment. Bui lt on the unique architecture of Apache Cassandra™, DataStax Enterpr ise is the always- on data platform and has been bat tle-tested for the world’s most innovative, global applications. With more than 500 customers in over 50 countries, DataStax provide data management to the world’s most innovative companies, such as Netflix, Safeway, ING, Adobe, Intuit, and eBay. Based in Santa Clara, Calif., DataStax is backed by industry-leading investors including Comcast Ventures, Crosslink Capital, Lightspeed Venture Partners, Kleiner Perkins Caufield & Byers, Mer itech Capital, Premji Invest and Sca le Venture Partners. For more informat ion, v isit DataStax.com/customers or follow us on @DataStax. © 2017 DataStax, All Rights Reserved. DataStax is a registered trademark of DataStax, Inc. and its subsidiar ies in the United States and/or other countr ies. Apache Cassandra is a trademark of the Apache Software Foundat ion or its subs idiar ies in Canada, the United States and/or other countr ies. Why DataStax The world is changing at a rate we could never have imagined. Today’s customers are like the applications they use: digitally empowered, geographically distributed, radically connected, hyper-informed, and always on. To thrive in this customer-centric, data- driven economy, businesses need to rethink the technology infrastructure on which they are building and deploying mission-critical cloud applications and move to a modern, distributed database platform. In doing so, they can make data the centerpiece of their organization, build real-time value at epic scale, and grow effectively and responsibly. Built on the unique architecture of Apache CassandraÔ, DataStax Enterprise is the always-on data platform and has been battle-tested for the world’s most innovative, global applications. The DataStax Customer Experience (CX) Data Solution incorporates the full power of our resources and experience. The CX Data Solution combines DataStax Enterprise with partner integration and world-class consulting/training from experts who have helped implement some of the largest real-time data management systems in the world. The two key tools for addressing critical customer experience needs are Customer 360 and real-time personalization. Our solution is designed to help companies get both (C360 and real-time personalization) up and running quickly and with minimum risk. This enables them to proactively tackle their CX challenges and bring their CX solutions to market faster and with greater efficiency, creating new opportunities to gain market share. DataStax equips leaders with a customer-centric understanding of the GDPR’s requirements for cloud applications, helping them meet the stringent data security compliance requirements and implementing security controls for personal data stored in cloud- based applications.