GDPR Requirements
Under certain conditions (Article 18 (1)), the data subject has the right to request limited data processing from the data processors.
Resulting Challenge
The following challenges can be derived from the three paragraphs of the article (Article 18):
- Each process must be isolated from the others so that the restriction has no impact on other processes.
- Restrictions applied to a process must not lead to the deletion of data. Hence, separation of data and processes must be applied as consequently as needed.
- The processing must be resuscitable.
Technical Solution Approach
A microservice architecture tailored to the specific use-case tackles all three challenges. In particular, the data service (usually a database) must be isolated from others. With the help of a fine-granular microservice architecture, processing components can be isolated from each other. This allows to restrict processing. If it is not possible to implement a microservice architecture, it is advisable to encapsulate the processes using standardized interfaces (e.g. REST). Each processing component should have its own separate interface. Data is stored isolated in separate databases (Alpers et al. 2015). By means of user access control, restricted processing can be enacted.
Checklist
- Is stopping of a single service free of side effects (for other services)?
- Is each service component (process) encapsulated by an API?
- Is the database independent of the services?
- Can a service component (process) recover its previous state and continue processing as expected?
- Is there a user access control to restrict processing?