Automating Data Protection at Scale, Part 3

Part three of a series on how we provide powerful, automated, and scalable data privacy and security engineering capabilities at Airbnb

elizabeth nammour
14 min readbeginner
--
View Original

Overview

This article discusses the automation of data protection at scale within Airbnb, focusing on the Data Protection Service (DPS) and its role in enhancing security and privacy engineering capabilities. It outlines how the DPS integrates various components of the Data Protection Platform (DPP) to automate security actions, validate data classifications, and manage data subject rights requests.

What You'll Learn

1

How to automate security actions using the Data Protection Service

2

Why data classification annotations are critical for compliance

3

How to implement a CI check for database exports validation

4

How to manage data subject rights requests with Obliviate

Prerequisites & Requirements

  • Understanding of data protection laws and compliance requirements
  • Familiarity with API development and integration(optional)
  • Experience with data governance practices(optional)

Key Questions Answered

How does the Data Protection Service automate security actions?
The Data Protection Service (DPS) automates security actions by providing API endpoints that allow stakeholders to query privacy and security metadata. It enables the creation of custom jobs for tasks like generating JIRA tickets and pull requests, thus reducing the operational load on service owners.
What are the levels of data classification annotations defined at Airbnb?
Airbnb defines three levels of data classification annotations: critical, personal, and public. These annotations help in tagging data to apply appropriate access controls and retention limits, ensuring compliance with data privacy laws.
What is the role of Obliviate in managing data subject rights?
Obliviate is a Data Subjects Rights orchestration service that coordinates and tracks requests for data erasure, access, or portability. It propagates these requests to downstream services, ensuring compliance with privacy laws like GDPR and CCPA.
How does the DPS validate database export annotations?
The DPS validates database export annotations through a CI check that runs whenever a database-exports pull request is created. It queries the DPS for the expected privacy classification and compares it with the annotations in the PR to ensure accuracy.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Key Actionable Insights

1
Implementing automated security actions through the DPS can significantly reduce the manual workload on service owners.
By automating tasks like ticket generation and pull request creation, teams can focus on more strategic initiatives rather than repetitive operational tasks.
2
Regular validation of data classification annotations is essential to maintain compliance with evolving data protection laws.
Using automated CI checks can help ensure that any discrepancies in data classification are caught early, preventing potential compliance issues.
3
Integrating Obliviate into your data services can streamline the process of handling data subject rights requests.
By using a centralized orchestration service, organizations can ensure that they respond to user requests efficiently and in compliance with legal requirements.

Common Pitfalls

1
Relying solely on human judgment for data classification annotations can lead to errors.
Service owners may misjudge or overlook certain fields, resulting in incorrect annotations. Implementing automated validation processes can mitigate this risk.

Related Concepts

Data Protection Platform
Data Governance
Data Privacy Laws
Automated CI/CD Processes