Title:
METHOD, COMPUTER SYSTEM AND COMPUTER PROGRAM PRODUCT FOR MANAGING PERSONAL DATA
Document Type and Number:
WIPO Patent Application WO/2019/008548
Kind Code:
A1
Abstract:
The present invention relates to a method, a computer system and a computer program product for managing personal data. An event log and a user database are stored on a data storage system. The user database comprises a plurality of personal data items. A first microservice is configured for changing a personal data item in the user database and adding to the event log a change event concerning the modification of the personal data item and comprising a code. A second microservice is configured to, if necessary, request the modified personal data item from the first microservice using the code, based on the detection of a message concerning the change event.

Inventors:
ROMBOUTS JORIK (BE)
Application Number:
PCT/IB2018/054996
Publication Date:
January 10, 2019
Filing Date:
July 06, 2018
Assignee:
ROMBIT NV (BE)
International Classes:
G06Q10/10; G06F21/62; G06Q50/26
Domestic Patent References:
WO2002005061A2 (2002-01-17)
WO2017066715A1 (2017-04-20)
Foreign References:
US20100199098A1 (2010-08-05)
US20060026042A1 (2006-02-02)
US20160232624A1 (2016-08-11)
US20170060574A1 (2017-03-02)
BE1023270B1 (2017-01-18)
Attorney, Agent or Firm:
BRANTSANDPATENTS BVBA (BE)
Claims:
CLAIMS

1. Method for managing personal data, the method comprising the following steps:

- providing a data storage system comprising one or more tangible non-transitory computer-readable storage media;

- providing an event log and a user database on the data storage system, the user database comprising a plurality of personal data items;

- changing a personal data item of the plurality of personal data items in the user database;

- adding to the event log a change event comprising a code;

- sending a message regarding the change event, the message comprising the code; and

- requesting, based on the message, the modified personal data item from the user database using the code.

2. Method according to previous claim 1, comprising the steps of:

- providing a hash table on the data storage system, the hash table suitable for converting codes into lookup codes;

- converting the code into a lookup code using the hash table; and

- looking up the modified personal data item in the user database with the aid of the lookup code.

3. Method according to any of the previous claims 1 and 2, the event log being an append-only database.

4. Method according to any of the previous claims 1 to 3, the user database comprising the personal data items in encrypted form.

5. Method according to any of the previous claims 1 to 4, a personal data item comprising one or more of the following: an address, a bank detail, a bank card detail, a message on a social network site, a biometric data item, an email address, a photograph, a date of birth, a place of birth, an IP address, a registration number of a vehicle, a login name, a name, a passport number, a national register number, a social security number, a criminal record, a telephone number, a fingerprint, a first name, financial information, genetic information, medical information, training information and employment information.

6. Method according to any of the previous claims 1 to 5, the user database comprising a plurality of users, a user of the plurality of users comprising one or more personal data items, and the code being one-to-one linked to a user.

7. Method according to previous claim 6, the change event comprising the code and a type of the modified personal data item.

8. Method according to any of the previous claims 6 and 7, the method comprising the steps of:

- providing a device associated with a user;

- processing data of the device;

- sending the processed data over the internet to the data storage system; and

- storing the processed data in conjunction with the code one-to-one linked to the user on the data storage system.

9. Method according to any of the previous claims 1 to 8, comprising the steps of:

- providing a computer system comprising one or more central processing units;

- carrying out a first microservice and a second microservice on the computer system;

- saving by the first microservice of the modified personal data item in the user database;

- adding by the first microservice to the event log of the change event;

- sending the message regarding the change event to the second microservice; and

- requesting by the second microservice from the first microservice of the modified personal data item using the code.

10. Method according to previous claims 4 and 9, the first microservice encrypting the modified personal data item, introducing the encrypted personal data item into the user database, reading the encrypted personal data item from the user database, and decrypting the encrypted personal data item.

11. Method according to any of the previous claims 9 and 10, the second microservice requesting the modified personal data item from the first microservice via a hypertext transfer protocol resource application programming interface.

12. Computer system for managing personal data comprising one or more central processing units and a data storage system comprising one or more tangible non-transitory computer-readable storage media, the data storage system comprising an event log and a user database, the user database comprising a plurality of personal data items, the computer system configured for carrying out a first microservice and a second microservice on at least one of the one or more central processing units, the first microservice configured for:

- changing a personal data item of the plurality of personal data items in the user database;

- adding to the event log a change event comprising a code; and

- looking up and supplying a personal data item based on a code, the second microservice configured for:

- detecting a message regarding a change event, the message and the change event each comprising the same code; and

- requesting a modified personal data item from the user database from the first microservice using the code from the detected message.

13. Computer program product for managing personal data comprising a tangible non-transitory computer-readable storage medium comprising a first and a second set of instructions for execution on a computer system comprising one or more central processing units and a data storage system comprising one or more tangible non-transitory computer-readable storage media, the data storage system comprising an event log and a user database, the user database comprising a plurality of personal data items, the first set of instructions comprising instructions for:

- changing a personal data item of the plurality of personal data items in the user database and then adding to the event log a change event regarding the modification of the personal data item, the change event comprising a code;

- looking up and supplying a personal data item based on a code, the second set of instructions comprising instructions for:

- detecting a message regarding a change event, the message and the change event each comprising the same code; and

- requesting a modified personal data item from the user database by calling the instructions of the first set of instructions for looking up and supplying a personal data item based on the code of the detected message.

14. Computer program product according to previous claim 13, the data storage system comprising a hash table, the hash table being suitable for converting codes into lookup codes, and the instructions for looking up and supplying a personal data item based on a code comprising instructions for:

- converting the code into a lookup code using the hash table; and

- looking up the modified personal data item in the user database with the aid of the lookup code.

15. Computer program product according to any of the previous claims 13 and 14, the event log being an append-only database.

Description:
METHOD, COMPUTER SYSTEM AND COMPUTER PROGRAM PRODUCT FOR MANAGING PERSONAL DATA

TECHNICAL FIELD

The invention relates to methods, computer systems and computer program products for managing personal data in a microservice architecture.

PRIOR ART

A microservice architecture is a software architecture wherein an application is built up from a collection of interacting microservices. This improves the modularity, clarity, development and testing of software. Different autonomous teams can independently develop and test microservices.

A microservice is controlled by its environment, i.e. other microservices or a user. A microservice can be linked to an event log, to which a microservice can add events. Through the exchange of events, the microservices become an interacting whole. The events can be distributed by a message broker.

Data changes can be added to the event log ('event sourcing'). In this way a complete history of data changes is created, on the basis of which the current situation can be determined. A reference point can be created at regular intervals, so that not all changes have to be traced back to the absolute beginning in order to build a given state. The event log comprises the complete history of data changes, which is advantageous because an audit trail is left behind, so that the origin of a failure can easily be detected, which is further advantageous for putting the system back into operation in the event of a failure.

Edge computing is often used for internet-connected devices (Internet of Things (IoT)). In edge computing, data from a device is processed near the device, for sending the data and/or processed data over a network. This is advantageous because in this way the complete data originating from the device does not need to be transmitted over the network, and/or the data to be transmitted can be encrypted and/or anonymised.

The General Data Protection Regulation (GDPR) comprises various articles to protect personally identifiable information (PII). Article 17 of the GDPR concerns the right to erasure. Article 20 of the GDPR states that personal data must be transferable between two data processing systems. Article 25 of the GDPR states that privacy must be built into a software program as standard and intentionally. However, the use of Event Sourcing (ES) in a microservice architecture makes it difficult to comply with Article 17 of the GDPR. Modification of a personal data item is a data change, which is difficult to erase once the data change has been added to the event log.

US 2010/0199098 describes methods and devices for protecting personal data by decoupling the user identity. An anonymous token is associated with each user that is decoupled from the user identity. Personal data is stored in association with this anonymous token. However, the document does not describe a microservice architecture or event log.

US 2016/0232624 describes microservice software components (MSSC) for managing events related to food. The document discloses that in an embodiment, a microservice software component can manage a consumer's privacy policy (which also includes access to their profile) and wherein another microservice software component may contain relevant information about an event related to food. However, the document does not disclose an event log.

US 2017/0060574 discloses a system for edge computing. The document also mentions the use of a microservice architecture. The document also mentions processing patient data at the source to optimise services and privacy. However, the document does not disclose managing user data.

The present invention aims to solve at least some of the problems mentioned above.

BRIEF SUMMARY OF THE INVENTION

In a first aspect, the present invention relates to a method for managing personal data, according to claim 1. In a second aspect, the present invention relates to a computer system for managing personal data, according to claim 12.

In a third aspect, the present invention relates to a computer program product for managing personal data, according to claim 13.

The use of microservices provides a scalable data processing system. In addition, different microservices can be developed and tested separately by different independent teams. The use of event sourcing (ES), in which data changes are recorded in the event log, is advantageous for the responsiveness, the autonomy of the microservices, the scalability and the performance. In addition, in that case an event log comprises an audit trail so that the origin of a failure can easily be detected, in addition to the fact that the system still comprises all events to put it back into operation. The use of ES, however, makes compatibility with Article 17 of the GDPR difficult.

The present invention is advantageous because personally identifiable information (PII) is managed in a separate user database by a first microservice. When a personal data item is changed, this first microservice adds a change event to the event log. This change event comprises a code but does not comprise personal data. A message broker can send a message about the change event to another, second microservice. The second microservice can detect the message and request the modified personal data item from the first microservice using the code. Because the personal data itself is stored in a state database (the user database) instead of an incremental data change database (audit trail), it can easily be deleted, and is completely in accordance with Article 17 of the GDPR.

In this document, changes may concern overwriting, adding, or deleting. If a personal data item was removed, the first microservice can deliver to the second microservice an indication of the removal when requesting the personal data item. Alternatively, or additionally, the change event may comprise an indication that it concerns a deletion.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows a schematic representation of a system according to a preferred embodiment of the present invention. The system comprises microservices (5, 6, 7) and various databases (4, 9, 10, 10').

DETAILED DESCRIPTION

The invention relates to a method, a computer system and a computer program product. The invention was summarised in the section provided for this purpose. In the following, the invention is described in detail, preferred embodiments are explained, and the invention is illustrated by way of examples.

Unless otherwise defined, all terms used in the description of the invention, including technical and scientific terms, have the meaning as commonly understood by a person skilled in the art to which the invention pertains. For a better understanding of the description of the invention, the following terms are explained explicitly. In this document, 'a' and 'the' refer to both the singular and the plural, unless the context presupposes otherwise. For example, 'a segment' means one or more segments.

The terms 'comprise', 'comprising', 'consist of', 'consisting of', 'provided with', 'have', 'having', 'include', 'including', 'contain', 'containing' are synonyms and are inclusive or open terms that indicate the presence of what follows, and which do not exclude or prevent the presence of other components, characteristics, elements, members, steps, as known from or disclosed in the prior art.

In a first aspect, the present invention relates to a method for managing personal data. A data storage system comprising one or more tangible non-transitory computer-readable storage media is provided. An event log and a user database are provided on the data storage system, the user database comprising a plurality of personal data items. The method further comprises the steps of changing a personal data item of the plurality of personal data items in the user database; adding to the event log a change event comprising a code; sending a message regarding the change event, the message comprising the code; and requesting, based on the message, the modified personal data item from the user database using the code.

In a second aspect, the present invention relates to a computer system for managing personal data. The computer system comprises one or more central processing units (CPUs), as well as a data storage system comprising one or more tangible non-transitory computer-readable storage media. The data storage system comprises an event log and a user database. The user database comprises a plurality of personal data items. The computer system is configured to perform a first microservice and a second microservice on at least one of the one or more central processing units. The first microservice is configured for changing a personal data item of the plurality of personal data items in the user database; adding to the event log a change event comprising a code; and looking up and supplying a personal data item based on a code. The second microservice is configured for detecting a message regarding a change event, the message and the change event comprising the same code; and requesting a modified personal data item from the user database from the first microservice using the code from the detected message.

In a third aspect, the present invention relates to a computer program product for managing personal data. The computer program product comprises a tangible non-transitory computer-readable storage medium comprising a first and a second set of instructions for execution on a computer system. The computer system comprises one or more central processing units and a data storage system comprising one or more tangible non-transitory computer-readable storage media. The data storage system comprises an event log and a user database. The user database comprises a plurality of personal data items. The first set of instructions comprises instructions for changing a personal data item of the plurality of personal data items in the user database; then adding to the event log a change event regarding the modification of the personal data item, the change event comprising a code; and looking up and supplying a personal data item based on a code. The second set of instructions comprises instructions for detecting a message regarding a change event, the message and the change event comprising the same code; and requesting a modified personal data item from the user database by calling the instructions of the first set of instructions for looking up and supplying a personal data item based on the code of the detected message.

A person having ordinary skill in the art will appreciate that the method is implemented in the computer program product and executed using the computer system. In what follows, the three aspects of the present invention are therefore treated together.

The present invention is advantageous because personally identifiable information (PII) is managed in a separate user database by a first microservice. When a personal data item is changed, this first microservice adds a change event to the event log. This change event comprises a code but does not comprise personal data. A message broker can send a message about the change event to another, second microservice. The second microservice can detect the message and request the modified personal data item via the first microservice using the code. The user database is a state database and not an audit trail, allowing personal data to be easily deleted, in accordance with Article 17 of the GDPR. Because the user database is a state database, personal data can also be easily exported, in accordance with Article 20 of the GDPR. Preferably, the event log is an append-only database, it only being possible to add events, but not change or delete them.

In this document, changes to a personal data item may concern overwriting, adding or deleting. If a personal data item is removed, the first microservice can deliver to the second microservice an indication of the removal when requesting the personal data item. Alternatively, or additionally, the change event may comprise an indication that it concerns a deletion. Sending a message regarding a change event may involve performing a query on the event log. Based on this query, events that are relevant to the second microservice are filtered. Preferably, this query is performed by a message broker which filters out the relevant events for the second microservice. In a query performed by a message broker, the second microservice is notified about the change event by the message broker sending a message about the change event to the second microservice.

Preferably, adding and detecting events in the event log is managed with Command and Query Responsibility Separation (CQRS), which ensures the filtering out and/or detection of events in the event log without altering the event log. Preferably, microservices communicate via a hypertext transfer protocol (HTTP) resource application programming interface (API). Herein, the second microservice requests the modified personal data item from the first microservice via an HTTP resource API, whereby the code is delivered to the first microservice via the HTTP resource API. This is advantageous because an HTTP resource API allows interacting microservices to be developed in different programming languages. Moreover, an HTTP resource API is simple and does not require many computer resources.

In a preferred embodiment, the user database comprises a plurality of users. A user of the plurality of users comprises one or more personal data items. A non-exhaustive sample list of types of personal data comprises: an address, a bank detail, a bank card detail, a message on a social network site, a biometric data item, an email address, a photograph, a date of birth, a place of birth, an IP address, a registration number of a vehicle, a login name, a name, a passport number, a national register number, a social security number, a criminal record, a telephone number, a fingerprint, a first name, financial information, genetic information, medical information, training information and employment information. Preferably, the code is linked one-to-one with a user. The change event can in this case include both the code and a type of personal data.

The code can be any anonymous form of identification. The code can be used to store data, e.g. by the second microservice, in an anonymous manner. If the data and the code are read, a reader will not learn any personal data related to the data or code.

In a preferred embodiment, a hash table is provided on the data storage system, the hash table being suitable for converting codes into lookup codes. To obtain the modified personal data item, the code (of the change event) is converted into a lookup code using the hash table. The modified personal data item can then be obtained from the user database with the help of the lookup code. This conversion can be performed by the second microservice. Preferably, this conversion is performed by the first microservice, and the second microservice passes the code to the first microservice when calling the instructions for looking up and supplying a personal data item. In an embodiment, each microservice comprises a microservice-specific hash table for converting a microservice-specific storage code (e.g. the lookup code for the first microservice) into a microservice universal code (e.g. 'the code'). The microservice-specific storage code can be used to store data on the data storage system, e.g. in a database of the microservice. The microservice universal code is used for communication between the various microservices. If the microservice-specific hash tables are stored separately from the corresponding database or encrypted, this results in an additional decoupling of data stored by different microservices.

In a preferred embodiment, the user database comprises the personal data items in encrypted form. In this preferred embodiment, the first microservice has access to a database comprising an encryption and/or decryption key. Preferably, this database is physically separated from the user database. Changing a personal data item by the first microservice in this case comprises encrypting the modified personal data item; and introducing (storing) the encrypted personal data item into the user database. In this case, looking up and supplying a personal data item by the first microservice comprises reading the encrypted personal data item from the user database and decrypting the encrypted personal data item.
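How the preferred embodiment described above fits together, as an added Python example that is not part of the patent: the user microservice owns the encrypted state database and a separate key store, maps the anonymous code to a lookup code through a hash table, appends change events that carry only the code, and answers lookups from a billing microservice that holds nothing but codes. The class names, the HMAC-based stream cipher standing in for a real cipher, the in-process handler list standing in for the message broker, and the sample user data are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    # HMAC-SHA256 counter-mode keystream: a stdlib-only stand-in for a real
    # authenticated cipher (an assumption of this example, not of the patent).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce, data = secrets.token_bytes(16), plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key, blob):
    nonce, data = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data)))).decode()


class EventLog:
    """Append-only: events can be added and read, never changed or deleted."""
    def __init__(self):
        self._events = []

    def append(self, event):
        self._events.append(dict(event))

    def events(self):
        return [dict(e) for e in self._events]


class UserService:
    """First microservice: the only component that reads or writes the user database."""
    def __init__(self, log, subscribers):
        self._log = log
        self._subscribers = subscribers                  # stands in for the message broker
        self._key_db = {"k1": secrets.token_bytes(32)}  # key database, kept apart from user data
        self._hash_table = {}                            # code -> lookup code
        self.user_db = {}                                # lookup code -> {type: ciphertext}

    def register(self):
        code = secrets.token_hex(8)                      # anonymous code, one-to-one with the user
        self._hash_table[code] = lookup = secrets.token_hex(8)
        self.user_db[lookup] = {}
        return code

    def _emit(self, code, item_type, deleted):
        event = {"code": code, "type": item_type, "deleted": deleted}  # no personal data
        self._log.append(event)
        for handler in self._subscribers:                # broker delivers the message
            handler(dict(event))

    def change(self, code, item_type, value):
        row = self.user_db[self._hash_table[code]]
        row[item_type] = encrypt(self._key_db["k1"], value)
        self._emit(code, item_type, deleted=False)

    def erase(self, code, item_type):
        # Article 17 request: drop the state; the audit trail in the event log is untouched.
        self.user_db[self._hash_table[code]].pop(item_type, None)
        self._emit(code, item_type, deleted=True)

    def lookup(self, code, item_type):
        # The patent's HTTP resource API, as a plain call; None signals a removed item.
        blob = self.user_db[self._hash_table[code]].get(item_type)
        return None if blob is None else decrypt(self._key_db["k1"], blob)


class BillingService:
    """Second microservice: stores only codes and fetches personal data on demand."""
    def __init__(self, users):
        self._users = users
        self.messages = []                               # delivered messages (codes only)

    def on_change(self, message):
        self.messages.append(message)

    def render_invoice(self, code):
        name = self._users.lookup(code, "name")
        return "Invoice for: " + ("[erased]" if name is None else name)


def demo():
    log, handlers = EventLog(), []
    users = UserService(log, handlers)
    billing = BillingService(users)
    handlers.append(billing.on_change)
    code = users.register()
    users.change(code, "name", "Alice Example")          # constructed sample data
    before = billing.render_invoice(code)                # "Invoice for: Alice Example"
    users.erase(code, "name")                            # the user exercises the right to erasure
    after = billing.render_invoice(code)                 # "Invoice for: [erased]"
    return {"code": code, "log": log.events(), "messages": billing.messages,
            "before": before, "after": after, "db_keys": list(users.user_db)}
```

After the erasure the event log still holds both change events, but neither event nor any delivered message ever contained the name, and the user database is keyed by lookup codes rather than by the code that circulates between microservices.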

In a preferred embodiment, the computer system comprises a device associated with a user. This device may, for example, concern an Internet of Things (IoT) device. To protect the privacy of the user as well as possible, the data of the device is processed before it is sent via the internet to the data storage system. In this edge computing, the raw data is converted into processed data. The processed data may concern compressed data, calculation results, a trigger based on the raw data, anonymised data and/or encrypted data. The processed data can then be stored on the data storage system in conjunction with the code or a microservice-specific code that is one-to-one linked to the user.

A person having ordinary skill in the art will appreciate that in the previous preferred embodiment, the computer system comprises several central processing units, and that these can be physically separated from each other. A microservice can be carried out on a central processing unit that is responsible for the data processing near the IoT device (edge computing device). On another central processing unit of the computer system, another microservice may be carried out for further processing of the received processed data for storage in the data storage system. Analogously, the data storage system may comprise a plurality of tangible non-transitory computer-readable storage media, which may also be physically separated from each other. When different microservices are carried out on central processing units that are themselves physically separate from each other, a person having ordinary skill in the art will appreciate that a tangible non-transitory computer-readable storage medium can correspond with each group of central processing units at a given location. Further, the data storage system may also comprise cloud-based tangible non-transitory computer-readable storage media. Furthermore, the computing power of the computer system can also be partially or completely taken care of by cloud computing. When storing data on a cloud-based tangible non-transitory computer-readable storage medium, the data is preferably encrypted. Even more preferably, the whole is configured so that only the microservice that encrypted the data and stored the encrypted data on the cloud-based tangible non-transitory computer-readable storage medium is capable of decrypting the data, according to the principle of least privilege.

ALTERNATIVE EMBODIMENTS

The preferred embodiment as described above provides a first microservice that manages the plurality of personal data items in a state database (the user database), which is advantageous to be in accordance with Article 17 of the GDPR.

In an alternative embodiment, the plurality of personal data items can be stored by data changes in the event log (event sourcing). This has the advantage that the second microservice does not have to request the modified personal data item from the first microservice. However, this has the disadvantage that the removal of personal data from the system is difficult. Manipulating events in the event log can cause inconsistencies or reduced performance.

The preferred embodiment as described above provides that other microservices (e.g., the second microservice) request personal data from the first microservice on the basis of necessity. These microservices do not store personal data locally, except for a (hashed) code to be able to request a personal data item of a user. When a personal data item of a user is changed, the first microservice in the preferred embodiment as described above adds a change event to the event log. This change event includes the code related to the user and preferably also the type of personal data item that has been changed as well as an indication of whether the personal data item has been added/overwritten or has been deleted. A message broker can then send a message concerning this change event to the second microservice, the message including the code.

In an alternative embodiment, the first microservice can change the personal data item, without adding a change event to the event log. The other microservices must then regularly request a personal data item to check whether a change was made.

In yet another alternative embodiment, the first microservice adds a change event to the event log, the change event comprising the modified personal data item, and the change event having a limited lifespan, i.e., the change event only being present in the event log for a certain time. The message from the message broker can then also comprise the modified personal data item, and the second microservice no longer has to request the changed personal data item from the first microservice. Moreover, the whole is in this way also in accordance with Article 17 of the GDPR.

In what follows, the invention will be described by way of non-limiting examples illustrating the invention, and which are not intended to and should not be interpreted as limiting the scope of the invention.

EXAMPLES

EXAMPLE 1: CLOUD-BASED DATABASES PER MICROSERVICE

Figure 1 shows a schematic representation of a system according to a preferred embodiment of the present invention. The microservices (5, 6, 7) of a set (1) of interacting microservices each have their own database (9, 10, 10') on a cloud-based tangible non-transitory computer-readable storage medium (3). Only the microservice corresponding to a database can read (31, 33, 33') and write (30, 32, 32') to this database. The microservices (5, 6, 7) can request data (50, 51, 50', 51', 50", 51") from each other. Furthermore, the microservices (5, 6, 7) can also interact asynchronously via a message broker. A user microservice (5) is coupled to an event log (2) comprising events (8, 8', 8", 8"', 8""), and can add (40) and request (41) events from the event log (2). If an event relevant to another microservice (6, 7) is added to the event log (2), the message broker can filter out this event and send (43, 43') a message concerning the event to said other microservice (6, 7). This message may comprise the event itself, a reference to the event, and/or a processing of the event.

The user microservice (5) manages a user database (9) comprising a plurality of users. A plurality of personal data items is associated with each user (12), such as e.g. a photograph (13), a name (14), an address (15), an email address (16) and a telephone number (17). The user database (9) comprises the personal data items in encrypted form. The user microservice (5) can request (34) and obtain (35) an encryption key and/or decryption key from another database (4) to encrypt and/or decrypt the personal data. Preferably, each database (9, 10, 10') associated with a microservice (5, 6, 7) is encrypted in such a manner. The interaction (50, 50', 50", 51, 51', 51") between the microservices is preferably based on an HTTP resource API. Preferably, adding events to and requesting events from the event log (2) are separated from each other as in CQRS-based systems.

A user wishes to change a personal data item. They log into a website for entering this change. The website here forms an interface to the data managed in the system. This interface is preferably a separate interface microservice. The interface microservice requests the personal data item of the user from the user microservice (5) via a code that is one-to-one linked to the user and sends the necessary data to the computer of the user for displaying the current personal data item on the screen of the computer. The user overwrites the personal data item via the website and clicks on Save. The interface microservice sends the modified personal data item to the user microservice (5), which encrypts it and introduces it (30) into the user database (9). The user microservice (5) also adds a change event (40) to the event log (2). The change event comprises the code and the type of personal data. A billing microservice receives a message concerning the change event from the message broker, the message also comprising the code and the type of personal data, requests the modified personal data item on the basis of the code and the type of personal data from the user microservice (5), and adapts the invoice for the user.

EXAMPLE 2: PARKING SPACE RESERVATION SYSTEM

A parking space reservation system for use with digital traffic signs as disclosed in BE 1023270 is discussed in this example. The parking space reservation system comprises a plurality of microservices:

• a user microservice manages the sensitive personally identifiable information (PII) of users, such as name, address, email address, telephone number, payment details and the like;

• a request microservice processes reservation requests of users for a parking space;

• a document microservice manages permits associated with approved reservations;

• a template microservice generates documents and email content based on pre-defined templates;

• a payment microservice is responsible for processing payments;

• a cost calculation microservice calculates the cost of a request;

• a message microservice facilitates interactions between users and the local authority responsible for processing reservation requests;

• a traffic sign microservice is responsible for the management of a pool of digital traffic signs as disclosed in BE 1023270;

• a planning microservice prepares the planning for the dropping off and picking up of digital traffic signs; and

• a city microservice manages each city's configuration settings.

A user has the right to erasure according to Article 17 of the GDPR. By linking a state database for managing personal data per user to the user microservice, whereby, when a personal data item is changed, the user microservice adds to the event log a change event comprising the code associated with the user and the type of personal data that has changed, no personal data is propagated through the event log; it must instead be requested from the user microservice.

A person having ordinary skill in the art will appreciate that the preferred embodiments discussed in the detailed description also apply in this example.