Collaborating author: Kenneth Riley
In a previous post, we provided a high-level primer on the upcoming European Union General Data Protection Regulation (GDPR), which will come into full effect on May 25, 2018. As we move closer to the compliance date, we wanted to highlight a few of the more difficult and/or compelling requirements of the regulation, starting with Privacy by Design.
Privacy by Design (PbD) is in no way a newly discovered concept, nor was it coined by the European Commission. In the 1990s, Dr. Ann Cavoukian, the former Canadian Information & Privacy Commissioner, formally introduced privacy teams to the foundational principles of PbD including transparency, end-to-end security and respect for user privacy. Thanks in large part to Article 25 of the GDPR though, PbD is making a resurgence in blogs and tech articles – current blog included!
The European Commission not only requires PbD but, more specifically, requires privacy by default: limiting to the greatest extent possible how much data is collected, retained and stored by an organization. Furthermore, privacy by default requires that information systems be configured with privacy in mind (i.e., default encryption settings) from the beginning, not bolted on later in the system’s lifecycle. Default settings should always keep privacy in mind and, when in doubt, be configured to be as privacy protective as possible.
To help simplify the process, here are a few tips as you move toward privacy by default:
- Data Minimization - One of the core components of privacy by default is to reduce the amount of data collected from the outset. With each data element captured (name, address, date of birth, etc.), the risk of unprotected data increases. Not only can organizations limit their risk landscape by limiting the data collected, but compliance with regulations such as GDPR suddenly becomes much easier.
- A Seat at the Table - It’s hard to imagine a major system implementation where the security team is not consulted to determine the new system’s impact on the broader IT and business environment. Privacy by default, and GDPR specifically, looks to apply the same mentality to privacy considerations. Changes to the IT environment may have an effect on the organization’s ability to protect data and the privacy team should be included in the approval (i.e., software development lifecycle) process. Privacy by default also relies heavily on end-to-end security. Whereas privacy determines what data needs to be protected, it’s up to security to protect the sensitive data.
- Communication and Awareness - Perhaps the biggest hurdle for organizations implementing privacy by design/default is the change in mindset from privacy as an afterthought to privacy at the forefront. No matter how well designed the enhanced processes are or how well implemented new technologies are, uninformed people may not have the knowledge or awareness to implement sound privacy principles, let alone default to privacy.
Be sure to check back here often as we continue our discussion on GDPR. In our next post, we will examine the implications of "One-Stop-Shop."