Privacy is a big topic, and it can be challenging to understand all its ins and outs. In this post we go over what privacy means for your company in general, and the technology and GDPR context you will need.
Privacy has many dimensions: economic (the right incentives), social (inclusive measures), political values such as free speech, and so on. So let me start by explaining how each affects the Data Protection Act differently.
GDPR privacy by design is an Article 25 obligation to ensure privacy and data protection in the processing of personal data. The law requires companies to address privacy and data protection issues in the design phase of any project, product, service or system. Data protection by design is ultimately an approach that ensures you ‘bake’ data protection into your processing activities and business practices. In short, GDPR’s privacy by design can be achieved by:
GDPR privacy by default is another Article 25 obligation, which requires companies to restrict their data processing activities to what is necessary for a specific purpose. In particular, data protection by default requires business entities to collect data only for a legitimate interest, to specify that purpose before processing starts, to inform data subjects in good time before collecting the data, and to process only the data needed for the specific purpose. This principle also highlights data minimisation and purpose limitation, which are vital requirements of the GDPR. In brief, privacy by default can be achieved by:
The difference between privacy by design and privacy by default is that privacy by design is the requirement to address privacy in the early design phase of any product, service or project. Often this happens at the same time as the business carries out a data protection impact assessment (DPIA), enabling it to identify and assess the data privacy risks and challenges associated with the product, service or project and how these can best be mitigated.
Privacy by default requires that user settings have the most privacy-friendly option as the default. Under the GDPR, companies are obligated to implement appropriate organisational and technical measures by default, for example data minimisation, i.e. only the personal data necessary for each specific purpose of the processing is processed. To address privacy by default, data minimisation techniques such as pseudonymisation become more important, so that only the minimum amount of data required is collected and processed.
The concept of privacy by design contains seven underlying principles that explain how to achieve data privacy compliance in the early stages of any projects, systems or services. These seven principles are as follows:
The first principle, Proactive not Reactive; Preventative not Remedial, states that data privacy needs to come up at the initial stage of the planning process. If an organisation’s security measures consist of putting out fires and dealing with data breaches after the fact, then the organisation is being reactive. This principle sets the foundation for the rest of the principles by developing a culture of ‘privacy awareness’ across the board.
The second principle is privacy as the default, meaning privacy must be at the forefront of whatever data processing an organisation does. It requires restricting mass data sharing, using data minimisation, deleting data that is no longer in use, and processing personal data only on a legal basis. It also means offering opt-in and opt-out rights to data subjects and applying data security safeguards for privacy considerations.
The third principle is that privacy needs and concerns are addressed during the design phase of any project, product, system or service. In other words, data privacy is a core functionality of the product. Organisations should deploy encryption at rest and in transit, authentication and authorisation, test for vulnerabilities and conduct penetration tests regularly. It does not matter whether a product satisfies clients’ requirements if it carries a design flaw that leads to a severe security vulnerability; that flaw is the greater risk.
Principle four seeks to accommodate all legitimate interests and objectives in a “win-win” manner, requiring a balance between growth and security. It states that if a business entity reduces privacy functionality, that business is doing it wrong. The business should adopt appropriate technical and organisational measures to achieve the level of security and confidentiality its infrastructure requires. At the same time, data privacy should not overshadow the functionality of the business.
The fifth principle is end-to-end security. It has long been argued that data protection must follow data throughout its whole lifecycle, i.e. from collection to deletion. Encryption and authentication are the standard at every stage of data processing, but data protection also needs to go beyond them. Take, for example, an organisation that should only collect the data it needs for a specific purpose and have a legal basis for processing it. Once the organisation has achieved that purpose and is finished with the data, it should use GDPR-compliant deletion methods to complete end-to-end data protection. So before any data is collected, its retention period and deletion mechanism should be decided.
Principle six of privacy by design addresses visibility and transparency. Data subjects should know about the organisation’s privacy and processing practices, and these should be shared openly, either in the website privacy policy or at the time data is collected from data subjects. This principle supports the need for a well-written privacy policy, which is essential for every business that falls under the jurisdiction of the GDPR or other laws such as CCPA, PIPEDA or Swiss data protection law. It also argues that there needs to be a mechanism for data subjects to raise their concerns over personal data, ask questions, and exercise the rights given to them by the respective law.
Finally, principle seven concludes the concept of privacy by design: everything needs to be done with the data subject or customer at the heart of the development process. It means acknowledging that even when a company collects data from its clients or customers, that data still belongs to the people it was collected from.
All data subjects can make requests to access and withdraw their consent for the use of their data. Suppose their data is to be re-used for any different purpose other than that for which it was initially collected. In that case, the company needs to inform its customers again of the new purpose of data processing.
The concept of privacy by design is explained by its name: after all, who would want their data monitored or compromised? No one wants that to happen, and for that reason business entities need to work proactively on designing frameworks and implementing data privacy policies and procedures from scratch.
A privacy by design framework ensures that data protection and security are embedded throughout the entire life cycle of systems and services, from the early design stage through deployment and use to ultimate disposal.
Data privacy is a major concern these days because of the growing body of regulations and laws in different jurisdictions, namely the US, Europe and Asia. Businesses that handle data from these jurisdictions need to comply whether or not they are established there. The scope of these laws is very broad, and any business that deals with the data of consumers, customers or data subjects needs to address data protection and privacy mechanisms at some level.
If data privacy is not addressed at the initial stage of data processing, companies are likely to need substantial technical resources and human effort to assess and mitigate privacy risks in already-developed projects. Moreover, many businesses would fall under the penalties of major laws such as the GDPR if they processed data without putting privacy risks on the front line.
The idea is to build privacy and data protection principles directly into technology, systems and practices at the design phase and default settings, thereby ensuring privacy and appropriate controls from the origin.
To answer this question, an organisation may need to answer the following questions first:
As for the first question, if the answer is yes, then definitely the principle of privacy by design and by default should be addressed in all policies and procedures of that business as it comes under the direct obligations of GDPR and needs to be fully compliant.
If the answer to the first question is negative and the business comes under the second category, then the company may need to comply with the contractual obligations of data privacy. These obligations relate to the data protection and privacy which concerns privacy by design and default at some level. Still, again that is all dependent upon the contractual requirement from the clients.
Even if your assessment reveals that your business does not have to comply with the GDPR, privacy by design is still a good starting point for achieving data privacy as good industry practice. Implementing privacy by design demonstrates an understanding of the value of personal data both to the business and to its customers. It acknowledges that privacy and individual control over data are major rights.
As per industrial standards like NIST Privacy Framework or ISO 27701, the following points should be considered a good starting point to implement privacy by design and default:
To make a significant change to a company’s culture in terms of data protection and privacy, organisations need executive-level support. This is truly non-negotiable, and top management communication is even more crucial if a company is building its privacy program from scratch. Without the support of top management, the implementation of privacy by design and default is not achievable and the effort remains vague.
The smart strategy for addressing data protection and safeguarding personal data processing is to use existing controls and resources so the process runs smoothly. During this process, a company should gradually adopt privacy-enhancing technologies to implement data protection mechanisms within budget.
Track down all the products and services that involve personal data processing. Identify the scope of GDPR data processing activities and, based on the severity of the processing, deploy technical controls, e.g. encryption, data minimisation and pseudonymisation, and organisational controls, e.g. a data retention policy and software development lifecycle policies or procedures.
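As an added illustration of how the technical and organisational controls named above fit together (this is example code written for this edit, not code from the original post or from Cyphere), the following Python applies purpose-based data minimisation, keyed pseudonymisation of the identifier, and a per-purpose retention period to a constructed set of records. The purposes, retention periods, key and sample records are all hypothetical.

```python
import hmac
import hashlib
from datetime import date, timedelta
from typing import Optional

# Constructed secret for this example. The key is the "additional information"
# that GDPR pseudonymisation requires to be kept separately from the data set;
# without it the token cannot be mapped back to a person.
PSEUDONYM_KEY = b"example-key-kept-in-a-separate-vault"

# Purpose limitation and data minimisation: each (hypothetical) purpose gets an
# allowlist of the fields it genuinely needs. Everything else is dropped.
PURPOSE_FIELDS = {
    "order_fulfilment": {"postal_address", "country"},
    "usage_analytics": {"country"},
}

# Retention period per purpose, decided before collection (hypothetical values).
RETENTION_DAYS = {"order_fulfilment": 365, "usage_analytics": 90}

def pseudonymise(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256): the same user always maps to the same token,
    but the token cannot be reversed without the separately held key."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()

def minimise_for_purpose(record: dict, purpose: str, today: str) -> Optional[dict]:
    """Return only the fields the purpose needs, with the identifier pseudonymised,
    or None when the record is past the purpose's retention period (i.e. it
    should be deleted rather than processed further). `today` is an ISO date."""
    collected = date.fromisoformat(record["collected_on"])
    if date.fromisoformat(today) - collected > timedelta(days=RETENTION_DAYS[purpose]):
        return None
    out = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
    out["user_id"] = pseudonymise(record["user_id"])
    return out

def process_dataset(records: list, purpose: str, today: str) -> list:
    """Apply minimisation, pseudonymisation and retention to a whole data set."""
    minimised = (minimise_for_purpose(r, purpose, today) for r in records)
    return [m for m in minimised if m is not None]

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "email": "a@example.com", "postal_address": "1 Main St",
     "country": "DE", "date_of_birth": "1990-01-01", "collected_on": "2024-01-15"},
    {"user_id": "u-1002", "email": "b@example.com", "postal_address": "2 High St",
     "country": "FR", "date_of_birth": "1985-06-30", "collected_on": "2023-06-01"},
]
```

Running `process_dataset(SAMPLE_RECORDS, "usage_analytics", "2024-03-01")` keeps only the first record (the second is past the 90-day retention) and strips every field except the pseudonymised identifier and the country.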
To run privacy by design and by default mechanisms effectively, it is important to establish an appropriate framework against which companies will assess their data privacy posture. That right framework really depends on the specifics of business needs and organisational structure. Companies may go for deploying NIST frameworks or ISO based on their needs and budget. Also, if the budget allocation or resources are not enough in the area of data privacy, an organisation may develop their data privacy framework and address privacy by design and default principles in their practices.
Employee training is key to reinforcing privacy by design and default principles and educating staff on their data protection obligations. Highlighting data privacy awareness during onboarding of new hires and in annual training keeps privacy top of mind for employees and shows that the company takes it seriously.
An organisation that deploys data protection by design will:
Privacy by default examples could be:
The GDPR aims to give data subjects more power over their personal data and to manage their privacy risks through its principles. One of those principles is privacy by design and by default, i.e. the formalisation of the Article 25 GDPR requirement.
Implementing the most privacy-friendly option as the default setting gives data subjects a real choice over which parts of their data can be used. Similarly, incorporating privacy by design during the development phase of services, products or projects is the only way to cater for data privacy risks successfully.
To begin the journey of taking on data privacy in business, security measures and privacy controls should be embedded into every new product, feature and process that collects and uses the personal and sensitive information of data subjects. For small to medium businesses, these procedures provide an opportunity to strengthen business reputation and gain data subjects’ trust.
The post What is GDPR Privacy by Design and Default? appeared first on Cyphere | Securing Your Cyber Sphere.
*** This is a Security Bloggers Network syndicated blog from Cyphere | Securing Your Cyber Sphere authored by Editor. Read the original post at: https://thecyphere.com/blog/privacy-by-design-and-default/