Elastic Stack and GDPR (reloaded)


(Val Crettaz) #1

Since the topic is closed, I'm continuing the discussion from General Data Protection Regulation (GDPR) because I believe it can be of general interest (especially given the timing):

First of all, thank you @sihil for bringing up this topic. Of course, no one asked for GDPR in the first place, neither the Elastic company nor the Elastic Stack users. At first glance, it might seem like a good (uhmm great) (uhmm huge) business opportunity for Elastic and I'm happy for them if that's the case. I've been a huge fan of Elastic since the early beginning and I'm happy for them if they make more money, because that will most certainly translate to a wealth of cool features down the road.

Like @warkolm pointed out and as the whitepaper depicted pretty well, GDPR mainly boils down to a process issue. But a process is worthless when not implemented correctly, which is usually where technology (among many other concerns) comes into play. Elastic is no exception here, so we can dodge the debate as much as we want; ultimately people need to face the facts and use some technology to properly implement GDPR. In our case, we're talking about the Elastic technology.

As such, Elastic (the company) has a big role to play. Simply saying "subscribe to XPack Platinum or migrate to Elastic Cloud" is not what I think would be a wise message to convey. There are two categories of Elastic users: those who use the open-source product and those who subscribed to XPack (let's ignore for a moment Gold vs Platinum). On May 25th, the latter won't be impacted too much, but among the former who are impacted by GDPR, a big majority will have to choose between going away from Elastic and picking another solution or shelling out more money to subscribe to XPack Gold/Platinum. I don't think that it is wise to force OS users to make that difficult choice, especially since GDPR brings no immediate business value. It feels like something Apple, Google or Microsoft would do because they care more about how their business looks on spreadsheets than pampering their (commercial or free) user base, but I'm digressing here.

If I were in the strategic spheres somewhere at Elastic, I'd turn the tide and suggest extracting the minimally necessary security features to be GDPR compliant from the XPack Platinum subscription and moving them to XPack Basic. That move would show two things to the world:

  1. While Elastic needs to make money, they don't make it at any price, and certainly not at the price of losing existing customers, upsetting them or turning down new potential ones that were in the process of evaluating the Elastic Stack
  2. Incentivizing OS users to subscribe to XPack Basic is a first step toward upselling them a Gold/Platinum subscription. Many OS users would never subscribe to Basic, but if it's at no cost and that makes them GDPR-compliant for "free", then they would kill two birds with one stone... all while Elastic can continue to shine as a hero company.

So, all this GDPR frenzy can be both a boon and a bane for Elastic (and many other technology providers for that matter). The fact that OS users will need to start paying for being GDPR-compliant might bring in more money on one hand but also put off many other (existing and potential) users on the other hand.

Ultimately, all that matters boils down to the perception people have. Let's not forget that Elastic is not just a technology, it's an ecosystem with many actors, such as, but not restricted to, the Elastic company itself, technology/referral/OEM partners, integrators, consultants, OS users, subscribed users, etc... Elastic needs to consider all these actors while deciding how to handle the GDPR transition, because the decision they will make will heavily contribute to the perception people will have towards Elastic as a company and their products. Every one of the above-mentioned actors can benefit from a sane transition to GDPR and ultimately that benefits the whole ecosystem.

If anyone is interested, I’d be happy to discuss these matters next week at Elastic{ON} :wink:


(Val Crettaz) #2

"Ask and you shall receive"....

As announced yesterday during the Elastic{ON} keynote, XPack is going to be fully open-sourced, so that definitely offers one other alternative to people/companies who must comply with GDPR and don't want/need to subscribe to XPack just for the sake of being GDPR compliant. I admit I didn't see that one coming, but it has the merit of also being fully in line with what I highlighted in my above post.

This move has most certainly been planned for quite some time, so let's just thank Elastic for being such a visionary company.


(Ry Biesemeyer) #3

I believe that there is some confusion here; x-pack will be open code, providing better visibility and transparency, along with a better experience tracking issues and feature development, but it will not be "Open Source" (as in: free). There will still be gold and platinum features, which users will have a legal requirement to pay for in order to use beyond their trial periods; as Shay called out in his keynote announcement, these paid features are what allow us to employ so many to work on both our OSS and our commercial IP.


(Nanda Koothrappahli) #4

For dedicated GDPR support for Elasticsearch you also may want to have a look here:


We're testing this currently and it looks promising; the field read history is especially important to us because we need to know who has accessed the content of a field and when.

