In discussing GDPR there has been a lot of focus on fines, data subject consent, training employees, and the various legal bases for data transfers. This has meant some other areas are in danger of being overlooked. One of the articles that needs to be highlighted is Article 25: Data protection by design and default.
The first two parts of the article are below:
Article 25 says that all new systems, applications, and processes for collecting and processing information must be designed from the ground up to incorporate best practices for data minimization, and must include technology and procedures to safeguard the data as it is processed.
Privacy by Design was first promoted by the Privacy Commissioner in Ontario in the 1990s. The idea is that privacy should be more than just compliance with regulations: it should be the default mode of operation from initial design through implementation. The Commissioner published a paper that defined the 7 Foundational Principles, available to download at www.privacybydesign.ca
If the regulator investigates a company for a possible breach of the GDPR, it will ask for documentation on the policies, procedures, and technology deployed to ensure the GDPR is being met. Ask yourself whether you could answer the question “for this new process, show me the ways you ensured privacy by design and privacy by default.”
The seven principles are:
- Proactive not reactive; preventative not remedial
- Privacy as the default
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security – Lifecycle protection
- Visibility and Transparency
- Respect for User Privacy
To understand the above seven principles, I’ll use some examples in the cloud computing area and options available to IT management.
Cloud-based sales & marketing CRM systems
For data minimization, users should have access to as little data at one time as possible. Restrict access as tightly as you can: if someone is only working on customers in a particular region, ensure that the rights are set so that they cannot access other data. Consider who should have access to broad reporting. Ensure that all access is via individual login names and that all traffic is logged for forensics purposes. Hide as much data as possible from individuals who do not need to see it, using technologies such as encryption. Ask yourself whether users producing broad reports on the results of campaigns should have access to the underlying data or just the overall figures.
Users administering online surveys
Design the surveys so that the people reviewing the results cannot see individual user credentials. Consider encrypting parts of the content before feeding it to the admin. Feed personal information to a different team, or split the data so that general results and personal content are kept separate.
Online storage and collaboration tools
Use DLP tools to safeguard users from breaking the GDPR by searching for personal identifiers and informing the user (and/or admin) of possible breaches.
In-house developed apps using cloud-based IaaS services
Ensure that privacy is built into the apps from the start. Integrate with existing systems in areas such as authentication and encryption so that the software engineer can develop their app without having to slow down to add the privacy controls.
Privileged users that manage account capabilities
Keep privileged user accounts away from data manipulation, and report any instance where a privileged user attempts to stray from their usual behavior.
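The CRM access rules above (region-restricted reads, individual logins with every access logged, aggregate-only campaign reports) and the rule that privileged accounts stay away from customer data can be expressed in a small access layer. The following is an added illustration, not code from the original post or from any CRM product; the record set, the roles ("sales", "analyst", "admin") and the region names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample CRM records (hypothetical, not real customer data).
RECORDS = [
    {"id": 1, "region": "EMEA", "email": "a@example.com", "campaign": "spring", "converted": True},
    {"id": 2, "region": "EMEA", "email": "b@example.com", "campaign": "spring", "converted": False},
    {"id": 3, "region": "APAC", "email": "c@example.com", "campaign": "spring", "converted": True},
    {"id": 4, "region": "AMER", "email": "d@example.com", "campaign": "summer", "converted": True},
]

@dataclass
class User:
    login: str                          # individual login name, never a shared account
    role: str                           # "sales", "analyst" or "admin" (assumed role names)
    regions: frozenset = frozenset()    # regions a sales user is allowed to work on

AUDIT_LOG = []  # every access attempt, allowed or denied, kept for forensics

def _audit(user, action, detail, allowed):
    AUDIT_LOG.append({"login": user.login, "action": action,
                      "detail": detail, "allowed": allowed})

def read_customer(user, record_id):
    """Sales users may read only records in their own regions.
    Privileged 'admin' accounts manage capabilities and get no customer data."""
    rec = next((r for r in RECORDS if r["id"] == record_id), None)
    allowed = rec is not None and user.role == "sales" and rec["region"] in user.regions
    _audit(user, "read_customer", record_id, allowed)
    if not allowed:
        raise PermissionError(f"{user.login} may not read record {record_id}")
    return rec

def campaign_report(user, campaign):
    """Analysts receive overall figures only, never the underlying rows."""
    allowed = user.role == "analyst"
    _audit(user, "campaign_report", campaign, allowed)
    if not allowed:
        raise PermissionError(f"{user.login} may not run campaign reports")
    rows = [r for r in RECORDS if r["campaign"] == campaign]
    return {"contacts": len(rows), "converted": sum(r["converted"] for r in rows)}

def denied_attempts(login):
    """Denied attempts by a privileged login are the events to report as that
    account straying from its usual behaviour."""
    return [e for e in AUDIT_LOG if e["login"] == login and not e["allowed"]]
```

In a real deployment the audit log would go to a tamper-resistant store rather than a list, and the denied-attempt query would feed the anomaly reporting described above.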
All cloud services
Look to deploy the types of technologies that have been in use in on-premises systems for decades – multi-factor authentication, integration with corporate Single-Sign On services, encryption, data loss prevention, anomaly detection, geo-location policies, differentiated policies based on trusted and untrusted apps, and services such as centrally-deployed global encryption.
For a more detailed white paper about Privacy by Design, our technology partner Ionic has produced a great white paper, available here: https://www.ionic.com/resources/privacy-by-design-gdpr-white-paper/