The General Data Protection Regulation (GDPR) requires organizations to implement appropriate technical and organizational measures to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.” It also requires that data protection be implemented “by design and by default.” To achieve this, privacy and data protection must be rooted in every part of an organization’s information technology and IT infrastructure.
The GDPR is a well-intentioned regulation. Although the path to compliance is taxing for many organizations, they should look beyond the headache of the regulation to the opportunities in its obligations, obligations that are deep-rooted in the requirement for privacy by design and by default.
Before GDPR enforcement
For a long time, software and application security (to take one example) has suffered. Many applications are assembled from open source components (widely available and not always adequately vetted) rather than written from scratch. Development was frequently rushed to completion, mostly at the cost of security.
The result: final products with weak and defective security, if any at all, that could put user safety and privacy at risk. Security was not considered upfront, was not part of the design process, and was not monitored afterward; at best it was occasionally applied as an afterthought.
Personal data security suffered, and users were left to bear most of the risk and fallout (instead of the organizations behind the products, processes, and services), mostly unaware that it was happening at all, because reporting of data breaches was practically unheard of. The GDPR is changing this.
The GDPR, with its requirement for security and privacy by design, does not tolerate this. It is forcing a change in how products and services are conceived, designed, developed, and built so that privacy and security are ensured, and this is beneficial for product development, organizations, and users. The GDPR has forced this essential change to happen, and although it is an EU regulation, its requirements are permeating across the globe.
There’s opportunity in the obligation for all involved.
Guess what … privacy by design has been an encouraged best practice for a long time
Yes, it has! However, only some practiced it before the GDPR came into force. It has taken the GDPR, by making it a legal obligation, for the majority to make it happen. Privacy by design focuses on embedding privacy protection measures throughout the development of products, processes, and services, so that the personal data they process is protected and the risk to the data subject is reduced.
The GDPR encourages focused privacy and security by design by requiring privacy protection measures to be rooted in the development of products, processes, and services. It all boils down to data protection by design: using methods that keep data protected and confidential, control access to it, maintain its integrity, and ensure user privacy.
Principles fundamental to privacy by design
Built-in proactive and preventative measures
Proactive data protection and privacy measures trump reactive ones, and privacy by design emphasizes this. Organizations need to anticipate the risks to privacy and the types of incidents and attacks they face, and build preventative measures into the design from the start (data protection impact assessments, DPIAs, have a fundamental part to play here). A reactive action is usually a sign that the risk assessment had gaps and a threat was overlooked; privacy and security by design aim to identify risks and define procedures during the design process, so that the resulting products and services are more compliant and better protect personal data and users. This work must be done early and throughout development, not at completion.
Secure by default
All new processes, products, and even features should be secure by default (not insecure by default) as a standard requirement. This means that privacy by default is maintained right from the start. A user should not have to jump through hoops to secure a service or product, but should instead have the visibility and control to make informed decisions about the security they need. Security and privacy features should therefore be at their strongest by default, and with proper insight users can make configuration changes to suit their access requirements. Components, products, and services must be robustly secure out of the box, all of the time.
Security and privacy by design should be entrenched in the organization’s culture, thought process, design process, build process and ultimately business practices as a whole. Nothing should commence without meeting integrated security and privacy by design fundamentals so that all developments are private and secure from the get-go. The build must be dependent on achieving this rather than privacy and security as an add-on.
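The secure-by-default principle above is easiest to see in a service’s configuration: every protective setting is on unless a deployer explicitly opts out, nothing can be weakened by accident, and every weakening is surfaced so that the people running the service can make an informed decision. The following Python module is an added illustration and is not code from the original article; the setting names, the retention threshold, and the sample deployments are assumptions constructed for the example.

```python
"""Secure-by-default configuration: every protective setting is on unless a
deployer explicitly opts out, and every opt-out is reported so it is visible.
Added illustration, not code from the original article. The setting names and
thresholds are assumptions chosen for the example."""
from dataclasses import dataclass, fields
from typing import Any, Dict, List


@dataclass(frozen=True)
class ServiceConfig:
    # Protective defaults: a deployment that sets nothing gets the strongest posture.
    tls_verify: bool = True             # never accept unverified peer certificates
    require_https: bool = True          # reject plain HTTP
    debug: bool = False                 # debug pages leak stack traces and config
    session_cookie_secure: bool = True  # session cookie only sent over TLS
    session_cookie_httponly: bool = True  # session cookie not readable by scripts
    allowed_origins: tuple = ()         # CORS: deny every origin unless listed
    retention_days: int = 30            # storage limitation: purge personal data
    analytics_opt_in: bool = False      # privacy by default: tracking is off


# Conditions under which a setting weakens the default posture, with the reason
# reported to the deployer.
_WEAKENING_CHECKS = {
    "tls_verify": (lambda v: v is False, "certificate verification disabled"),
    "require_https": (lambda v: v is False, "plaintext HTTP accepted"),
    "debug": (lambda v: v is True, "debug mode exposes internals"),
    "session_cookie_secure": (lambda v: v is False, "session cookie sent over HTTP"),
    "session_cookie_httponly": (lambda v: v is False, "session cookie readable by scripts"),
    "allowed_origins": (lambda v: "*" in v, "CORS wildcard allows any origin"),
    "retention_days": (lambda v: v > 365, "retention exceeds one year"),
    "analytics_opt_in": (lambda v: v is True, "tracking enabled without user consent"),
}


def load_config(overrides: Dict[str, Any]) -> ServiceConfig:
    """Build a config from explicit overrides only. Unknown keys are rejected so
    that a typo cannot silently leave a protection switched off."""
    known = {f.name for f in fields(ServiceConfig)}
    unknown = set(overrides) - known
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    return ServiceConfig(**overrides)


def audit_config(cfg: ServiceConfig) -> List[str]:
    """Return one finding per setting that has been weakened from its default.
    An empty list means the deployment still has the out-of-the-box posture."""
    findings = []
    for name, (is_weak, reason) in _WEAKENING_CHECKS.items():
        value = getattr(cfg, name)
        if is_weak(value):
            findings.append(f"{name}={value!r}: {reason}")
    return findings


if __name__ == "__main__":
    # Constructed sample deployments (not real configurations).
    print("out of the box:", audit_config(load_config({})))  # no findings
    weakened = load_config({"tls_verify": False, "debug": True, "allowed_origins": ("*",)})
    for finding in audit_config(weakened):
        print("WARNING:", finding)
```

The point is the shape, not the particular settings: the secure value needs no action, an insecure value needs a deliberate override, and the audit turns every override into something a deployer or reviewer can see and justify.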
Usability and security
Yes! You can have the one as well as the other, and simultaneously. It is often thought that a user-friendly product or service means insufficient security, or that security comes at the cost of usability. In practice a product or service that is designed and built to be usable is more secure, and creating it to be both usable and secure helps satisfy all business objectives: privacy is ensured and user efficiency is not impacted. Both must be incorporated early in the process. Do not design a secure product that is not usable, because users will bypass it and privacy and security will suffer; a usable product with protection bolted on afterward is not sufficient either. Incorporating privacy early in design and development ensures that usability is not sacrificed because of it, and an easy-to-use product or service is often more secure as a result.
Privacy and security for the entire data lifecycle
Data protection needs to cover the data’s entire lifecycle. Data flows, data has no boundaries, and data changes. Protection measures must follow data and adapt with it so that it is protected end-to-end: from when it is created, throughout processing and its journey, whenever and wherever it travels or rests. Systems must be designed with this in mind. The notion that data is living and not static must be considered, and the data protected by design, from the beginning.
Granular visibility and transparency
Visible security, privacy, and control are essential to assure the user that the confidentiality, availability, and integrity of their data are always ensured and maintained in practice. This needs to be part of the design and build plan so that users have a comprehensive understanding of the technical and organizational measures implemented to protect their personal information. With this level of transparency, users are able to make informed decisions on whether they want to use a product or service, and how best to use it to match their risk tolerance.
User privacy as the main priority
It is important to acknowledge that user privacy is essential and to ensure this resonates throughout the organization; it should be integral to the business culture. From the top down, the importance of user privacy must be encouraged throughout all business practices, and everyone must respect it. Design and build in the controls that enable users to enforce their privacy requirements and the level of protection they need, and make sure those users can in turn easily pass the same protection on to their own users, customers, or clients, so that it goes full circle. Flexibility ensures that users can maintain privacy and security in varied conditions and environments, to better support their individual requirements.
An excellent opportunity in the obligation
The GDPR has taken effect. The preparation, the changes, the consents, and the mass of privacy notices seem to be slowing down (although a lot of work is still being done in the background). It is time to see and realize the benefits of a well-planned GDPR implementation, prospects beyond compliance, and there are many: improved customer confidence, improved incident response, and the growth of innovative products and services, all of which are by-products of proper GDPR execution and compliance.