fbpx Skip to main content

Three Pillars of Compliance in Databases: Data Retention, Purging, and Consent

Abstract:

Numerous data governance laws and policies have been enacted to protect user privacy. Polices may define data retention (how long the data must be kept), data purging requirements (when the data must be destroyed), and data consent (whether the data can be used for a particular purpose). To comply with these requirements and to minimize liability, database systems (e.g., Oracle, Postgres) must offer built-in support to enforce storage and use policies. Instead, such compliance is currently achieved through a patchwork of manual solutions within each organization. In this talk, we will consider legal, policy, and technical perspectives to the challenges of enforcing data storage and use governance policies. We will discuss the current state-of-the-art approaches to facilitating compliance in organizations and the difficulties encountered in understanding and interpreting polices. We will present database implementation approaches that can enable policy compliance without disrupting current business processes. Although we will touch on all aspects of data governance, our primary focus will be on challenges that are yet to be clearly defined: 1) proof of retention compliance, 2) the inherent conflict between data backups (which archive and preserve data) and data purging requirements, and 3) the support for data consent compliance, which restricts the access to data depending on user’s purpose in accessing that data.