In discussing GDPR there has been a lot of focus on fines, data subject consent, training employees, and the various legal bases for data transfers. This has meant some other areas are in danger of being overlooked. One of the articles that needs to be highlighted is Article 25: Data protection by design and default.

The first two parts of the article are below:

Article 25 says that all new systems, applications, and processes for collecting and processing information must be designed from the ground up to incorporate best practices for data minimization, and must include technology and procedures to safeguard the data as it is processed.

Privacy by Design was first promoted by the Privacy Commissioner in Ontario in the 1990s, the idea being that privacy should be more than just compliance with regulations: it should be the default mode of operation from initial design through implementation. They published a paper that defined the 7 Foundation Principles, available to download at

If the regulator investigates a company for possible breach of the GDPR, it will ask for documentation on the policies, procedures, and the technology deployed to ensure GDPR is being met. Just think whether you can answer the question “for this new process, show me the ways you ensured privacy by design and privacy by default.”

The seven principles are:

  • Proactive not reactive; preventative not remedial
  • Privacy as the default
  • Privacy embedded into design
  • Full functionality – positive-sum, not zero-sum
  • End-to-end security – Lifecycle protection
  • Visibility and Transparency
  • Respect for User Privacy

To understand the above seven principles, I’ll use some examples in the cloud computing area and options available to IT management.

Cloud-based sales & marketing CRM systems

For data minimization, users should have access to as small an amount of data at one time as possible. Restrict access as tightly as you can: if someone is only working on customers in a particular region, ensure that the rights are set so that they cannot access other data. Consider who should have access to broad reporting. Ensure that all access is via individual login names and all traffic is logged for forensic purposes. Hide as much data as possible from individuals who do not need to see it, using technologies such as encryption. Ask yourself whether users producing broad reports on campaign results should have access to the underlying data or just the overall figures.

Users administering online surveys

Design the surveys so that the people reviewing the results cannot see individual user credentials. Consider encrypting parts of the content before feeding it to the admin. Feed personal information to a different team, or split the data so that general results and personal content are kept separate.

Online storage and collaboration tools

Use DLP tools to safeguard the users from breaking GDPR, by searching for personal identifiers and informing the user (and/or admin) of possible breaches.
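A minimal sketch of the kind of check a DLP tool performs, added here as an illustration (not code from the original article or from any DLP product): it scans text for email addresses and payment card numbers, uses the Luhn checksum to cut false positives, and masks each value so the alert itself does not expose the data. The patterns, function names and sample text are constructed for this example.

```python
import re

# Constructed patterns for two identifier types; a real DLP policy covers many more.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str, keep: int = 4) -> str:
    """Keep only the last few characters so the alert does not leak the data."""
    return "*" * (len(value) - keep) + value[-keep:]

def scan(text: str) -> list:
    """Return one finding per suspected personal identifier, with masked values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            local, _, domain = m.group().partition("@")
            findings.append({"line": lineno, "type": "email",
                             "masked": local[0] + "***@" + domain})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # digit runs that fail the checksum are ignored
                findings.append({"line": lineno, "type": "payment_card",
                                 "masked": mask(digits)})
    return findings

# Constructed sample document; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = """Q3 campaign notes
Follow up with jane.doe@example.com about renewal
Card on file: 4111 1111 1111 1111
Order reference 1234 5678 9012 3456 shipped Monday
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: possible {f['type']} ({f['masked']})")
```

The order reference on the last sample line has the shape of a card number but fails the checksum, so it is not reported to the user or admin.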

In-house developed apps using cloud-based IaaS services

Ensure that privacy is built into the apps from the start. Integrate with existing systems in areas such as authentication and encryption so that the software engineer can develop their app without having to slow down to add the privacy controls.

Privileged users that manage account capabilities

Keep privileged user accounts away from data manipulation, and report any instance where a privileged user attempts to stray from their usual behavior.

All cloud services

Look to deploy the types of technologies that have been in use in on-premises systems for decades – multi-factor authentication, integration with corporate Single-Sign On services, encryption, data loss prevention, anomaly detection, geo-location policies, differentiated policies based on trusted and untrusted apps, and services such as centrally-deployed global encryption.

For more detail on Privacy by Design, our technology partner Ionic has produced a great white paper, available here: