5 Key Steps to Achieving Data Privacy by Design & Default
Most companies struggle to implement the 7 principles of privacy by design for a number of reasons. Chief among them is the difficulty of interpreting the principles and translating them into technical and process controls. This is amplified by several contributory challenges, including:
- A global shortfall in personnel skilled in privacy and security
- Increasing complexity in technology landscapes
- Regional regulatory variations, which are sometimes incompatible with one another
With these problems in mind, well-designed processes that are repeatable, documented and technically aligned with privacy objectives will go a long way to solving the challenges presented by data privacy by design and default. In the next sections we'll take a look at 5 key steps to developing your data privacy program.
Step 1: Management Buy-in
Gaining management buy-in is not a pursuit exclusive to data privacy programs, but privacy can be a harder sell: its benefits are hard to quantify, it costs money, and it is complex because it combines technology and legal concepts.
It's often helpful to talk about the origins of the phrase "Privacy by Design (PbD) and Default", developed by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada, as the de-facto framework for embedding privacy into systems design, processes and planning. Her 7 Foundational Principles are publicly documented. Executive management has a reasonable right to expect that the money and effort being spent is underpinned by an industry standard such as Cavoukian's privacy by design work.
It's also good to reference privacy frameworks such as ISO/IEC 27701 (Privacy Information Management System) and the NIST Privacy Framework, as well as the OWASP Top 10 Privacy Risks; all are good resources to supplement your bargaining power with management.
As with security, a high-level privacy risk assessment should be done on key systems in the enterprise to demonstrate the importance of implementing PbD controls. The results can be compiled into a management report to secure that all-important buy-in.
Step 2: Privacy as an End to End Process in Development
Whether you outsource or in-source application development, and whether you operate a traditional SDLC or an Agile approach, data privacy controls and reviews must not be a one-off engagement by the security and privacy teams, and the advice given must be consistent and documented.
Too often we hear developers legitimately complain about inconsistent advice, minimal involvement by security and privacy personnel in the development process, or worse, completely contradictory advice from different members of the same team.
My advice is to stay on a common message across team members, document pre-approved privacy controls for common types of services, adopt specific privacy enhancing technologies (PETs) and stick with them.
Consider also integrating with change management. Change control approval should mandate consideration of privacy-related controls before a change is implemented, particularly in the application space.
Step 3: Hire the Right Talent
One of the seven principles, Full Functionality (positive-sum, not zero-sum), states that "Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is indeed possible to have both". In hiring terms this means that if you appoint a data protection officer, the person filling the role should complement your security team and not work in isolation.
Many organisations keep their compliance personnel siloed away from the security function and vice versa, but this won't work for a pivotal compliance role like a data protection officer. The right candidate must have cyber security fluency along with legal proficiency, good communication skills and, of course, the experience to back it up.
The right candidate should be able to cite the information sources they use to stay up to date in the regulatory space, not just the occasional Google search: ideally following data protection authorities, the CJEU, the UK ICO, the Irish DPC and industry figures such as Max Schrems on Twitter.
They should also be familiar with case history, in terms of what the data protection authorities report on annually. Such candidates are not easy to find, but whether you up-skill internally or outsource, the same requirements apply.
Step 4: Know the Privacy Risks
Knowing the privacy risks depends on "Hiring the Right Talent" above, hence the order here is important. Every year, privacy reports and lists of violations are issued by EU data protection authorities such as the Irish DPC and the UK ICO, alongside threat landscape reports from ENISA (the EU Agency for Cybersecurity) and cybercrime reports from Verizon, the FBI's IC3 and the Ponemon Institute, to name a few.
Collectively the message is that you have to know what the greatest threats to data are and build appropriate responses into your internal processes and procedures. For instance, national data privacy regulators regularly report on DSARs (Data Subject Access Requests) not being actioned in time, challenges to CCTV monitoring, and PII (Personally Identifiable Information) being sent to the wrong email or postal recipient. These recurring complaints are avoidable with proper supervisory controls, but knowing the risks is the first step to designing mitigating controls.
GDPR makes frequent mention of the nebulous term "appropriate safeguards" and some mention of pseudonymisation and encryption, but in reality the effort required to protect data is closer to the set of controls needed for a full ISMS program.
Step 5: Targeted Training
Research has shown that the same old slide decks and a box-ticking approach to training lead to apathy among staff and a general level of disengagement. This apathy is not shared by cyber-criminals, who anticipate it and exploit organisations with ransomware and phishing scams.
It may sound obvious, but different areas have different privacy needs, and training programs should be designed around those risk profiles. For example, general staff training should address removable media, emailing confidential material and phishing, whereas web developers need to know about data minimisation, anonymisation and pseudonymisation of data, encryption of services and access controls when designing software controls.
The same would apply to marketing staff, who need to be educated on opting-in, data subject rights, due diligence with email and physical media distributions etc.
Many off-the-shelf training providers adopt a one-size-fits-all approach and only make micro-adjustments from year to year, which does very little to help the situation. Therefore make sure that training follows a proven instructional design model and is far more scenario- and goal-oriented.
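The developer-facing controls named above, data minimisation and pseudonymisation, are the kind of "pre-approved privacy control" Step 2 recommends documenting once and reusing. The following is an added example, not code from the original article: it strips a customer record down to an allow-list of fields before it leaves for an analytics service, replaces the email address with a keyed pseudonym (HMAC-SHA256), and shows why an unkeyed hash is not a pseudonym at all, since low-entropy identifiers such as email addresses can be recovered by simply hashing a list of guesses. The field names, the customer record and the candidate list are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Mapping, Optional

# Hypothetical allow-list: the only fields the analytics service is permitted
# to receive. Anything not listed (email, address, SSN ...) is dropped.
ANALYTICS_FIELDS = frozenset({"country", "plan", "signup_month"})


def minimise(record: Mapping[str, str], allowed=ANALYTICS_FIELDS) -> dict:
    """Data minimisation: keep only the fields the downstream purpose needs."""
    return {k: v for k, v in record.items() if k in allowed}


def _normalise(identifier: str) -> bytes:
    # Case and whitespace differences must not produce different pseudonyms,
    # or the same person would appear as several users downstream.
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: stable for one key, unlinkable without it.

    Destroying the key later makes every pseudonym unlinkable to a person,
    which is a clean way to honour erasure requests on derived data sets.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """The common mistake: an unkeyed hash of a guessable identifier."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def dictionary_attack(
    target: str, candidates: Iterable[str], hash_fn: Callable[[str], str]
) -> Optional[str]:
    """What an attacker holding the digest does: hash guesses until one matches."""
    for guess in candidates:
        if hmac.compare_digest(hash_fn(guess), target):
            return guess
    return None


def export_for_analytics(record: Mapping[str, str], key: bytes) -> dict:
    """Minimise the record and attach a keyed pseudonym in place of the email."""
    out = minimise(record)
    out["user_ref"] = pseudonymise(record["email"], key)
    return out


# Constructed sample data, not real customers.
CUSTOMER = {
    "email": "Alice@Example.com",
    "home_address": "1 Sample Street, Dublin",
    "country": "IE",
    "plan": "pro",
    "signup_month": "2023-04",
}
CANDIDATES = ["bob@example.com", "alice@example.com", "carol@example.org"]


def demo() -> dict:
    # In production the key lives in a secrets manager, never in the code base.
    key = secrets.token_bytes(32)
    exported = export_for_analytics(CUSTOMER, key)

    # An unkeyed hash of the same email is recovered from a short guess list ...
    cracked = dictionary_attack(naive_hash(CUSTOMER["email"]), CANDIDATES, naive_hash)
    # ... while the keyed pseudonym is not, because the attacker lacks the key.
    not_cracked = dictionary_attack(exported["user_ref"], CANDIDATES, naive_hash)

    return {"exported": exported, "cracked": cracked, "not_cracked": not_cracked}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points are worth writing into the control document alongside the code: the HMAC key is itself personal-data-adjacent and needs the same key-management discipline as an encryption key, and a keyed pseudonym is still personal data under GDPR (it is reversible by whoever holds the key), so it reduces risk but does not take the data set out of scope.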
Protecting your investment in business, people and technology demands a structured approach to designing a data privacy program. Gaining management support is the first port of call before any implementation, and it requires a business hat rather than a technical one. Once that support is established and funded, the work of designing controls into development, hiring the right talent, identifying privacy risks and delivering targeted training can commence and be sustained.
The future of data privacy regulation is likely to bring greater enforcement, rule refinements and updates, and more spin-off regulations, as we saw with the California Consumer Privacy Act (CCPA) and the proposed ADPPA (American Data Privacy and Protection Act).
As the privacy principles tell us, moving to being more proactive than reactive and leveraging automation are keys to success!