2
USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE
Cloud Applications
and GDPR
The European Union’s new General Data Protection
Regulation (GDPR) goes into effect on 25 May 2018 and
applies to all organisations that process European
residents’ personal data. It’s an update of the 1995
Data Protection Directive and its most noteworthy
change is the increase of maximum violation fines from
£500,000 to up to 4% of a company’s global turnover or
€21 million (whichever is greater).
Today’s cloud applications are highly contextual,
massively scalable, always-on, distributed across data
centers and geographies, and able to manage data and
insights in real time. This means they pose incredible
risks for non-compliance with the GDPR and also for
hefty, potentially catastrophic fines.
Business and technology leaders tasked with
successfully implementing their company’s GDPR
initiatives should recognise that achieving GDPR
compliance can be a complex project that demands
time, skills, and resources.
The GDPR in a Nutshell
• The GDPR consolidates and strengthens data
protection rights for individuals.
• Each EU state has supervisory authority.
• The GDPR builds on the EU’s Data Protection
Directive, adopted in 1995, with additional
requirements and penalties, including significantly
greater penalties for data breaches (see above).
• Each supervisory authority is obligated to investigate
complaints.
• Every organisation must understand the data it has,
whether that data is processed lawfully, and be able
to account for what it does and doesn’t do.
• Companies with multiple data systems present a
massive risk.
Legal grounds and privacy notices
The GDPR makes legal grounds such as consent more
onerous to satisfy. It also changes privacy notice
content requirements, meaning organisations will likely
need to amend their existing privacy terms or at least
review them to ensure alignment with the GDPR.
Accountability
The GDPR puts greater emphasis on showing
compliance, including requiring privacy impact
assessments for high-risk projects, keeping detailed
records of obtained consents, and implementing
‘privacy by design’ internal processes.
Rights of Data Subjects
The GDPR gives data subjects new and enhanced
rights, including a more extensive ‘right to be forgotten’,
a right of ‘portability’ (allowing for free transmission of
data in commonly used formats), and strengthened
rights to object to processing.
What Should Companies
Be Doing Now?
With less than a year to implementation, companies
should:
Audit all data, including where it is stored and the legal
basis of its processing.
Review existing privacy policies and terms with data
subjects as well as terms with third-party data
processors or other counterparties.
Assess procedures for handling individual requests and
notifying data breaches.
Plan any changes to systems and process.

Shared Data
DC 2
DC 1


3
USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE
How Can DataStax Help?
DataStax Enterprise (DSE) provides support for industry-standard authentication mechanisms, role-based
authentication, user activity auditing, and end-to-end encryption.
Also, data controllers using cloud applications have a higher risk of experiencing data breaches and failing GDPR
compliance. DSE is a comprehensive data platform designed from the ground up to support cloud and on-premise
applications. This means DSE provides all the critical capabilities needed for effective cloud applications, including
enterprise security, scalability, and performance.
DSE Graph provides a comprehensive, 360-degree view of the customer by linking all the relevant customer data
points, including static profile information and real-time customer activities. Such complete visibility allows data
controllers and processors to quickly and effectively address customer requests for viewing or erasing
personal information.
Article
Requirements
DataStax Solution
17
The data subject shall have the right to
obtain from the controller the erasure of
personal data concerning him or her
without undue delay.
DSE Time to Live (TTL)
Expiring Data TTL – Time to Live
• You can set an optional expiration period called TTL (time
to live) for data in a column.
• The TTL value for a column is a number of seconds.
Once the number of seconds since the column's creation
exceeds the TTL value, TTL data is considered expired and
is deleted.
29
… Processor and any person ... who
has access to personal data, shall not
process those data except on
instructions from the controller…
DSE Enterprise Security – Internal and External
Authentication
Grants or revokes authorization, leverages Kerberos &
LDAP/AD, uses single sign-on to all data domains.
25
… Controller shall implement
appropriate technical and
organisational measures for ensuring
that, by default, only personal data
which are necessary for each specific
purpose of the processing are
processed.
DSE 5.1 Row Level Access Control (RLAC)
Secures data in tables at the row level - handled via CQL.
Enables multi-tenancy capabilities on CassandraÔ tables.
32
… the controller, and the processor
shall implement appropriate technical
and organisational measures, to ensure
a level of security appropriate to the
risk, including inter alia, as appropriate:
(a) The pseudonymisation and
encryption of personal data;
DSE Enterprise Security – Transparent Data Encryption
Data Encryption in flight via SSL; Client –> Node; Node ->
Node; Data Encryption at Rest; and no changes needed at
app level.


4
USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE


Article
Requirements
DataStax Solution
34
The communication to the data subject
… shall not be required if... data affected
by the personal data breach, in particular
those that render the data unintelligible to
any person who is not authorised to
access it, such as encryption …
DSE Enterprise Security – Transparent Data Encryption
Data Encryption in flight via SSL; Client –> Node; Node ->
Node; Data Encryption at Rest; and no changes needed at
app level.
30
Each controller …. shall maintain a
record of processing activities under
its responsibility.
DSE Enterprise Security – Data Auditing
Audit trail of all accesses and changes; control to audit only
what’s needed. DSE stores comprehensive customer data
including static customer profile and real-time customer
activities.
DSE Graph
Delivers relationship view of the customer data so that the
controller obtains a relevant, contextual, and complete view
of customers.
33
In the case of a personal data breach,
the controller shall without undue delay
and, where feasible, not later than 72
hours after having become aware of it,
notify the personal data breach to the
supervisory authority …
DSE Enterprise Security – Data Auditing
Audit trail of all accesses and changes; control to audit only
what’s needed.
33
Data collector is also required to:
• Describe actions being taken to
address the breach
• Mitigate the consequences
DSE Graph
Provides a comprehensive, real-time view of the customer
across all journey touchpoints, including data from internal
and third-party systems. This immediate, 360-degree
visibility allows data processors and auditors to quickly
identify the potential trigger of the breach, or, in the event of
an actual breach already occurring, have a relationship view
of all customer data points to find problem spots and better
mitigate the damage.
33
Penetration testing to identify potential
attack vectors should be standard
DSE Analytics
Provides tight integration with Spark, enabling data
controllers to leverage Spark analytics features (such as
MLlib) to conduct penetration testing and vulnerability
assessments to prevent future breaches.
56
…the supervisory authority of the main
establishment or of the single
establishment of the controller or
processor shall be competent to act as
lead supervisory authority for the cross-
border processing carried out by that
controller.
DSE offers the ability to control, at a keyspace/schema
level, which data centres data should be replicated to,
meaning that in a multi-data centre (both physical and
cloud) cluster, you can ensure data won’t be shipped
anywhere it shouldn’t and access to that data will be
controlled.
This is very simple to set-up and is extremely useful when
you need to share some but not all of your data, or if you
have requirements around where your data is permitted
to reside.
USING REAL-TIME DATA MANAGEMENT TO DRIVE GDPR COMPLIANCE
About DataStax
It starts with a human desire, and when a universe of technology, devices and data aligns, it ends in a moment of
fulfillment and insight. Billions of these moments occur each second around the globe. They are moments that can
define an era, launch an innovation, and forever alter for the better how we relate to our environment. DataStax is the
power behind the moment. Bui lt on the unique architecture of Apache Cassandra™, DataStax Enterpr ise is the always-
on data platform and has been bat tle-tested for the world’s most innovative, global applications.
With more than 500 customers in over 50 countries, DataStax provide data management to the world’s most
innovative companies, such as Netflix, Safeway, ING, Adobe, Intuit, and eBay. Based in Santa Clara, Calif.,
DataStax is backed by industry-leading investors including Comcast Ventures, Crosslink Capital, Lightspeed Venture
Partners, Kleiner Perkins Caufield & Byers, Mer itech Capital, Premji Invest and Sca le Venture Partners. For more
informat ion, v isit DataStax.com/customers or follow us on @DataStax.
© 2017 DataStax, All Rights Reserved. DataStax is a registered trademark of DataStax, Inc. and its subsidiar ies in the
United States and/or other countr ies. Apache Cassandra is a trademark of the Apache Software Foundat ion or its
subs idiar ies in Canada, the United States and/or other countr ies.
Why DataStax
The world is changing at a rate we could never have
imagined. Today’s customers are like the applications
they use: digitally empowered, geographically
distributed, radically connected, hyper-informed, and
always on. To thrive in this customer-centric, data-
driven economy, businesses need to rethink the
technology infrastructure on which they are building and
deploying mission-critical cloud applications and move
to a modern, distributed database platform. In doing so,
they can make data the centerpiece of their
organization, build real-time value at epic scale, and
grow effectively and responsibly.
Built on the unique architecture of Apache CassandraÔ,
DataStax Enterprise is the always-on data platform and
has been battle-tested for the world’s most innovative,
global applications.
The DataStax Customer Experience (CX) Data Solution
incorporates the full power of our resources and
experience. The CX Data Solution combines DataStax
Enterprise with partner integration and world-class
consulting/training from experts who have helped
implement some of the largest real-time data
management systems in the world. The two key tools for
addressing critical customer experience needs are
Customer 360 and real-time personalization. Our
solution is designed to help companies get both (C360
and real-time personalization) up and running quickly
and with minimum risk. This enables them to proactively
tackle their CX challenges and bring their CX solutions
to market faster and with greater efficiency, creating
new opportunities to gain market share.
DataStax equips leaders with a customer-centric
understanding of the GDPR’s requirements for cloud
applications, helping them meet the stringent data
security compliance requirements and implementing
security controls for personal data stored in cloud-
based applications.