[Recipe] GDPR compliance

[slashdotdash]

How to comply with GDPR regulations which require personally identifiable information (PII) to be removed upon request. This is problematic with immutable, persistent event streams.

There are three possible solutions:

"Crypto-shredding"

PII data is stored encrypted in events and decrypted on read. The encryption key can later be "forgotten" to prevent decryption. Not being able to read the PII data is equivalent to having deleted the data.

• Eventsourcing Patterns: Crypto-Shredding

External PII data store

Use a mutable data store, such as a SQL database, for all PII data and only store a reference to the external data store within your events. PII data must be read from the external store when events are read. PII data can be deleted from the external store. Attempting to read deleted PII data will return an appropriate error to indicate it has been removed.

• Eventsourcing Patterns: Forgettable Payloads

Mutable events / streams

Allow events or streams containing PII to be updated or deleted.

Note: EventStore has support for hard deleting streams.

[xtagon]

Are there any quirks/side effects/caveats with regards to event handlers and process managers after hard deleting a stream via commanded/eventstore#203 ?

For example, if a process manager is holding state for a process that depends on events from a hard deleted stream, does it stop the process automatically? And how would you delete data that projections/handlers persisted--is there a "HardDeletedEvent" they need to listen for to clean up?