Database Requirements for Building GDPR-Compliant Apps
So, what does the General Data Protection Regulation (GDPR) mean for developers?
| Rights | How is it defined? | What it means for a database service |
|---|---|---|
| Data location and consent | Controllers must acquire explicit consent to transfer a user's personal data outside the EU. | Database services should incorporate a mechanism for capturing consent from the data subject and informing the data subject when their data is transferred outside the EU. |
| Right to access | On request, controllers must provide data subjects confirmation as to whether or not they are processing any of the subject's data, where, and for what purpose. | Database services must allow data subjects to retrieve personal data that resides in the service and, if requested, make a copy of that data. |
| Data portability | Data subjects can transmit personal data given to them by a controller to another controller. | The database service must allow data subjects to move data in and out freely. |
| Right to rectification | Data subjects can correct any erroneous personal data that controllers store. | The database service should provide an API that allows data subjects to modify the data stored. |
| Right to be forgotten | Data subjects can have controllers erase all of their personal data, cease distributing it, and stop processors from using it. | The database service should provide an API that allows data subjects to permanently delete the data stored. |
| Privacy by design | Controllers and processors must take appropriate technical and organizational measures to protect the rights of the data subjects. | The database service must provide data encryption, data isolation, data monitoring, and other enhanced security and access controls. |
Building for ‘data location’ and ‘privacy by design’
Privacy by design
- Database connections must be encrypted to secure communication between the client application and the database server and to prevent sensitive data from leaking.
- Since controllers are responsible for the GDPR compliance of any processors they use to process the data, they should try to minimize the number of third-party processors accessing the data they store.
- Encryption at rest should be used for stored data and backups. That way, an attacker who gains physical access to the hardware holding the data still cannot read it.
- Data breaches must be identified, and affected users must be notified within 72 hours.
Operational checklist to stay GDPR compliant
- Maintain up-to-date privacy notices so that data subjects are always aware of how their data is being used.
- Establish a data breach plan so you have a roadmap to follow when a breach occurs. In a time of crisis, this can save time and reduce stress.
- Only hold data that is relevant and limited to what is necessary for the purposes of running the business. Regularly carry out audits and purge anything that is extraneous.
- Protect all data inventory using a unified, secure system to prevent accidental or unlawful data destruction, loss, alteration, or unauthorized access.