The Privacy by Design framework (PbD) was first introduced by Dr Ann Cavoukian, Information and Privacy Commissioner of Ontario, in the 1990s. PbD “… advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”
The seven foundational principles of the framework are:
- Proactive, Not Reactive; Preventative, Not Remedial: Anticipate and prevent privacy breaches before they occur
- Privacy as the Default Setting: Consent for sharing a user’s data should not be assumed
- Privacy Embedded into Design: Not to be coded as a plug-in
- Full Functionality — Positive-Sum, Not Zero-Sum: Security and privacy should be considered two sides of the same coin, and users must experience full application functionality
- End-to-End Security — Full Lifecycle Protection: Full protection from collection to deletion
- Visibility and Transparency — Keep it Open: Ensure security practices can stand up to public scrutiny
- Respect for User Privacy — Keep it User-Centric: For instance by offering strong privacy defaults, appropriate notice and empowering, user-friendly options
The General Data Protection Regulation (GDPR) requires applications are built, and personal data is stored, within a PbD framework – i.e. privacy by default – framework with a view to protecting user data. While a European Union (EU) regulation, it is extraterritorial and has implications for anyone that does business with Europe.
In this article, we will look at how businesses can use the PbD framework to ensure their systems comply with the GDPR.
What is the GDPR All About?
GDPR is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). The principles (some controversial) behind GDPR have evolved since January 2012 when the European Commission (EC) proposed plans for data protection reform in order to create digital standards across Europe. It attempts to regular behaviors, laws, and obligations around privacy and consent, internet usage, and data management.
Here are some concepts you need to know:
Organizations who gather personal data will have to comply with legal conditions to protect data and will face penalties if they do not.
Controllers and Processors
The ICO defines a controller as an entity that determines the purposes and means of processing personal data, while a processor is responsible for processing personal data on behalf of a controller. For example, if TShirtsAreUs sells t-shirts online and uses Apparel Marketing to monitor their sales campaigns, TShirtsAreUs is the controller and Apparel Marketing is the processor.
Information Covered by GDPR
What is covered is “personal data” and “sensitive personal data?” The latter constitutes “special categories of personal data,” for instance, data about criminal offences and convictions, IP addresses, genetic data, genetic origin, sexual orientation, political beliefs, religious beliefs and biometric data.
The ICO notes that the GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
Life Cycle Protection
Implementing PbD means covering personal data protection not only from the design stage through the SDLC, but throughout the use by the user of software, and even after the software has been withdrawn from use.
The GDPR principles at a glance
- Identify what user data is necessary to provide full functionality – i.e. limit it to what is necessary and relevant in relation to the purpose for which it is processed. Also, avoid requesting from the user any intrusive access to their machines that is unnecessary, e.g. access to their camera
- Limit how data can be used – i.e. do not further process in a manner that is incompatible with the original purpose data was collected, and ensure explicit consent is obtained if data is further processed
- Protect data – e.g. against unauthorized or unlawful processing, and against accidental loss, destruction or damage
- Limit sharing of data – e.g. obtain explicit consent to share data with partners and do not share on social media by default
- Ensure accessibility of user controls – e.g. revisit contact forms, sign-up pages and customer-service entry points. Enable privacy as a default; users should not have to configure anything to ensure their data is safe
- Provide transparent notice to individuals – e.g. provide clear privacy- and data-sharing notification, enable granular opt-in and notify users of security breaches without undue delay to data subjects. Users frequently complain about not understanding system messages. This includes a tendency with online applications to display obscure error messages and highlight input fields without explanation as to what is required of users. But it goes further than that. The GDPR requires that if personal data is stored, processors must explicitly let the user know for how long, and why and how their data is used. This boils down to drawing up clear policy documentation
- Keep data up to date – I.e. ensure accuracy of data when further processing
Practical Steps for Business Stakeholders to Implement the PbD Framework
Individuals have a right to privacy by default. Here’s how you can ensure your systems comply.
Identify Privacy Data
To get started, you should first create a privacy assessment of your software and data. A detailed Privacy Impact Assessment (PIA) process can help you identify the flow of personal information in your system and analyze how it is used. For managers and business analysts, this provides a WHAT, WHEN, WHERE, WHY, WHO overview and assists in planning and costing changes. With more detailed analysis, a PIA functions as a checklist for developers when investigating the code that manipulates personal data.
The New Zealand Privacy Commissioner provides a comprehensive handbook you can use to assess your system and the data it collects and generates. For instance, “How might individuals be affected by the risks identified?” and “Are there special sensitivities about the uses?” Answering these questions will help you to map where, when, and how data is controlled. You can treat sensitive personal information differently to other data, and measure data vulnerability.
If you are looking for a more interactive, user-friendly tool to do an impact assessment, try this open source PIA tool from Commission Nationale de l’Informatique et des Libertés (CNIL).
In addition, the GDPR makes the carrying out of a Data Protection Impact Assessment (DPIA) mandatory where processing personal data is “likely to result in a high risk to the rights and freedoms of natural persons.”
Devise a Consent Management Process
Controllers also need to seek active consent to collect personal data and must inform users if their information will be used by third parties. Struggling with GDPR requirements for consent management, Segment created their own open source Consent Manager tool. The software is built off the company’s analytics.js library, so you need to be using Segment to deploy it.
According to IT Pro Portal, an enterprise-grade NoSQL database platform is the best option on which to build a Consent Management Hub, because it can handle the data diversity problem.
Implement Data Anonymization
Anonymize data where you can and use best practices to secure data by encryption, including deleted data. Enable the regular deletion of data that is no longer required. Make sure that personal data is not used anywhere except in the production environment. As explained by GDPR Report, pseudonymous data still allows for some form of re-identification, while anonymous data cannot be re-identified.
Anonymization techniques to consider using include directory replacement, scrambling, masking, personalized anonymization and blurring.
Enforce Users’ Right to be Forgotten
When users unsubscribe from a service, all data must be removed from the back end; GDPR considers users to have a right to be forgotten.
Document a Data Retention Policy (DRP)
For example, here is Google’s DRP.
Establish Third-Party Integration Policies
Ensure third parties you outsource to and your partners are GDPR-compliant. In the Google versus Costeja case in 2014, the Court of Justice of the European Union (CJEU) ruled that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties.
Revisit Your Code Repositories and Deployment Practices
Learn about the Twelve-Factor App, a methodology that enables developers to build secure Software-as-a-Service (SaaS) apps using best practices. Two-factor authentication should be used in SaaS environments. Three-factor authentication incorporates a biometric component for verification.
Enable Strict Access and Credential Control
Developers should use password managers and key vaults. You also need to institute strict Bring Your Own Device (BYOD) policies and procedures.
Secure Your Perimeters
Data Leak Prevention (DLP) software can help you to secure your network infrastructure and protect endpoints. It does not have to cost you an arm and a leg. For instance, OpenDLP is a free and open source, agent-based, centrally managed, massively distributable DLP tool released under the GPL.
The GDPR requires that the minimum amount of data is used to complete a task, which suggests an underlying premise of avoiding creating personal data in the first place
An article by i-Scoop (see Sources) explains why, while encrypting personal data is not mandatory for the GDPR, it is a best practice to consider. In terms of privacy regulations, the GDPR does not “stand on its own.” Other regulations, like the forthcoming EU ePrivacy Regulation, are in the pipeline and will have further privacy stipulations and consequences.
You also need to analyze all data repositories throughout your system, including file, log, and backup storage. For instance, how secure is your communications system and can you ensure private information cannot be leaked via email?
Where to Next?
- Learn about privacy and the Internet of Things
- If you are a manager, here is a checklist of what you need to confirm with your developers about how they handle customer data security
- Brush up on privacy regulations in the EU and U.S.
- Read up on the risks and benefits of data protection policy templates
- Read more about the GDPR on the Information Commissioner’s Office (ICO) The organization provides an easy-to-read guide and reference on GDPR for lay people and businesses.
Extraterritorial Scope of GDPR: Do Businesses Outside the EU Need to Comply?, Business Law Today
Privacy Impact Assessment, Privacy Commissioner of New Zealand
GDPR and the art of consent management, ITProPortal
The Twelve-Factor App, 12factor.net