Data Engineering Meetup: GDPR from a Technical Perspective

The General Data Protection Regulation (GDPR) will become effective on May 25 this year. As a result, the industry is making both small and large changes to the way it processes its data. To help the local community learn more about GDPR and its implications, we co-hosted the second Data Engineering Meetup in Oslo last week with more than 120 attendees.

The first talk, given by Graham Moore from Sesam, discussed how to bridge the gap between analysis and implementation. Graham explained how to think about the process of fulfilling GDPR restrictions and what the real goal is. He explained the most important articles of the regulation, including the right to access, data portability, rectification, consent and, last but not least, the right to be forgotten. It was pointed out that GDPR is a continuous process and is never done, because the nature of consent and contracts changes, as do the systems that hold them. Moreover, Graham presented a potential high-level architecture of a GDPR solution as well as the end-to-end process with possible fields for automation, based on one of the products his company works on.

The next speaker, Narasimha Raghavan Veeraragavan of Schibsted, presented data lifecycle management systems. The talk started with a recap of GDPR roles: data subject, data controller, data processor, and supervisory authority, as well as previous rights of data subjects, including the right to access and the right to erasure. Narasimha continued with the technical challenges he faces at work on a daily basis with regard to access and erasure. These mainly included resolving data dependencies and deletion logic. Schibsted’s approaches to solving those problems were presented, including their topic-based system called Privacy Broker.

The third speaker was Andy Petrella from Kensu, who discussed data science governance. He introduced the audience to the governance of data and emphasized how many new things we can still discover on top of data activities. Then, he continued with the importance of the data pipeline in the process of decision making. He pointed out how important it is to know the original source of your data and what anxieties we have to tackle. In the end, Andy mentioned that both accountability and transparency can be more easily achieved with an automated process registry, which is the main product of his company.

The penultimate speaker, Torgeir Hovden from Signatu, focused his presentation on the consent and data ecosystem. His talk started with a short history of data-processing milestones in the software industry and continued by emphasizing the main point of GDPR: “It’s forbidden to process the data, unless you have permission”. Torgeir also presented a very interesting demo of Google Analytics consent on data collection embedded in the website.

Last but not least, the final speaker was Jens Christian Gjesti from the law firm Kvale, who discussed what responsibility we have for the software and systems we use. Jens started by clarifying some common misconceptions about GDPR. Then, he continued with what is required to be GDPR compliant and presented the legal interpretations and details. Moreover, he presented what GDPR holds us responsible for: accountability, lawful processing, its technical meaning, and how to prove this. One of the main points made by the speaker was that using a third-party system (e.g. a Facebook page) does not free you from responsibility for your sensitive data.

A lot of great content was discussed at this event, and we hope others felt better informed about GDPR and its technical implications. Of course, stay tuned for the next Data Engineering Oslo Meetup event!