Data Security & Compliance: What Every Business Needs to Know

Protect your data and stay compliant with GDPR, SOC 2, and other regulations without slowing down your team.


Data breaches make headlines. Compliance fines destroy budgets. But security doesn't have to slow you down.

Let's build a secure analytics system that actually works.

Why This Matters

The Statistics

  • Average data breach cost: $4.45 million
  • GDPR fines: Up to €20 million or 4% of revenue
  • Customer trust: Priceless

One breach can kill a company.

Common Mistakes

"We're too small to be a target" Wrong. Small companies are easier targets.

"We don't store sensitive data" Customer emails? Payment history? That's sensitive.

"Security slows us down" Bad security slows you down. Good security enables speed.

The Security Layers

Layer 1: Data Encryption

At Rest (Stored Data)

// All data encrypted in database
{
  "customer_name": "encrypted_6h3j7k2...",
  "email": "encrypted_9k2m5n1...",
  "phone": "encrypted_3p9q2r8..."
}

In Transit (Moving Data)

Client → HTTPS → Server
       TLS 1.3
       256-bit encryption

Never send data unencrypted.

Layer 2: Access Control

Role-Based Access (RBAC)

| Role      | Can View        | Can Edit           | Can Delete  | Can Export |
|-----------|-----------------|--------------------|-------------|------------|
| Analyst   | Own team data   | Own reports        | Nothing     | Nothing    |
| Manager   | Department data | Department reports | Own reports | Team data  |
| Admin     | All data        | All reports        | All reports | All data   |
| Executive | Dashboards only | Nothing            | Nothing     | Nothing    |

Row-Level Security

-- Policies have no effect until row-level security is switched on for the table
ALTER TABLE customer_data ENABLE ROW LEVEL SECURITY;

-- current_user_id() is an application-defined function returning the caller's id
-- (for example, read from a session variable set at connection time)

-- Users only see their own data
CREATE POLICY user_isolation ON customer_data
FOR SELECT
USING (user_id = current_user_id());

-- Managers see their team's data
CREATE POLICY manager_access ON customer_data
FOR SELECT
USING (
  team_id IN (
    SELECT team_id FROM teams
    WHERE manager_id = current_user_id()
  )
);

Layer 3: Audit Logging

Track everything:

{
  "timestamp": "2025-01-19T14:32:11Z",
  "user": "sarah@company.com",
  "action": "EXPORT_DATA",
  "resource": "customer_emails",
  "ip_address": "192.168.1.100",
  "success": true,
  "rows_exported": 1247
}

Know who accessed what, when, and why.

Layer 4: Data Masking

Hide sensitive data from unauthorized users:

-- Production data (PostgreSQL syntax)
SELECT
  customer_id,
  email,
  phone,
  credit_card
FROM customers;

-- Masked for analysts: first 3 characters of the email, last 4 digits of
-- phone and card. Expose this as a view and grant analysts access to the
-- view only, never to the underlying table.
SELECT
  customer_id,
  LEFT(email, 3) || '***@' || SPLIT_PART(email, '@', 2) AS email,
  'XXX-XXX-' || RIGHT(phone, 4) AS phone,
  'XXXX-XXXX-XXXX-' || RIGHT(credit_card, 4) AS credit_card
FROM customers;

Result:

customer_id | email            | phone        | credit_card
------------+------------------+--------------+--------------------
1001        | sar***@gmail.com | XXX-XXX-5678 | XXXX-XXXX-XXXX-4242
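The same masking rules implemented in application code, as an added example that is not part of the original article: raw columns never reach an analyst-facing API, the Admin role from the RBAC table is the only one that sees unmasked values, and short or malformed inputs are fully masked instead of leaking the field (the 8-digit minimum is an assumed threshold).

```javascript
function maskEmail(email) {
  if (typeof email !== "string" || !email.includes("@")) return "***";
  const at = email.indexOf("@");
  const local = email.slice(0, at);
  const domain = email.slice(at + 1);
  // Show 3 characters for normal local parts, only 1 for very short ones.
  const keep = local.length > 3 ? 3 : 1;
  return `${local.slice(0, keep)}***@${domain}`;
}

function maskLast4(value, prefix) {
  // Keep only the last 4 digits; values too short for that to be safe
  // (fewer than 8 digits, an assumed threshold) are fully masked.
  const digits = String(value ?? "").replace(/\D/g, "");
  const last4 = digits.length >= 8 ? digits.slice(-4) : "XXXX";
  return `${prefix}${last4}`;
}

const maskPhone = (phone) => maskLast4(phone, "XXX-XXX-");
const maskCard = (card) => maskLast4(card, "XXXX-XXXX-XXXX-");

// Deny by default: only the Admin role sees raw values, every other role
// (including unknown ones) gets the masked row.
function customerRowForRole(row, role) {
  if (role === "Admin") return { ...row };
  return {
    ...row,
    email: maskEmail(row.email),
    phone: maskPhone(row.phone),
    credit_card: maskCard(row.credit_card),
  };
}

// Constructed sample row, matching the article's result table.
const sampleRow = {
  customer_id: 1001,
  email: "sarah@gmail.com",
  phone: "555-123-5678",
  credit_card: "4242 4242 4242 4242",
};

console.log(customerRowForRole(sampleRow, "Analyst"));
```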

Compliance Frameworks

GDPR (European Data)

Key Requirements:

  • ✅ User consent for data collection
  • ✅ Right to access (users can see their data)
  • ✅ Right to deletion (users can delete their data)
  • ✅ Data portability (users can export their data)
  • ✅ Breach notification (within 72 hours)

Implementation:

// User data export (right to access / data portability)
async function exportUserData(userId) {
  // Separate queries: the three tables have different columns, so their
  // rows cannot be combined with UNION ALL.
  const [users, orders, analytics] = await Promise.all([
    db.query('SELECT * FROM users WHERE id = $1', [userId]),
    db.query('SELECT * FROM orders WHERE user_id = $1', [userId]),
    db.query('SELECT * FROM analytics WHERE user_id = $1', [userId]),
  ]);

  return JSON.stringify(
    { user: users.rows[0] ?? null, orders: orders.rows, analytics: analytics.rows },
    null,
    2
  );
}

// User data deletion (right to deletion)
async function deleteUserData(userId) {
  await db.transaction(async (tx) => {
    // Child rows first so foreign keys are satisfied; the transaction makes it all-or-nothing
    await tx.query('DELETE FROM analytics WHERE user_id = $1', [userId]);
    await tx.query('DELETE FROM orders WHERE user_id = $1', [userId]);
    await tx.query('DELETE FROM users WHERE id = $1', [userId]);
    // The audit entry records only the id, never the deleted personal data
    await auditLog('USER_DELETED', userId);
  });
}

SOC 2 (Service Providers)

Five Trust Principles:

  1. Security - Protect against unauthorized access
  2. Availability - System is available as agreed
  3. Processing Integrity - Processing is complete and accurate
  4. Confidentiality - Confidential data stays confidential
  5. Privacy - Personal information is collected/used/disclosed properly

Evidence You'll Need:

  • Access logs
  • Change management records
  • Incident response procedures
  • Security training completion
  • Vendor risk assessments

HIPAA (Healthcare Data)

PHI Protection Requirements:

  • Encryption at rest and in transit
  • Access controls and audit logs
  • Business Associate Agreements (BAAs)
  • Incident response plan
  • Regular risk assessments

// HIPAA-compliant logging (no PHI in logs)
// ❌ BAD
console.log(`User ${patientName} accessed record`);

// ✅ GOOD
console.log(`User ${hashedPatientId} accessed record`);

Data Anonymization Techniques

Pseudonymization

Replace identifiers with fake values:

SELECT
  MD5(email) AS user_hash,  -- One-way hash. Caveat: an unsalted hash of a
                            -- guessable value such as an email can be reversed
                            -- by hashing candidate addresses; prefer a keyed
                            -- hash (HMAC) with a secret kept outside the warehouse
  age_bucket,               -- "25-30" instead of 27
  city,                     -- Keep for analysis
  purchase_amount
FROM customers;

Can still analyze patterns, but can't identify individuals.

Data Minimization

Don't collect what you don't need:

// ❌ Collecting unnecessary data
const overCollectedUser = {
  name: "Sarah Johnson",
  email: "sarah@email.com",
  ssn: "123-45-6789",        // Why do you need this?
  credit_card: "4242...",     // Store with payment processor!
  mother_maiden_name: "..."   // Security question is not analytics
};

// ✅ Minimal necessary data
const minimalUser = {
  user_id: "u_12345",
  signup_date: "2025-01-19",
  subscription_tier: "pro"
};

Retention Policies

Delete old data automatically:

-- Delete analytics data older than 2 years
DELETE FROM page_views
WHERE timestamp < CURRENT_DATE - INTERVAL '2 years';

-- Archive instead of delete
INSERT INTO archived_orders
SELECT * FROM orders
WHERE created_at < CURRENT_DATE - INTERVAL '7 years';

DELETE FROM orders
WHERE created_at < CURRENT_DATE - INTERVAL '7 years';

Secure Development Practices

Input Validation

Never trust user input:

// ❌ SQL Injection vulnerability: user input is spliced into the statement
const unsafeQuery = `SELECT * FROM users WHERE email = '${userInput}'`;

// ✅ Parameterized queries: the driver sends the value separately from the SQL
const query = 'SELECT * FROM users WHERE email = $1';
const result = await db.query(query, [userInput]);

Secrets Management

// ❌ BAD: Hardcoded credentials
const hardcodedPassword = "super_secret_123";

// ⚠️ RISKY: reading from the environment is fine, but only if the .env file
// that populates it is never committed to the repository
const apiKey = process.env.API_KEY;

// ✅ GOOD: Secrets manager
const dbPassword = await secretsManager.getSecret('db-password');

Never commit secrets to git.

Dependency Security

# Check for vulnerabilities
npm audit

# Auto-fix when possible
npm audit fix

# Update dependencies regularly
npm update

One vulnerable package can compromise everything.

Incident Response Plan

When (not if) something goes wrong:

1. Detect (Minutes)

// Automated alerting
if (failedLoginAttempts > 10) {
  alert.send('Possible brute force attack');
}

if (dataExportSize > 100000) {
  alert.send('Unusually large data export');
}
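The two alert rules above evaluated over audit entries in the Layer 3 format, as an added example that is not part of the original article. Failed logins are counted per user inside a sliding window (15 minutes is an assumed tuning value) so the brute-force alert fires once when the threshold is crossed; the sample log and the user mike@company.com are constructed.

```javascript
const FAILED_LOGIN_THRESHOLD = 10;     // the article's "> 10" rule
const EXPORT_ROWS_THRESHOLD = 100000;  // the article's "> 100000" rule
const WINDOW_MS = 15 * 60 * 1000;      // 15-minute window, an assumed tuning value

// Evaluate both rules over audit entries and return the alerts that would be
// sent. Failed logins are tracked per user within the window; the brute-force
// alert is emitted once, at the event that crosses the threshold.
function detectAlerts(events) {
  const alerts = [];
  const recentFailures = new Map(); // user -> timestamps (ms) of failed logins
  for (const ev of events) {
    const t = Date.parse(ev.timestamp);
    if (ev.action === "LOGIN" && ev.success === false) {
      const hits = (recentFailures.get(ev.user) || []).filter((ts) => t - ts <= WINDOW_MS);
      hits.push(t);
      recentFailures.set(ev.user, hits);
      if (hits.length === FAILED_LOGIN_THRESHOLD + 1) {
        alerts.push({ rule: "possible_brute_force", user: ev.user, ip: ev.ip_address, at: ev.timestamp });
      }
    }
    if (ev.action === "EXPORT_DATA" && ev.success && ev.rows_exported > EXPORT_ROWS_THRESHOLD) {
      alerts.push({ rule: "large_export", user: ev.user, resource: ev.resource,
                    rows: ev.rows_exported, at: ev.timestamp });
    }
  }
  return alerts;
}

// Constructed sample log: 11 failed logins from one account within ten minutes,
// one ordinary export, and one export far above the threshold.
const sampleEvents = [
  ...Array.from({ length: 11 }, (_, i) => ({
    timestamp: `2025-01-19T13:${String(i).padStart(2, "0")}:00Z`,
    user: "sarah@company.com", action: "LOGIN", ip_address: "192.168.1.100", success: false,
  })),
  { timestamp: "2025-01-19T14:32:11Z", user: "sarah@company.com", action: "EXPORT_DATA",
    resource: "customer_emails", ip_address: "192.168.1.100", success: true, rows_exported: 1247 },
  { timestamp: "2025-01-19T15:02:40Z", user: "mike@company.com", action: "EXPORT_DATA",
    resource: "customer_emails", ip_address: "192.168.1.101", success: true, rows_exported: 250000 },
];

console.log(detectAlerts(sampleEvents));
```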

2. Contain (Hours)

1. Isolate affected systems
2. Revoke compromised credentials
3. Block malicious IPs
4. Preserve logs for investigation

3. Investigate (Days)

1. What was accessed?
2. When did it happen?
3. How did they get in?
4. What was the impact?

4. Recover (Days-Weeks)

1. Patch vulnerabilities
2. Restore from clean backups
3. Reset all credentials
4. Verify system integrity

5. Learn (Ongoing)

1. Document what happened
2. Update security procedures
3. Train team on lessons learned
4. Implement preventive measures

Security Best Practices

For Teams

Regular Training:

  • Phishing awareness
  • Password management
  • Data handling procedures
  • Incident reporting

Access Reviews:

Quarterly: Review who has access to what
Monthly: Check for inactive accounts
Weekly: Monitor suspicious activity
Daily: Review audit logs (automated)

For Systems

Principle of Least Privilege

Give minimum access needed:

Need to analyze sales data?
  → Read-only access to sales table
  ✗ Admin access to entire database

Defense in Depth

Multiple security layers:

Layer 1: Firewall
Layer 2: VPN
Layer 3: Authentication
Layer 4: Authorization
Layer 5: Encryption
Layer 6: Audit logging

If one fails, others protect you.

Compliance Checklist

Use this monthly checklist:

  • [ ] All data encrypted at rest
  • [ ] All data encrypted in transit
  • [ ] Access controls properly configured
  • [ ] Audit logs being collected
  • [ ] Inactive accounts disabled
  • [ ] Dependencies updated
  • [ ] Security training completed
  • [ ] Backup restoration tested
  • [ ] Incident response plan reviewed
  • [ ] Third-party vendors assessed

Tools & Solutions

Open Source

  • Authentication: Keycloak, Auth0
  • Secrets: HashiCorp Vault
  • Monitoring: ELK Stack, Grafana
  • Scanning: OWASP ZAP, SonarQube

Commercial

  • SIEM: Splunk, Datadog
  • DLP: Varonis, Digital Guardian
  • Compliance: Vanta, Drata
  • Encryption: AWS KMS, Azure Key Vault

Cost vs Risk

Security is an investment:

Prevention Cost: $10,000/year
  (Security tools, training, audits)

Breach Cost: $4,450,000 average
  (Fines, lawsuits, lost business, remediation)

ROI: If you prevent just one breach in 445 years,
     you break even. Most companies face multiple
     attempts per year.

Worth it.

Conclusion

Security and compliance aren't obstacles to innovation - they're enablers.

Customers trust you with their data. Regulators expect you to protect it. Your business depends on both.

Start with the basics:

  1. Encrypt everything
  2. Control access
  3. Log everything
  4. Test regularly

Then build from there.

The best time to implement security was before you started. The second-best time is now.

Lisa Chen, Security & Compliance Lead
