Your browser has Javascript disabled. Please enable it to use this site. Hide this warning

  • Blog:

  • Home
  • Ably News
  • Ably Engineering
  • Realtime APIs
  • Hardest Aspects of Realtime Engineering
  •  •  4 min read

    How to stay GDPR compliant - 5 key updates to consider and this is why


    If your business is operating within the EU, it’s time you pause and find out how the new EU data regulation might be affecting you.

    On 25 May 2018, the EU General Data Protection Regulation (GDPR) will start to apply. If your customers are in the EU, the way you manage their data and personal information is about to change. Anyone within the EU borders at the time their personal data is processed and used, will become a subject to the new data protection act. This also applies for EU personal data handled by companies based anywhere in the world.

    EU Only Data Storage

    If you are processing and storing any personal data when sending realtime updates, you need to review where this data gets stored. One of the first things to do is find out where does your realtime provider have it’s data centers.

    Unless the third party provider meets specific requirements such as being located in a country that is certified by the European Commission, all data obtained within the EU must remain within its borders. In addition, your customers have the right to request that their personal data stays within the EU.

    The best way to deal with your realtime compliance is by making sure that your data is stored in servers located within the EU. This should apply for both permanently stored data and also transient messaging activity.

    The team at Hospify, based in the UK, built a GDPR compliant chat app and chose a full enterprise solution to limit all message transition and storage within the EU.

    Read more about how Hospify is using Ably to stay compliant in the following case study.

    Data Privacy & The Right to be Forgotten✂️

    Individuals within the EU will be able to request to have their data deleted. This means that all companies have a certain timeframe by which they need to make sure they have removed all personal information related to an individual. Any third parties that are using this personal information will also need to be notified and must remove all data intended for it’s primary use.

    This is why it’s important to take precautionary measures and make sure you delete irrelevant information as soon as possible. This can be done by putting in place procedures that help identify the relevance of the information and make sure it’s deleted once it becomes irrelevant to its original intended purpose.

    In the specific case of realtime data processing, reviewing how you manage your message history becomes paramount. This data is also under review and you need to make sure that you are able to audit your message history to ensure compliance with this regulation.

    At Ably, we delete all messages automatically within 2 minutes however if you are using the message history feature then messages might be typically stored for 24–72 hours on disk. We automatically delete all message history after this period which allows you to stay within the regulatory guidance and still be able to reap the benefits of this feature.

    Data Processing ?

    The EU regulation identifies two parties that handle personal data information and you need to know where your company fits.The Data controller is an entity that determines the purpose, conditions and means of processing personal data while a Data processor is the entity that processes the personal data on behalf of the controller.

    The new regulation sets forward additional requirements for data processing. Necessary agreements must be put in place between both parties before processing any data on behalf of the other if they contain personal information.

    At Ably we have the role of data processor and carry the responsibility of processing personal data on behalf of our customers. As a realtime data delivery platform we never inspect the data we transport and act simply as a data transporter. The data in transit is not stored on disk unless the message history is enabled by a customer, therefore messages are kept in memory only while in transit.

    Security & Access Control ?

    The security of data containing personal information must be kept to a higher standard. In order to avoid any irregularity, you need to make sure you send all realtime data over TLS (Transport Layer Security) which avoids any interception when messages are in transit to data centers. This means that the message payload can’t be decrypted unless you share your secret key.

    At Ably, we make sure our client libraries have native support of AES 256, 192 and 128 bit encryption, which provides extra security for all our customers. This allows for all messages to get automatically encrypted before they arrive on our realtime platform. We intentionally do not manage any distribution of keys between clients and an end-to-end encryption is enabled without exposing keys to our realtime service at all.

    Data Breach Notification ☢️

    According to GDPR article 28, compliant contract terms should be put in place for companies that process personal data information. You need to make sure that you have put in place a process that allows you to detect, investigate and report a data breach within 72 hours.

    In case of an actual data breach you will need to inform all individuals with the extent of the personal data details that have been compromised. This means that as a data processor we are also committed to notifying our customers, incl. the data controllers without any delay once we become aware of a data breach.

    What should you do next?

    Map your Data and Information Flow

    If you are processing any type of data you will need to complete a data protection impact assessment (DPIA) by mapping out your data and information flow to assess the privacy risk. This will enable you to be prepared to handle all the required data regulations related to this legislation.

    Enable Withdrawal of Consent

    All your customers must be able to withdraw their consent of having their personal data processed at any point of time. In order to make sure you comply, it’s worth revisiting all your customers information before the data protection act goes in effect and ensure their consent of usage.

    If you would like to find out more on how to make sure your realtime updates are GDPR compliant or have any other questions feel free to get in touch.


    **Note that the above list of regulative updates is not extensive and should not be used as a legal advice.