Many inky, black pixels have been rendered over GDPR. It dramatically shifts the landscape for businesses with any EU users, so there are a lot of questions about what it means in general, as well as what it takes to actually comply with it.
In this post, we’ll cover how Cockroach Labs conceives of GDPR’s major tenants (known as Data Subject Rights, which translates to “things you must do for your users”), as well as some considerations as to what it actually means for your company’s database.
Well, there are a lot of them, but let’s focus on those that are most obvious and impactful. We’ve gathered them into a few major groups:
Now, let’s break down two of the most complex data subject rights mean for your database:
One simple misgiving with this regulation is easy to dispel: this right doesn’t mean you can’t send EU user data outside of the EU. Instead, it means you must let users know what data you’re sending and how it’s to be used.
What this means for your business depends on the strategy you adopt to comply with GDPR. User notifications could range from minimal (e.g. you’re only temporarily reading data in the US for business analytics), to very upfront (e.g. primary copies of their data will be stored and read outside the EU).
The problem with the latter statement is not a technological one, but one of sentiment. For a lot of users who are understandably leery of businesses sharing and storing their data, this puts your business at a disadvantage against competitors who are more privacy-focused.
To improve teams’ solutions to this problem, CockroachDB self-hosted offers a geo-partitioning feature, which lets you control the physical layout of your table’s ranges (also known as shards or partitions) using row values from the table. For instance, if you had a user base that spanned the EU and the US, you could simply create two partitions based on your user’s table country column.
This has two substantial benefits: You can confidently tell users that primary copies of their data are stored in the EU, which gives you a competitive advantage over those who store their users’ data outside the EU. By keeping data close to the user to which it belongs, you’re able to provide users low latency responses.
This right has broad, sweeping implications that touch many facets of your database, but we’ll cover those that we’re aware of being most impactful:
Note that if you read the regulation itself refers to encryption as “pseudonymization”, but they’re the same thing.
Designing a secure application requires focus on many facets of your application––some of which are outside the purview of your database. That being said, CockroachDB is able to contribute to your efforts.
There are actually so many angles to consider with GDPR, we created an entire guide around bringing your app into the EU. If this post was helpful to you, there are more in-depth strategies and tactics in the guide.
Interested? Check out Scaling Your App with GDPR Compliance in Mind.
Illustration by Christina Chung.