Company | May 25, 2018

DigitalRights 360: How DataStax Helps Enterprises Comply with the GDPR

Martin James

Citizens’ Data Rights

With the implementation of the European Union’s General Data Protection Regulation (GDPR), sweeping legislation designed to better protect the personal data of EU citizens, data controllers and processors now have many new obligations, and EU citizens now have many new rights and new power regarding their data.

As citizens, we create data trails all day, every day; we click through terms and conditions without really reading them every time we use a wifi hotspot, visit a website, make an online purchase, and so on. Since the GDPR gives EU citizens a plethora of new rights regarding their personal information, it is important for enterprises to have systems in place that make it easy to service consumer requests. Most enterprises today cannot even tell us all the data they have collected about us, let alone provide the type of visibility and control outlined by the GDPR legislation.

This blog examines the demands today’s cloud applications put on enterprises needing to comply with the GDPR, especially around EU citizens’ rights as ‘data subjects’ whose data is held by a company or organization.

Cloud Applications and the Data Labyrinth

“Disrupt or be disrupted” has become the mantra of almost every enterprise on the planet, and the past several years have ushered in a digital transformation race to build instantly available and always on cloud applications that significantly improve customer experience. These applications gather and analyze as much data as possible as quickly as possible, across various touchpoints, each of which adds to the growing amount of data that enterprises store and process about their customers.

As customers, we love the improved convenience and speed of our new apps, and the fact that we can use them anywhere and at any time. But for companies, the increasing number of customer touchpoints across different applications, departments, geographies, and systems has created a massive volume of data that can be hard to sort through.

As an example, let’s look at all the data generated from a pretty typical smartphone purchase:

  • We go into a retail shop to check out the new phones on display. As we enter the shop, a salesperson asks for our number and enters it on their mobile device. We handle all the new devices but leave without making a purchase. After all, we want to ensure we get the lowest price possible, and we know that information is available online.
  • When we get home we visit our provider’s website and read reviews about the two phones we are interested in. We are logged into the site, and our site activity preferences are collected.
  • We decide to make a purchase and choose a phone with an associated rebate. Using a separate application that collects and stores our credit card data, we complete the purchase.
  • As we check out, we are prompted to confirm the shipping address. We decide that we want it shipped to the office for convenience, so we enter a new address that wasn’t previously in the system. Now the phone company has our work and home addresses stored. We also update our shipping preferences and settle for a five-day delivery to avoid the extra charge.
  • After checkout, the phone company emails us a link to a different system to generate the rebate certificate offered by a third-party provider. Without reading them we agree to the terms and conditions, which ask us if it’s okay to share our data with that third party.
  • A few weeks pass, and we love the new phone. We have a business trip planned overseas, so we log back into our provider’s site and select a new data roaming plan that will allow us to get cell and data service in the countries we are planning to visit.
  • During the business trip the provider collects and stores information on where we go, how much we use the phone, and which applications we access. A couple of the countries we visit are outside of the EU and not governed by GDPR legislation.
  • During the trip we also take advantage of a perk provided by the phone company to use wifi hotspots for free. Each time we log in to a different hotspot, we share our data with the third-party entity providing the wifi access. There are multiple providers, and the telecommunications company has deals with all of them around data sharing.

And on and on, each right-now moment generating more and more data stored in an ever-growing number of systems; a labyrinth of data collection.

Helping Citizens While Building New Value in the Data Labyrinth

My family recently experienced what happens with the data labyrinth and how it manifests itself for customers. Everyone reading this can probably relate.

My wife has had the same mobile number for over 20 years now, and has been very loyal to her mobile phone provider. Over the span of 12 months she received four texts thanking her for her on-time payment, after which she received a message saying that in fact she hadn’t paid her bill (she had) and that the mobile phone company would be restricting her service.

Clearly this company doesn’t have a 360-degree view of my wife’s digital interactions and all her account information.

Also, even though our family has four lines from this same provider, we’ve never been approached as a whole family, only as individuals. Again, this shows that the provider isn’t connecting the dots and doesn’t have a holistic view of the entire family.

And in not having a holistic view, the company is missing out on the opportunity to both create a better overall customer experience and to upsell my family as a whole on additional products that we might benefit from as a family unit.

Figure 1: This phone company clearly doesn’t have Customer 360.

But how can the telecommunications company disentangle the data labyrinth to ensure it has the complete picture of our data so that it can ensure it will be in compliance with the GDPR and avoid significant new data privacy violation fines outlined in the GDPR?

The answer is below — but first it would be beneficial to understand just how valuable our data has become, since it has, in fact, become the product itself. And from this, we will see that we can actually multiply business value for customers.

We Are the Product

“We’ve never believed that these detailed profiles of people that have incredibly deep personal information that is patched together from several sources should exist,” said Apple CEO Tim Cook. “The truth is, we could make a ton of money if we monetized our customer—if our customer was our product. We’ve elected not to do that.”

Over the past 20 years, the migration of our lives onto the web through personal and mobile computing has made companies like Amazon, Facebook and Google amongst the most powerful entities in the world, allowing them to generate tens of billions of dollars by selling our personal data to marketers for highly targeted advertising.

Indeed, we’ve simply handed our personal information to these companies without even really being conscious of it or considering the ramifications.

It is in this environment that the GDPR was born, and while it will place a burden on companies and how they use our data to conduct business, it is designed to protect us, the citizens.

Our Digital Rights

As evidenced by the unfolding Facebook data privacy scandal, it’s easy to see why our data rights are so important. One gets the impression that the Facebook debacle is just the tip of the iceberg and a harbinger of more scandals illustrating how we and our data have become productized. Thus, it’s important to spell out exactly what EU citizens’ new rights are under the GDPR:

1. Transparency

Transparency and choice are the two cornerstones of the GDPR. Companies now must be as clear as possible on how they process data, which organization or entity will process it, and where that data could end up.

2. Access

As data subjects, we will have the right to look into the use of our data by companies and ensure that it’s being used appropriately, and companies will need to have the ability to prove to us that our data is being processed and provide access to all of that data and also any additional information they may have about us.

3. Rectification

The GDPR obligates companies to quickly rectify any data inaccuracies called out by EU citizens.

4. Deletion

Known as “the right to be forgotten”, if an EU citizen asks a company to delete any or all of their personal data, the company must quickly comply.

5. Processing

Likewise, organizations must stop processing data on anyone who requests it and subsequently must always ask for permission to use that data in any way.

6. Portability

EU citizens have the right to request and reuse with other parties any personal data held by a business.

7. Objections

EU citizens have the right to object to their data being used for marketing purposes, and companies must swiftly comply with this request.

8. Automation

EU citizens can ask to not be subject to automation or profiling, in which organizations analyze their demographics, purchasing habits, or location to develop rules of automatic interaction.

Considering all of the above, companies today need an extremely robust picture of customer data and how they are using it, and the best way to create this picture is via a graph database, but not just any graph database.

DataStax Enterprise Graph - The Complete Picture

For companies to be able to guarantee our digital rights as EU citizens, they absolutely must be able to access a complete, holistic picture of us in real time, any time they need to do so.

And that’s where DataStax Enterprise (DSE) Graph comes in:

  • DSE Graph is an optional add-on to DataStax Enterprise, the always-on, distributed cloud database built on the best distribution of Apache Cassandra™ and designed for the hybrid cloud.
  • DSE Graph makes it easy to attain a 360-degree view of every customer and access that information in easily digestible formats.
  • DSE Graph requires minimal effort to explore relationships between users or identify groups of users that share similar behavior.
  • With DSE Graph, previously hidden relationships become instantly visible and actionable, making it much easier for companies to comply with the GDPR and service data requests of all types.

DataStax Enterprise Graph was specifically designed to consume vast amounts of data and make it visible in real time, giving companies and their EU citizen customers peace of mind in the age of the GDPR.

In addition to GDPR compliance, enterprises stand to gain enormous benefits from ‘connecting the dots’ of their data to drive better customer service and offerings.

Learn more about DSE Graph here.

About DataStax

DataStax powers the Right-Now Enterprise with the always-on, distributed cloud database, built on Apache Cassandra™ and designed for hybrid cloud. The foundation for real-time applications at massive scale, DataStax Enterprise makes it possible for companies to exceed expectations through consumer and enterprise applications that provide responsive and meaningful engagement to each customer wherever they go. Our product also gives businesses full data autonomy, allowing them to retain control and strategic ownership of their most valuable asset in a hybrid cloud world. DataStax helps more than 400 of the world’s leading brands like Capital One, Cisco, Comcast, eBay, McDonald’s, Microsoft, Safeway, Sony, UBS, and Walmart transform their businesses through right-now applications focused on enterprise optimization and customer experience. For more information, visit and follow us  @DataStax.





