The timeline for compliance with the European Union’s General Data Protection Regulation (GDPR) is fast approaching. To help you ensure you’re prepared, we’re hosting an online discussion in advance of May 25th (when the regulation goes into effect). We’ll cover:
The specific requirements of GDPR
How these map to required database capabilities
How MongoDB can provide the core technology foundations to help organizations accelerate their path to compliance
How MongoDB can accelerate a path to GDPR compliance
1. How MongoDB can accelerate a path to GDPR compliance
Sig Narváez
Principal Solutions
Architect
sig@mongodb.com
@SigNarvaez
2. Agenda
• GDPR Overview
• GDPR Privacy Requirements
• What does it mean for US companies?
• Data Management Impacts
• Case Studies
• Ovum research
• Resources and Next Steps
3. Disclosure
For a full description of the GDPR’s regulations, roles, and responsibilities, it is recommended that readers refer to the text of the GDPR (Regulation (EU) 2016/679), available from the Official Journal of the European Union, and refer to legal counsel for the interpretation of how the regulations apply to their organization.
4. GDPR Rationale
• How safe is your personal data?
• How is personal data used by the organizations we choose to share it with? Misuse can:
  • Damage our reputations
  • Deny us access to healthcare or financial services
  • Discriminate against us
  • Reduce our autonomy, freedom, individuality
Sources: CyberSecurity Ventures; Fortune, November ‘15
6. What is the GDPR?
• EU General Data Protection Regulation 2016/679
• Enshrines the protection and privacy of personal data as a fundamental right
• Governs how organizations collect, store, process, retain, and share the personal data of people in the EU (it protects data subjects in the EU, whatever their citizenship)
• Applies globally
• Covers processing in the context of an EU establishment, and processing of data about people in the EU by organizations established elsewhere (offering them goods or services, or monitoring their behaviour)
• Enforced from May 25th 2018
• Fines of up to €20m or 4% of global annual turnover, whichever is higher, for the most serious infringements; up to €10m or 2% for others
7. Why is GDPR Necessary?
• Replaces Data Protection Directive 95/46/EC, enacted in 1995
• Implementations varied across EU member states
• Technology has moved on MASSIVELY
• Global reach
• Expands the scope of “personal data”
8. The Increased Scope of Personal Data
• PII as defined by NIST: any information that is linked or linkable to an individual
  Linked: full name, SSN, driver’s license, …
  Linkable: job position, age group, …
• Non-PII: data that cannot be used on its own to trace or identify a person
  Device IDs, IP addresses, cookies, …
(Diagram: PII and non-PII shown as two separate sets)
9. GDPR Article 4 (clause 1): The Increased Scope of Personal Data
(Diagram: Personal Data (PD) under the GDPR encloses both PII and what US definitions call non-PII)
Article 4(1) defines personal data as “any information relating to an identified or identifiable natural person”, where an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
US-based companies: data that is non-PII under US definitions (device IDs, IP addresses, cookies) can be personal data under the GDPR definition, because it identifies a person indirectly.
10. Key GDPR Demands
• Explicit consent (not by default): what, how long, who with?
• Additional permission if processing beyond purpose of original consent
• Data protection & privacy by design, by default
• Right to be forgotten
• Right to review automated decisions
• Breach notification within 72 hours
• Review data at any time, portability between service providers
• Applicable to any organization processing the personal data of people in the EU
11. Key GDPR Roles & Definitions
• Data Subject: the natural person the data is about (a person in the EU)
• Data Controller: the organization that determines the purposes and means of processing (typically the one collecting the data)
• Data Processor: an organization that processes personal data on behalf of the controller (e.g. a hosting, SaaS or outsourcing provider); the controller’s own employees act under the controller’s authority and are not processors
• Data Protection Officer: designated by a controller or processor to oversee compliance; reports to the highest level of management and cooperates with the Supervisory Authority
• Supervisory Authority: the independent public body in each EU member state (28 at the time) overseeing GDPR enforcement
Data Breach, defined by the GDPR (Article 4, clause 12)
“‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
13-14. What’s Needed for Compliance?
What compliance isn’t…
• Turn on a bunch of database security controls
• BOOM… we’re done!
What compliance is…
• People: roles, responsibilities, accountability
• Process: business practices
• Product: technologies to implement controls
Together they accelerate the path to compliance
15. GDPR Data Protection Requirements
DISCOVER: Identify all PD in your systems
DEFEND: Implement appropriate security controls
DETECT: Monitor to identify suspicious behavior, remediate gaps
16. Mapping Required Capabilities to GDPR
Discover: Identify Personal Data; Implement Retention Policies
Defend: Access Control; Pseudonymisation & Encryption; Resilience & DR; Data Sovereignty / locality
Detect: Monitor & Report; Audit; Logging
18. Discover: Identification of Personal Data
Data Protection Impact Assessment
GDPR Article 35 (clause 1)
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
19. MongoDB Compass
The GUI for MongoDB
• Visualize & explore your schema with
an intuitive GUI
• Gain quick insights about your data with
easy-to-read histograms
• Build queries with a few clicks
• Drill down to view individual documents
in your collection
• Rich query language and secondary
indexes for deep discovery
20. Data Governance: Document Validation
Data governance with the agility of a dynamic schema
MongoDB 3.2: Document Validation Rules
• Field-level rules beyond basic types and lengths
• Tunable: enforce rules (validationAction: "error"), log warnings only (validationAction: "warn"), or allow
• Partial document validation: enforce a subset of fields
MongoDB 3.6: Full JSON Schema support
• Extends validation to the full document via $jsonSchema
• $jsonSchema can also be used in queries to find documents that do not comply with the schema, including documents written before the validator was added (existing documents are not re-checked when a validator is created)
22. Set schema and search for out-of-compliance documents
Find compliant docs:
  db.orders.find({ $jsonSchema: { <schema-here> } });
Find non-compliant docs:
  db.orders.find({ $nor: [ { $jsonSchema: { <schema-here> } } ] });
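The following is an added example, not code from the slides: a $jsonSchema validator for a hypothetical `customers` collection holding personal data and a consent record, the `$nor` query that surfaces documents violating it, and a small in-process evaluator of the schema keywords used so the logic can be exercised without a running mongod. The collection name, field names, regular expression and sample documents are assumptions.

```javascript
// Added example: schema over personal-data fields, the "find non-compliant"
// query from the slide, and a local evaluator. All names are assumptions.

const personalDataSchema = {
  bsonType: "object",
  required: ["_id", "email", "consent"],
  additionalProperties: false,           // undeclared PD fields are a finding, not a surprise
  properties: {
    _id: { bsonType: "string" },
    email: { bsonType: "string", pattern: "^[^@\\s]+@[^@\\s]+$" },
    fullName: { bsonType: "string" },
    // Consent must say what was agreed to and for how long (Art. 13(2)(a)).
    consent: {
      bsonType: "object",
      required: ["purpose", "givenAt", "expiresAt"],
      properties: {
        purpose: { enum: ["billing", "marketing", "analytics"] },
        givenAt: { bsonType: "date" },
        expiresAt: { bsonType: "date" },
      },
    },
  },
};

// Server-side (mongosh / driver): attach the schema to the collection.
//   db.createCollection("customers", {
//     validator: { $jsonSchema: personalDataSchema },
//     validationAction: "error",        // "warn" only logs violations
//   });
// Pre-existing documents are not re-checked, so a discovery query is still
// needed; this builds the one shown on the slide.
function nonCompliantQuery(schema) {
  return { $nor: [{ $jsonSchema: schema }] };
}

// Minimal evaluator for the keywords used above (bsonType, required,
// properties, additionalProperties, enum, pattern); mirrors the server for
// this subset only.
function bsonTypeOf(v) {
  if (v instanceof Date) return "date";
  if (Array.isArray(v)) return "array";
  if (v === null) return "null";
  if (typeof v === "boolean") return "bool";
  if (typeof v === "number") return "double";
  if (typeof v === "object") return "object";
  return "string";
}

function matchesSchema(value, schema) {
  if (schema.bsonType && bsonTypeOf(value) !== schema.bsonType) return false;
  if (schema.enum && !schema.enum.includes(value)) return false;
  if (schema.pattern && !new RegExp(schema.pattern).test(value)) return false;
  if (bsonTypeOf(value) !== "object") return true;
  for (const key of schema.required || []) {
    if (!(key in value)) return false;
  }
  for (const [key, sub] of Object.entries(schema.properties || {})) {
    if (key in value && !matchesSchema(value[key], sub)) return false;
  }
  if (schema.additionalProperties === false) {
    for (const key of Object.keys(value)) {
      if (!(schema.properties || {})[key]) return false;
    }
  }
  return true;
}

// In-memory equivalent of db.customers.find(nonCompliantQuery(schema)).
function findNonCompliant(docs, schema) {
  return docs.filter((d) => !matchesSchema(d, schema)).map((d) => d._id);
}

// Constructed sample documents.
const sampleCustomers = [
  { _id: "c1", email: "ann@example.org", fullName: "Ann",
    consent: { purpose: "billing", givenAt: new Date("2018-01-10"), expiresAt: new Date("2020-01-10") } },
  { _id: "c2", email: "bob@example.org" },                                  // no consent record
  { _id: "c3", email: "not-an-email",
    consent: { purpose: "marketing", givenAt: new Date(), expiresAt: new Date() } },
  { _id: "c4", email: "dee@example.org", ssn: "123-45-6789",                // undeclared PD field
    consent: { purpose: "analytics", givenAt: new Date(), expiresAt: new Date() } },
  { _id: "c5", email: "eve@example.org",
    consent: { purpose: "billing", givenAt: "2018-01-10", expiresAt: new Date() } }, // string, not date
];
```

In mongosh the same query is `db.customers.find(nonCompliantQuery(personalDataSchema))`; running it before turning `validationAction` from "warn" to "error" shows how much existing data needs remediation first.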
23. Discover: Retention of Personal Data
“Information to be Provided”
GDPR Article 13 (clause 2a)
“the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.”
24. Automatic Data Erasure:
Time to Live (TTL) Indexes
• Automates the expiry of data from the database
• Define TTL index against a date field, specify the
expiration period
• Background process deletes the document once
retention period expires
• Simplifies enforcement, with lower overhead
25. Manual Data Erasure
• MongoDB allows modifying the shape of any document, at any point in time: the $unset operator deletes a particular field
• Removing complete documents: .deleteOne() and .deleteMany()
• Removing complete collections or databases: collection.drop(), db.dropDatabase()
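An added example, not from the slides, covering the two erasure slides above: the TTL index a retention policy would use, a local model of which documents the TTL monitor would remove (including the documents it silently never removes), and the update specification for a manual erasure request. Collection and field names, the clock value and the sample documents are assumptions.

```javascript
// Added example: TTL-based retention and manual erasure. Names are assumptions.

// Server-side index definition (mongosh / driver). expireAfterSeconds: 0 means
// "delete once the date stored in the field is reached", so each document can
// carry its own retention deadline, e.g. the consent expiry it was told about.
const ttlIndexSpec = {
  keys: { retainUntil: 1 },
  options: { expireAfterSeconds: 0 },
};
//   db.customers.createIndex(ttlIndexSpec.keys, ttlIndexSpec.options);

// TTL semantics worth knowing before relying on them for Art. 13(2)(a):
//  * the TTL monitor runs roughly every 60 s, so deletion is not instant;
//  * only BSON Date values (or arrays of them) count; a document whose field
//    is a string, a number, or missing never expires;
//  * for an array of dates the earliest one is used;
//  * TTL indexes are single-field and cannot be compound or on _id.
function isExpired(doc, field, expireAfterSeconds, now) {
  const raw = doc[field];
  const dates = (Array.isArray(raw) ? raw : [raw]).filter((v) => v instanceof Date);
  if (dates.length === 0) return false;              // non-Date / missing: never expires
  const earliest = Math.min(...dates.map((d) => d.getTime()));
  return earliest + expireAfterSeconds * 1000 <= now.getTime();
}

// _ids the background process would delete at `now`.
function expiredIds(docs, spec, now) {
  const field = Object.keys(spec.keys)[0];
  return docs
    .filter((d) => isExpired(d, field, spec.options.expireAfterSeconds, now))
    .map((d) => d._id);
}

// Documents the index will NEVER purge because the field is not a Date:
// these need a remediation pass, not a longer wait.
function neverExpiringIds(docs, spec) {
  const field = Object.keys(spec.keys)[0];
  return docs
    .filter((d) => {
      const raw = d[field];
      return !(Array.isArray(raw) ? raw : [raw]).some((v) => v instanceof Date);
    })
    .map((d) => d._id);
}

// Manual erasure for a data-subject request: strip the identifying fields but
// keep the record (e.g. where a financial-record obligation remains) ...
function erasureUpdate(fieldsToRemove) {
  const unset = {};
  for (const f of fieldsToRemove) unset[f] = "";      // $unset ignores the value
  return { $unset: unset, $set: { erasedAt: new Date(), erasureReason: "subject-request" } };
}
//   db.customers.updateOne({ _id: subjectId }, erasureUpdate(["email", "fullName", "phone"]));
// ... or remove the documents outright:
//   db.customers.deleteMany({ subjectId });
// Neither touches existing backups or oplog history; the retention period
// declared to the subject has to cover those copies as well.

const NOW = new Date("2018-05-25T00:00:00Z");          // constructed "current time"
const sampleDocs = [                                   // constructed
  { _id: "a", retainUntil: new Date("2018-05-24T23:59:00Z") },                 // past: expires
  { _id: "b", retainUntil: new Date("2019-05-25T00:00:00Z") },                 // future: kept
  { _id: "c", retainUntil: "2017-01-01" },                                      // string: never expires
  { _id: "d" },                                                                 // missing: never expires
  { _id: "e", retainUntil: [new Date("2018-01-01"), new Date("2030-01-01")] },  // earliest date wins
];
```

The `neverExpiringIds` check is the one to run after a migration from another store: dates imported as strings look right in Compass but are invisible to the TTL monitor.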
27. Defend
General Security Requirements
“Security of Processing”
GDPR Article 32 (clause 1)
“….the controller and the processor shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a. the pseudonymisation and encryption of personal data;
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the
event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical
and organisational measures for ensuring the security of the processing.”
28. Access Control of the Data
Authentication
• Challenge/Response (SCRAM)
• x.509 certificates, Kerberos
• LDAP
Authorization
• Role-Based Access Control
• User-Defined Roles
29. Access Control of the Clusters
Ops Manager
Cloud Manager
Atlas
• Authentication
• Challenge/Response, 2FA
• LDAP (Ops Manager)
• Authorization
• RBAC
• Organizations / Teams / Projects
30. Defend: Pseudonymisation & Encryption
“Security of Processing”
GDPR Article 32 (clause 1)
“…. shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…:
a. the pseudonymisation and encryption of personal data;”
“Communication of a Personal Data Breach to the Data Subject”
GDPR Article 34 (clause 3a)
Communication of a breach to the affected data subjects is not required if the controller had applied measures that render the personal data unintelligible to anyone not authorised to access it, such as encryption. This exemption covers notifying data subjects (Article 34) only; the 72-hour notification to the supervisory authority under Article 33 still applies.
31. Pseudonymisation: Read-Only Views
• MongoDB allows administrators to define views that
expose a subset of data from the underlying
collection
• Exclude or mask fields
• Reduces risk of sensitive data exposure
• Views do not affect source collections
• Separately specified permissions levels
32. Encryption: In Motion & At Rest
• End to end data encryption
• Data in motion, TLS encryption
• Data at rest in persistent storage and
backups
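An added example, not from the slides, for the encryption controls on this slide together with the log redaction and audit log listed in the summary: an Article 32(1)(d)-style check that a mongod configuration actually enforces TLS, at-rest encryption, authorization, auditing and log redaction. The two configurations are constructed; the option names are real mongod.conf keys (4.2+ naming; earlier releases used net.ssl.mode with allowSSL/preferSSL/requireSSL).

```javascript
// Added example: lint a parsed mongod.conf for the controls the deck relies on.
// Configurations below are constructed; option names are real mongod keys.

function get(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Returns findings; an empty list means every check passed.
function lintMongodConfig(cfg) {
  const findings = [];
  const tlsMode = get(cfg, "net.tls.mode") ?? get(cfg, "net.ssl.mode") ?? "disabled";
  if (!/^require(TLS|SSL)$/.test(tlsMode)) {
    // allowTLS / preferTLS still accept cleartext clients.
    findings.push(`net.tls.mode is "${tlsMode}": clients may connect without TLS; use requireTLS`);
  }
  if (get(cfg, "security.authorization") !== "enabled") {
    findings.push("security.authorization is not enabled: RBAC is not enforced");
  }
  if (get(cfg, "security.enableEncryption") !== true) {
    findings.push("security.enableEncryption is not true: data files and journal are stored in cleartext");
  } else if (get(cfg, "security.encryptionKeyFile") && !get(cfg, "security.kmip.serverName")) {
    findings.push("at-rest encryption uses a local key file, not KMIP: key and data share a host");
  }
  if (get(cfg, "auditLog.destination") === undefined) {
    findings.push("auditLog.destination is not set: no audit trail for Art. 30/33 evidence");
  }
  if (get(cfg, "security.redactClientLogData") !== true) {
    findings.push("security.redactClientLogData is not true: personal data in queries can reach the server log");
  }
  const bind = get(cfg, "net.bindIp") ?? "localhost";
  if (bind.split(",").some((ip) => ip.trim() === "0.0.0.0")) {
    findings.push("net.bindIp includes 0.0.0.0: mongod listens on every interface");
  }
  return findings;
}

// Constructed: a typical "we turned TLS on" configuration that still fails.
const weakConfig = {
  net: { bindIp: "0.0.0.0", tls: { mode: "preferTLS", certificateKeyFile: "/etc/ssl/mongodb.pem" } },
  storage: { dbPath: "/var/lib/mongo" },
};

// Constructed: the hardened counterpart (KMIP server and paths are placeholders).
const hardenedConfig = {
  net: {
    bindIp: "127.0.0.1,10.0.0.12",
    tls: { mode: "requireTLS", certificateKeyFile: "/etc/ssl/mongodb.pem", CAFile: "/etc/ssl/ca.pem" },
  },
  security: {
    authorization: "enabled",
    enableEncryption: true,
    kmip: { serverName: "kmip.internal.example", port: 5696, clientCertificateFile: "/etc/ssl/kmip-client.pem" },
    redactClientLogData: true,
  },
  auditLog: { destination: "file", format: "JSON", path: "/var/log/mongodb/audit.json" },
  storage: { dbPath: "/var/lib/mongo" },
};
```

Run against the YAML your configuration management renders (parse it with any YAML library first); the point of the lint is that "encryption is on" is verifiable from the shipped file rather than from a ticket.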
33. Defend
Resilience & Disaster Recovery
“Security of Processing”
GDPR Article 32 (clause 1)
“…. implement appropriate technical and organisational measures to ensure a level of security
appropriate to the risk, including …:
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the
event of a physical or technical incident;”
34. Resilience: Replica Sets
• Data is distributed across multiple independent nodes, no single point of failure
• Replica set: up to 50 members (of which up to 7 vote); three is the practical minimum for automatic failover
• Self-healing
• Data center awareness
• Replica sets address:
  • Always-on availability & disaster recovery
  • Data durability, consistency
  • Maintenance (e.g., HW swaps)
  • Workload isolation
(Diagram: application and driver writing to the primary, with replication to two secondaries)
35. DR: Backup with Point-in-time Recovery
• Continuous backups, minimizing
exposure to data loss
• Cluster-wide snapshots of sharded
clusters
• Restore to precisely the moment you
need, quickly and safely with point-in-
time restores
• Automation-driven restores
• Queryable and Encrypted Backups
36. Defend
Sovereignty: Data Transfers Outside of the EU
GDPR Article 45 (clause 1)
“A transfer of personal data to a third country or an international organisation may take
place where the Commission has decided that the third country, a territory or one or more
specified sectors within that third country, or the international organisation in question ensures an
adequate level of protection.”
37. MongoDB Zones
• Partition data across distributed clusters
based on data locality policies
• Adhere to data sovereignty requirements
• If policies change, update the sharding metadata
(zones, ranges) and data is automatically migrated
between shards
• Configure visually from MongoDB Ops /
Cloud Manager
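An added example, not from the slides, of how zone sharding decides where a document lives, so a data-locality policy can be checked before data is written rather than discovered after a balancer move. Shard names, the shard key, the zone ranges and the documents are constructed; the sh.* helpers quoted in comments are the real mongosh commands.

```javascript
// Added example: model zone key ranges and find documents that fall outside
// every zone (the data-sovereignty gap). All names below are assumptions.

const MinKey = Symbol("MinKey");
const MaxKey = Symbol("MaxKey");

// Equivalent mongosh setup:
//   sh.addShardToZone("shard-eu-0", "EU");  sh.addShardToZone("shard-us-0", "US");
//   sh.shardCollection("crm.customers", { region: 1, customerId: 1 });
//   sh.updateZoneKeyRange("crm.customers", { region: "EU", customerId: MinKey },
//                         { region: "EU", customerId: MaxKey }, "EU");
//   sh.updateZoneKeyRange("crm.customers", { region: "US", customerId: MinKey },
//                         { region: "US", customerId: MaxKey }, "US");
// The locality field must lead the shard key, or no range can isolate a region.
const shardKey = ["region", "customerId"];
const zoneRanges = [
  { zone: "EU", min: { region: "EU", customerId: MinKey }, max: { region: "EU", customerId: MaxKey } },
  { zone: "US", min: { region: "US", customerId: MinKey }, max: { region: "US", customerId: MaxKey } },
];
const zoneShards = { EU: ["shard-eu-0"], US: ["shard-us-0"] };
const allShards = ["shard-eu-0", "shard-us-0", "shard-apac-0"];   // shard-apac-0 has no zone

// BSON-like ordering for this example: MinKey < null/missing < values < MaxKey.
const rank = (v) => (v === MinKey ? 0 : v == null ? 1 : v === MaxKey ? 3 : 2);
function cmpValue(a, b) {
  const ra = rank(a), rb = rank(b);
  if (ra !== rb) return ra < rb ? -1 : 1;
  if (ra !== 2 || a === b) return 0;
  return a < b ? -1 : 1;
}
// Compound shard-key comparison, field by field, as chunk ranges are compared.
function cmpKey(a, b) {
  for (const f of shardKey) {
    const c = cmpValue(a[f], b[f]);
    if (c !== 0) return c;
  }
  return 0;
}

// Zone whose range covers the document's shard key (min inclusive, max
// exclusive), or null when no range covers it.
function zoneFor(doc) {
  const key = Object.fromEntries(shardKey.map((f) => [f, doc[f]]));
  const hit = zoneRanges.find((r) => cmpKey(key, r.min) >= 0 && cmpKey(key, r.max) < 0);
  return hit ? hit.zone : null;
}

// Shards the balancer may place the document's chunk on. An unzoned key range
// can land on ANY shard, including one outside the intended jurisdiction.
function allowedShards(doc) {
  const z = zoneFor(doc);
  return z ? zoneShards[z] : allShards;
}

const sampleDocs = [                                  // constructed
  { _id: 1, region: "EU", customerId: "c-100" },
  { _id: 2, region: "US", customerId: "c-200" },
  { _id: 3, region: "UK", customerId: "c-300" },      // no zone range covers "UK"
  { _id: 4, customerId: "c-400" },                    // shard-key field missing
];
```

Documents 3 and 4 are the ones a residency review should flag: the policy says EU data stays in the EU, but a region value nobody defined a range for (or a missing one) is free to migrate to shard-apac-0.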
39. Detect: Monitoring & Alerting
“Notification of a Personal Data Breach to the Supervisory Authority”
GDPR Article 33 (clause 1)
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority....”
40. Monitoring & Alerting
• Over 100+ database-related metrics
• Visualized across charts and
dashboards
• Custom alerts so incidents do not
become emergencies: pushed to
collaboration & management
platforms
• Push telemetry data via API into APM
platforms
41. Detect: Auditing
“Records of Processing Activities”
GDPR Article 30 (clause 1)
“....Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility”
42. Auditing
• The MongoDB Enterprise Advanced audit log records authentication, authorization failures, schema (DDL) changes, user and role changes, and replica set / sharding configuration changes; read and write operations can be included as well via the authCheck audit filter (with auditAuthorizationSuccess)
• Configurable filters (commands, IP, users, etc.) & role-based auditing
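An added example, not from the slides, of detection logic for the Detect column: it runs over MongoDB Enterprise audit-log records (auditLog.format: JSON, one record per line) and raises the alerts a 72-hour breach process needs, covering brute-force authentication, privilege changes, unauthorized access attempts against personal-data collections, and destruction of those collections. The records are constructed in the documented record shape (atype, ts, local, remote, users, roles, param, result); the thresholds, namespace inventory and addresses are assumptions.

```javascript
// Added example: alerts from constructed MongoDB audit-log JSON records.
// Inventory, thresholds and addresses are assumptions.

const PD_NAMESPACES = new Set(["crm.customers", "crm.consents"]);   // output of the Discover phase

const RULES = {
  failedAuthThreshold: 5,                 // failures per source IP ...
  failedAuthWindowMs: 5 * 60 * 1000,      // ... within this window
  privilegeChanges: new Set(["createUser", "grantRolesToUser", "createRole", "updateRole", "dropUser"]),
  destructive: new Set(["dropCollection", "dropDatabase"]),
};

function parseAuditLines(text) {
  return text.split("\n").filter((l) => l.trim()).map((l) => {
    const r = JSON.parse(l);
    // Audit timestamps use a "+0000" style offset; JS Date wants "+00:00".
    const iso = r.ts.$date.replace(/([+-]\d{2})(\d{2})$/, "$1:$2");
    return { ...r, time: new Date(iso) };
  });
}

function principal(rec) {
  return rec.users && rec.users.length ? `${rec.users[0].user}@${rec.users[0].db}` : "<unauthenticated>";
}

function detect(records) {
  const alerts = [];
  const failures = new Map();     // remote ip -> timestamps of failed authenticate events
  for (const r of records) {
    if (r.atype === "authenticate" && r.result !== 0) {        // result 18 = AuthenticationFailed
      const ip = r.remote.ip;
      const times = (failures.get(ip) || []).filter((t) => r.time - t <= RULES.failedAuthWindowMs);
      times.push(r.time);
      failures.set(ip, times);
      if (times.length === RULES.failedAuthThreshold) {
        alerts.push({ rule: "auth-bruteforce", ip, user: r.param.user, count: times.length });
      }
    }
    if (RULES.privilegeChanges.has(r.atype)) {
      alerts.push({ rule: "privilege-change", atype: r.atype, by: principal(r), target: r.param.user ?? r.param.role });
    }
    if (RULES.destructive.has(r.atype)) {
      const ns = r.param.ns ?? r.param.db;
      if (PD_NAMESPACES.has(ns) || [...PD_NAMESPACES].some((n) => n.startsWith(ns + "."))) {
        alerts.push({ rule: "pd-destroyed", atype: r.atype, ns, by: principal(r) });
      }
    }
    if (r.atype === "authCheck" && r.result === 13 && PD_NAMESPACES.has(r.param.ns)) {   // 13 = Unauthorized
      alerts.push({ rule: "pd-unauthorized-access", ns: r.param.ns, by: principal(r), command: r.param.command });
    }
  }
  return alerts;
}

// Constructed records in the audit-log shape.
function rec(atype, ts, remoteIp, users, param, result) {
  return JSON.stringify({ atype, ts: { $date: ts }, local: { ip: "10.0.0.12", port: 27017 },
    remote: { ip: remoteIp, port: 51000 }, users, roles: [], param, result });
}
const sampleAuditLog = [
  ...[0, 10, 20, 30, 40].map((s) => rec("authenticate", `2018-05-20T10:00:${String(s).padStart(2, "0")}.000+0000`,
    "203.0.113.7", [], { user: "app", db: "crm", mechanism: "SCRAM-SHA-1" }, 18)),
  rec("authenticate", "2018-05-20T10:01:00.000+0000", "10.0.0.50", [{ user: "app", db: "crm" }],
    { user: "app", db: "crm", mechanism: "SCRAM-SHA-1" }, 0),
  rec("grantRolesToUser", "2018-05-20T10:02:00.000+0000", "10.0.0.50", [{ user: "dba", db: "admin" }],
    { user: "app", db: "crm", roles: [{ role: "dbOwner", db: "crm" }] }, 0),
  rec("authCheck", "2018-05-20T10:03:00.000+0000", "10.0.0.51", [{ user: "reporting", db: "crm" }],
    { command: "find", ns: "crm.customers", args: { find: "customers", filter: {} } }, 13),
  rec("dropCollection", "2018-05-20T10:04:00.000+0000", "10.0.0.50", [{ user: "app", db: "crm" }],
    { ns: "crm.consents" }, 0),
].join("\n");
```

The alert objects are what gets pushed to the collaboration or APM platform mentioned on the monitoring slide; the "pd-destroyed" rule is the one that starts the 72-hour clock if the drop was not a planned retention job.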
43. Reacting to Changes: Change Streams
• Listen for changes in data
• Configurable filters
• Control passed to the application layer
• Workload isolation: run against a secondary node
• Security best practices
(Diagram: business apps, user data, sensors and clickstream feed the Change Streams API, which emits real-time event notifications to a message queue and to a compliance monitoring solution)
44. MongoDB Services
“Binding corporate rules”
GDPR Article 47 (clause 2n)
“.... the appropriate data protection training to personnel having permanent or regular access to personal data”
• M310 Security Course
• M102 for DBAs
• M103 & M122 - Cluster Administration
• MongoDB University public & private training
• MongoDB Global Consulting Services
46. Digital Transformation with MongoDB
UK’s leading commercial property data service drives GDPR readiness
Problem:
• Need to develop a new platform for the company to move from traditional print media to a digital business delivering market intelligence and tools across multiple online channels
• Monolithic application architecture and rigid relational database prevented the IT team pushing new updates any more than once per month
Why MongoDB / Solution:
• Moved to a MEAN stack powered by a microservices-based architecture in the cloud
• MongoDB Enterprise Advanced for access to advanced security and support
• MongoDB Encrypted Storage Engine to support GDPR readiness
Results:
• GDPR readiness with a much more agile data platform
• Supports 50x more releases per month, with always-on availability
• Transformed business: digital is now driving revenue growth
47. Better Prepare for GDPR with DBaaS
Ensure data gathered from exercise equipment (IoT) complies with regulations
Customer: multinational manufacturer & distributor of exercise equipment (IoT), USA subsidiary
Problem:
• Gather data from exercise equipment (commercial and residential); data collected at second-level granularity
• Desired data storage in the EU to assist with GDPR compliance
• Existing MongoDB DBaaS provider did not offer the cross-region replication required to enforce data locality; analytics via workload isolation also required
Why MongoDB / Solution:
• Migrate from existing DBaaS to MongoDB Atlas
• Enabled cross-region replication
• Enabled read-only nodes and BI Connector as-a-service to unlock real-time analytics and insights against the data
Results:
• GDPR readiness with a much more agile, cloud-agnostic data platform putting data where they need it
• Enable business insight with self-serve analytics
48. Encryption At-Rest for GDPR
Adopted MongoDB Enterprise Advanced for advanced security
Customer: leading cloud-based identity platform; provides SSO for various platforms and identity providers
Problem:
• Using MongoDB Community and a 3rd-party support provider
• Access to Enterprise tools and advanced encryption not available; 3rd-party options added cost and complexity
• Encryption at rest required for GDPR compliance
Why MongoDB / Solution:
• Adopted MongoDB Enterprise Advanced for advanced security and first-class service
• Enabled the Encrypted Storage Engine, with the ability to rotate keys as required and integrate with 3rd-party KMS solutions
Results:
• Encryption at rest adds to GDPR readiness
• Strategic relationship with the OEM of the data platform: MongoDB Inc.
50. How MongoDB Supports GDPR
Discover
• Identify Personal Data: MongoDB Compass; expressive queries & analytics; Document Validation; JSON Schema
• Personal Data Retention: TTL Indexes
Defend
• Access Control: Authentication (e.g. LDAP, Kerberos); Authorization (RBAC); IP Whitelisting & VPC Peering; organizational controls for cluster access
• Pseudonymisation & Encryption: Read-Only Views; Log Redaction; TLS/SSL network encryption; Encrypted Storage Engine
• Resilience & DR: Replica Sets; MongoDB PIT Backup & Recovery; Queryable and Encrypted Backups
• Data Sovereignty: MongoDB Zones
Detect
• Monitor & Report: Real-Time Alerting
• Audit: MongoDB Audit Log; Change Streams
Across all three: MongoDB University, Training & Global Consulting
51. MongoDB Atlas and GDPR
Compliance is an ongoing process and a shared responsibility
• Cloud-agnostic
• Uses GDPR-compliant cloud providers
• SOC 2 Type 1 certified
• https://aws.amazon.com/compliance/gdpr-center/
• https://cloud.google.com/security/gdpr/
• https://www.microsoft.com/en-us/TrustCenter/CloudServices/Azure/GDPR
52. Ovum Consulting and Research
• “Developer productivity is the engine that drives the outcomes of digital transformation initiatives”
• “MongoDB challenges the notion that safety prevents progress”
• Whitepaper highlights most of the features we covered today
• www.mongodb.com/collateral/mongodb-takes-steps-toward-governance-in-the-era-of-gdpr
53. Next Steps
• Download the whitepaper
• Refer to your legal counsel for GDPR advice
• Engage MongoDB Consulting
THANK YOU!