GDPR-compliant Journal

[guersam]

Eventsourced applications only append events, and it makes meeting privacy requirements like GDPR even more difficult. As many eventsourced applications deal with confidential information, it will be really great to have a GDPR-compliant journal.

For example, there is akka-gdpr module for akka persistence as a part of Lightbend subscription:
https://doc.akka.io/docs/akka-enhancements/current/gdpr/index.html

GDPR for Akka Persistence modules include APIs to help you achieve the following:

• Identify data associated with a particular subject (person). One of the most important concepts in GDPR is the “data subject id”. In Subject identifiers we offer some advice on selecting the right way to represent such identifiers.

• Achieve the “right to forget”. Data shredding can be used to forget information in events. This involves encrypting events with a key for a given data subject id and deleting the key when that data subject is to be forgotten. The section Shred or delete? goes into further detail about shredding and Using akka-gdpr explains how the akka-gdpr module works and general steps for using it.

• Retrieve events related to a particular subject (person). You can use an eventsByTag query to retrieve all events tagged with a given data subject id.

• Add an encrypted ID to existing data. With existing systems that do not currently comply with the new GDPR requirements, you can use akka-persistence-update to transform events in-place in a one time migration and to delete or update snapshots that may contain personal information. These techniques are described in the Migrating existing data section.

I'm willing to implement it by myself if it's not your priority. Could you give me advice about where I could start?