“Consent is one of the key concepts in GDPR”

The GDPR story is still not over and many developers are still trying to find their steps in this new era. In his talk at Jax London 2018, Michiel Rook talked about the implication of GDPR in event sourcing. He put an emphasis on the history of GDPR and its main principles, namely:

‘Consent’ – As an organization, you need to be able to demonstrate consent in order to process data for an individual.
‘The right to erasure’ – An individual can ask an organization for their data to be removed.

He also discussed strategies for event sourcing needed in order to comply with Article 17, the right to erasure.

JAXenter assistant editor Eirini-Eleni Papadopoulou caught up with Michiel to discuss the main topics of his session, the concept of immutability and how it can complicate things when erasing or anonymizing personal data, as well as his predictions for the future: When will GDPR stop being a challenge for developers?

Here are some quotes from the interview:

We, as an industry, are to blame in part for the way GDPR is written because, even recently, there has been all these data breaches, leaking of data, improper use of personal data and for years nobody really cared.
Even though the GDPR is broad and vague and makes our lives a little bit more difficult, maybe it’s not such a bad thing that our lives are a bit more difficult, that we think a bit more what we do with personal data.
‘Consent’ is one of the key concepts in GDPR; you need to have consent to process data and it needs to be clearly distinguishable from other needs to process data. Consenting to receive newsletters, does not mean you consented to be included in a machine learning algorithm.
If you record the consent in event sourcing and use the event log as an audit log, you can clearly demonstrate that the consent was given, by whom and when.