Compliance with Regulations in Event Driven Architectures

Posted on the 13th of March, 2025

Futurist image depicting EDA along with GDPR and HIPAA regulations.

Event-Driven Architectures unlock massive scalability and agility, but operating at scale often means the system has to handle personal data that is subject to regulations such as GDPR or HIPAA. Ensuring compliance in an asynchronous, distributed architecture requires thoughtful design, and the supporting processes have to be implemented correctly.

In this article, the idea is to extend what we discussed previously in Ensuring Data Security in an Event Driven Architecture, this time focusing on compliance with regulations such as GDPR and HIPAA.

Let’s dive into some of these details. But first, a little background on GDPR and HIPAA.

Quick Introduction to GDPR and HIPAA

General Data Protection Regulation (GDPR)

GDPR is a comprehensive data protection law in the European Union that governs how organizations collect, store, and process personal data. The primary goals of GDPR are to protect user privacy and give individuals more control over their personal information.

Some of the key principles of GDPR are:

  • Data Minimization: Only collect data that is necessary for a specific purpose.
  • Purpose Limitation: Use data only for the purpose for which it was collected and disclosed to the user.
  • Data Retention: Ensure personal data is not kept longer than needed and respect the “right to be forgotten”.
  • Data Security: Implement technical and organizational measures to secure data.
  • Right of Access and Portability: Users can request access to their data and ask for it to be transferred to another provider.
  • Data Localization: Personal data of EU citizens must not leave the EU unless adequate protections are in place.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. regulation that protects Protected Health Information (PHI) and applies to healthcare providers, insurers, and any associated service providers. It mandates strong security and privacy controls for storing, processing, and transmitting health data.

Some of the key principles to be aware of:

  • Access Control: Limit access to PHI to only those who need it for their role.
  • Audit Controls: Maintain logs of who accessed PHI, when, and why.
  • Encryption: Encryption of PHI is required both in transit and at rest.
  • Data Integrity: Ensure that PHI is not altered or destroyed improperly.
  • Business Associate Agreements (BAAs): Cloud providers are required to sign BAAs, ensuring they also comply with HIPAA standards.
  • Training and Policies: Ensure that anyone handling PHI is trained on security practices.

Data Minimization and Purpose Limitation

GDPR mandates collecting only strictly necessary data and using it for legitimate purposes disclosed to users. In an event-driven architecture, this translates to avoiding excessive personal data in events. 

I’ve previously written an article that covers this in more detail, but I just wanted to add that keeping events lean not only favours compliance but also reduces the regulatory scope and improves performance.

Data Retention and Deletion

Unlike traditional databases, event streams are often immutable logs (e.g., Kafka topics, Azure Event Hubs sequence stores) and retain data for a certain period of time. This poses a challenge to GDPR’s “right to be forgotten”. How do you delete personal data that has been broadcast to many consumers or stored in event logs?

One approach takes advantage of a feature available in most event stores: a finite retention period. Events can be configured to expire after a set period of time, so personal data isn’t kept indefinitely.

Another technique is to encrypt personal data in events with a unique key per user (or per data subject), and if deletion is required, simply destroy the encryption key – crypto-shredding. Without the key, the data in those events becomes irrecoverable and effectively permanently deleted, even though the event record remains. This method was suggested for event-driven GDPR compliance – instead of trying to physically delete events from all logs and backups, make them unreadable by dropping the decryption key. Of course, this requires a solid key management process to ensure keys can indeed be tied to specific users and securely removed on request.
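The crypto-shredding pattern described above, as an added example that is not part of the original article. It uses a per-subject key store and an append-only log; the cipher is a toy construction (HMAC-SHA256 in counter mode, encrypt-then-MAC) chosen so the example runs on the Python standard library alone and stands in for a real AEAD such as AES-GCM. The subject ids, event types and field names are constructed sample values.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

# Toy authenticated stream cipher: HMAC-SHA256 as a PRF in counter mode,
# encrypt-then-MAC with separate derived subkeys. It stands in for AES-GCM so
# the example needs only the standard library; use a vetted AEAD in practice.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> Dict[str, str]:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt(key: bytes, blob: Dict[str, str]) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SubjectKeyStore:
    """One key per data subject. Destroying the key crypto-shreds every event
    encrypted under it, wherever copies of those events live (logs, backups)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, os.urandom(32))

    def lookup(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def shred(self, subject_id: str) -> None:
        # Erasure request: drop the key; the event log itself is left untouched.
        self._keys.pop(subject_id, None)


class EventLog:
    """Append-only list standing in for an immutable topic."""

    def __init__(self) -> None:
        self.events: List[Dict] = []

    def publish(self, store: SubjectKeyStore, subject_id: str, event_type: str,
                personal: Dict, public: Dict) -> Dict:
        # Only the personal fields are encrypted; routing metadata stays in the clear.
        key = store.key_for(subject_id)
        event = {"type": event_type, "subject_id": subject_id, **public,
                 "personal": encrypt(key, json.dumps(personal).encode())}
        self.events.append(event)
        return event

    def read_personal(self, store: SubjectKeyStore, event: Dict) -> Optional[Dict]:
        key = store.lookup(event["subject_id"])
        if key is None:
            return None  # key shredded: the ciphertext is irrecoverable
        return json.loads(decrypt(key, event["personal"]))


def demo() -> Tuple[Optional[Dict], Optional[Dict], int]:
    """Publish one constructed event, read it, shred the subject's key, read again."""
    store, log = SubjectKeyStore(), EventLog()
    ev = log.publish(store, "subject-42", "appointment.booked",
                     personal={"name": "A. Example", "diagnosis_code": "Z00.0"},
                     public={"clinic_id": "c-9", "slot": "2025-03-13T10:00"})
    before = log.read_personal(store, ev)
    store.shred("subject-42")
    after = log.read_personal(store, ev)
    return before, after, len(log.events)  # the event is still in the log
```

The point to notice is the last return value: the log still holds the event after the deletion request, but nothing can read its personal fields any more. Key deletion therefore has to be as carefully controlled (and audited) as key creation, since a lost key is equally a lost record.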

Data Localization and Residency

GDPR (and other laws) require that personal data stays within certain geographic regions. An event gateway at scale (especially in the cloud) might span multiple regions or route events globally.

To comply, organizations use region-specific event hubs or topics, for example separating EU data from US data. Azure Event Hubs allows namespaces to be created in specific Azure regions, so you would choose an EU data centre for EU customer events to ensure the data resides where it should.

Additionally, Azure ensures that any customer data at rest is encrypted using compliant algorithms and stored according to strict residency rules.
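A small gateway-side residency check, added here as an example and not code from the article or from any vendor. It assumes the gateway has a residency record per data subject, a mapping from region to a regional namespace (the namespace names are hypothetical), and that subscriptions outside the data's region must carry an accepted transfer basis; the two basis labels are the organisation's own tags for GDPR Chapter V mechanisms.

```python
from typing import Dict, List, Tuple

# Constructed configuration: where each region's data lives (hypothetical
# namespace names) and which transfer bases the organisation accepts for
# delivering an event to a subscriber in another region.
REGION_NAMESPACE: Dict[str, str] = {"EU": "evh-eu-west", "US": "evh-us-east"}
ACCEPTED_TRANSFER_BASES = {"adequacy-decision", "standard-contractual-clauses"}


class ResidencyViolation(Exception):
    """Raised when an event would leave its region without an accepted basis."""


def region_of(event: Dict, residency: Dict[str, str]) -> str:
    """Resolve the event's home region from the data subject's residency record.
    Unknown subjects are refused rather than defaulted (fail closed)."""
    region = residency.get(event["subject_id"])
    if region is None:
        raise ResidencyViolation(f"no residency record for {event['subject_id']}")
    return region


def namespace_for(event: Dict, residency: Dict[str, str]) -> str:
    """Publishing side: pick the regional namespace the event may be written to."""
    return REGION_NAMESPACE[region_of(event, residency)]


def deliver(event: Dict, residency: Dict[str, str],
            subscriptions: List[Dict]) -> List[Tuple[str, str]]:
    """Delivery side: decide per subscription whether the gateway may forward
    the event. Returns (subscriber, outcome) pairs so the decision can be logged."""
    data_region = region_of(event, residency)
    outcomes = []
    for sub in subscriptions:
        if sub["region"] == data_region:
            outcomes.append((sub["name"], "delivered"))
        elif sub.get("transfer_basis") in ACCEPTED_TRANSFER_BASES:
            # Cross-region, but an accepted safeguard is on record: deliver and say which.
            outcomes.append((sub["name"], "delivered:" + sub["transfer_basis"]))
        else:
            outcomes.append((sub["name"], "refused"))
    return outcomes


def demo() -> Tuple[str, List[Tuple[str, str]]]:
    """Constructed sample: an EU subject's event offered to three subscribers."""
    residency = {"subject-42": "EU", "subject-7": "US"}
    event = {"type": "order.placed", "subject_id": "subject-42", "order_id": "o-1"}
    subscriptions = [
        {"name": "eu-billing", "region": "EU"},
        {"name": "us-analytics", "region": "US"},  # no basis on record: refused
        {"name": "us-support", "region": "US",
         "transfer_basis": "standard-contractual-clauses"},
    ]
    return namespace_for(event, residency), deliver(event, residency, subscriptions)
```

The refusal outcome is the useful one operationally: a subscription that silently never receives events is hard to debug, whereas a recorded "refused" decision both documents the control and tells the owning team what is missing.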

Audit and Monitoring (Both GDPR & HIPAA)

Regulations expect that you monitor access to sensitive data. HIPAA, for instance, requires audit controls to record who accessed PHI and when. In an event system, this means tracking which services consumed events containing ePHI or PII.

Implement logging on the event gateway that records subscription deliveries and maintains an audit trail of data flows. Such logs should be protected against tampering and retained as evidence of compliance.
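An added example of such a delivery audit trail; this is illustrative code, not the article's or any gateway product's. Each record notes which consumer received which event, its sensitivity and the stated purpose, and the records are hash-chained so that editing or removing an entry is detectable when the trail is verified. Event ids, topics and service names are constructed sample values.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    """Append-only, hash-chained record of which consumer received which event.
    Every entry commits to the hash of the previous one, so altering or dropping
    an entry invalidates everything recorded after it."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record_delivery(self, event_id: str, topic: str, consumer: str,
                        sensitivity: str, purpose: str, at: str) -> Dict:
        """Log one delivery: who got it, what it contained, why, and when."""
        entry = {
            "seq": len(self.entries), "at": at, "event_id": event_id, "topic": topic,
            "consumer": consumer, "sensitivity": sensitivity, "purpose": purpose,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first broken entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False, i
            prev = entry["hash"]
        return True, None

    def who_accessed(self, event_id: str) -> List[str]:
        """The question an auditor asks: which services consumed this event?"""
        return [e["consumer"] for e in self.entries if e["event_id"] == event_id]


def demo() -> Tuple[Tuple[bool, Optional[int]], List[str], Tuple[bool, Optional[int]]]:
    """Constructed sample: three deliveries, one audit query, one tampering attempt."""
    trail = AuditTrail()
    trail.record_delivery("evt-1001", "patient.visit", "billing-svc", "ePHI", "claims",
                          "2025-03-13T10:00:00Z")
    trail.record_delivery("evt-1001", "patient.visit", "analytics-svc", "ePHI", "reporting",
                          "2025-03-13T10:00:01Z")
    trail.record_delivery("evt-1002", "patient.visit", "billing-svc", "ePHI", "claims",
                          "2025-03-13T10:00:02Z")
    clean = trail.verify()
    accessed = trail.who_accessed("evt-1001")
    trail.entries[1]["consumer"] = "nobody"  # simulate after-the-fact editing of the log
    return clean, accessed, trail.verify()
```

Hash chaining only proves the log has not been edited since the last anchor you trust; to make it real evidence, periodically write the head hash somewhere the gateway cannot modify (a WORM store or a separate account) and check the chain against that anchor.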

Business Associate Agreements (BAAs)

HIPAA specifically demands encryption, access control, and organizational measures.

If you use a cloud provider to process health data, you must make sure that you sign a Business Associate Agreement (BAA) with the provider. For example, Microsoft offers a BAA that covers many Azure services, including the messaging and eventing services. In fact, Azure Event Hubs is HIPAA and HITRUST certified, meaning it has been vetted to meet HIPAA security rule requirements when configured properly.

A healthcare organization can confidently use these compliant services to stream PHI, provided it follows the proper security configurations and best practices.

Additionally, HIPAA requires training and policies to ensure people using the system handle data correctly.

Right of Access and Data Portability

Under GDPR, users can request their data. In an event-based system, this means you should be able to locate and retrieve all events related to a user. This is more of a data architecture concern, but it intersects with security: you need clear data lineage and possibly a data catalogue for events so you know which events contain personal data and where they flow.

Implementing consistent event schemas and topics (as part of governance) helps respond to such requests efficiently and correctly.
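An added example tying together the data-minimization point from earlier in the article and the right-of-access point in this section; it is illustrative code, not the article's own. It assumes an event catalogue in which every registered event type declares its purpose, its topic, and an allow-list of fields with a data classification. The gateway rejects unregistered event types and fields on publish, and the same catalogue is what lets a subject access request be answered: which events concern the subject, what personal data they carry, for what purpose, and where they flowed. Event types, topics and field names are constructed sample values.

```python
from typing import Dict, List, Tuple

# Constructed event catalogue. Field classification: "none" (not personal),
# "identifier" (links the event to a subject), "personal" (personal data).
CATALOGUE: Dict[str, Dict] = {
    "order.placed": {
        "purpose": "order-fulfilment",
        "topic": "orders",
        "fields": {"order_id": "none", "subject_id": "identifier",
                   "shipping_address": "personal", "total": "none"},
    },
    "newsletter.sent": {
        "purpose": "marketing",
        "topic": "marketing",
        "fields": {"subject_id": "identifier", "email": "personal", "campaign": "none"},
    },
}


class SchemaViolation(Exception):
    """Raised when an event carries data the catalogue does not permit."""


def publish(log: List[Dict], event_type: str, payload: Dict) -> Dict:
    """Data minimization at the gateway: only catalogued event types and only
    their allow-listed fields get in. Surplus personal data is rejected rather
    than quietly stored and broadcast to every consumer."""
    spec = CATALOGUE.get(event_type)
    if spec is None:
        raise SchemaViolation(f"unregistered event type: {event_type}")
    extra = set(payload) - set(spec["fields"])
    if extra:
        raise SchemaViolation(f"{event_type} carries unregistered fields: {sorted(extra)}")
    event = {"type": event_type, "topic": spec["topic"], **payload}
    log.append(event)
    return event


def subject_access_export(log: List[Dict], subject_id: str) -> Dict:
    """Right of access / portability: every event about the subject, the personal
    fields it holds, the purpose it was collected for, and the topic it flowed to."""
    items = []
    for ev in log:
        if ev.get("subject_id") != subject_id:
            continue
        spec = CATALOGUE[ev["type"]]
        personal = {f: ev[f] for f, cls in spec["fields"].items()
                    if cls == "personal" and f in ev}
        items.append({"event_type": ev["type"], "purpose": spec["purpose"],
                      "topic": spec["topic"], "personal_data": personal})
    return {"subject_id": subject_id, "events": items}


def demo() -> Tuple[bool, Dict]:
    """Constructed sample: three valid events, one over-sharing event, one access request."""
    log: List[Dict] = []
    publish(log, "order.placed", {"order_id": "o-1", "subject_id": "subject-42",
                                  "shipping_address": "1 Example St", "total": 42.0})
    publish(log, "newsletter.sent", {"subject_id": "subject-42",
                                     "email": "a@example.com", "campaign": "spring"})
    publish(log, "order.placed", {"order_id": "o-2", "subject_id": "subject-7",
                                  "shipping_address": "2 Sample Rd", "total": 7.5})
    try:  # date_of_birth is not needed for order fulfilment and is not in the allow-list
        publish(log, "order.placed", {"order_id": "o-3", "subject_id": "subject-42",
                                      "date_of_birth": "1990-01-01"})
        rejected = False
    except SchemaViolation:
        rejected = True
    return rejected, subject_access_export(log, "subject-42")
```

Because the catalogue is the single place that says which fields are personal and which topic carries them, it doubles as the lineage record: the same lookup that answers an access request also tells you which topics (and therefore which subscribers) a deletion or retention change must cover.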

Futuristic image showing three people around a table, looking at Compliance issues.

In Conclusion

In summary, compliance is a shared responsibility between your architecture and organizational processes. The Event Gateway and underlying cloud platform must provide the tools – encryption, regional isolation, certifications – but it’s up to the architects and developers to use them correctly and to enforce policies (like retention limits or key rotation).

With careful planning, an event-driven system can satisfy stringent regulations: for example, by encrypting PHI in transit and at rest, auditing all accesses, and rapidly removing data when a GDPR deletion request comes in (potentially via crypto-shredding or purge of event stores).

Many organizations have achieved compliance by building on cloud providers’ certified services and following these patterns, proving that real-time event architectures can be both high-speed and high-security.

We at Qala are building an Event Gateway called Q-Flow—a cutting-edge solution designed to meet the challenges of real-time scalability head-on. If you're interested in learning more, check out Q-Flow here or feel free to sign up for free. Let’s take your system to the next level together.