Implementing the 7 principles of privacy by design is perhaps the most important step for companies looking to comply with GDPR and other privacy laws, but it can also be the most challenging. Privacy laws are high level when it comes to implementation guidance and non-prescriptive about which technologies or processes to use. It is therefore important to have a detailed approach to compliance founded in best practice. Here are a few guidelines to make sure you are on track.
What encryption should I use for privacy by design controls?
Encryption is a universal requirement for privacy by design objectives, and an important thing to remember is to use current standards. For example, wireless encryption has moved to WPA3, while TLS 1.3 has superseded earlier versions of transport layer security. For data at rest, making sure that Transparent Data Encryption (TDE) is enabled and kept current on Azure SQL and Oracle databases is equally important. SIEM platforms such as Microsoft Sentinel (formerly Azure Sentinel) and vulnerability scanners such as Acunetix should be used to keep an eye on encryption levels across the enterprise, as regulators will expect due diligence in keeping encryption up to date. Automated key management systems such as IBM Tivoli Key Lifecycle Manager (TKLM) for IBM tape libraries, AWS KMS and Azure Key Vault should always be preferred over manual methods. The overhead of manual management creates a vulnerability when keys are stored outside a secure system and are not rotated.
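As an added illustration of the "use the latest standards" point (example code written for this article, not taken from any vendor's product), the following Python builds a server-side TLS context that refuses anything below TLS 1.3 and audits an arbitrary context against that floor. Only the standard library `ssl` module is used; the policy constant and the "compression disabled" check are assumptions chosen for the example.

```python
"""Added example: a hardened TLS 1.3-only server context next to a legacy one,
plus a small policy audit that can be pointed at any ssl.SSLContext.
Policy thresholds here are assumptions for illustration."""
import ssl
from typing import List

# Assumed policy floor, following the article's point that TLS 1.3 has superseded
# earlier versions. TLSVersion is an IntEnum, so versions compare numerically.
POLICY_MIN_TLS = ssl.TLSVersion.TLSv1_3


def legacy_context() -> ssl.SSLContext:
    """A context left at the interpreter defaults; it will still negotiate TLS 1.2
    (and, on older builds, earlier versions)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_context() -> ssl.SSLContext:
    """Server context pinned to TLS 1.3 with TLS-level compression disabled."""
    if not ssl.HAS_TLSv1_3:
        raise RuntimeError("this OpenSSL build has no TLS 1.3 support")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression enables CRIME-style attacks
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of policy findings for a context; empty means compliant."""
    findings = []
    if ctx.minimum_version < POLICY_MIN_TLS:
        findings.append(
            f"minimum TLS version is {ctx.minimum_version.name}, "
            f"policy requires {POLICY_MIN_TLS.name}"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "compliant")
```

The same `audit_context` function can be called on contexts created by an application's own TLS setup code, which is a cheap way to catch a server that silently falls back to TLS 1.2 after a library upgrade.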
How do I achieve transparency in processing?
The primary method for achieving transparency is online notices to consumers. GDPR requires that consumers be informed of what personal data is being used, who it is shared with, why it is being processed, how long it is retained and the legal basis for collection. See our Sample Online Policy for an example. Giving consumers control over how their data is processed supports the transparency requirement and is increasingly automated through consent management platforms (CMPs). These platforms ensure that consent preferences are honoured across multiple channels. In practice, this could mean that a customer opts out of any sharing of their data on a business website and that decision is respected across email and social media subscriptions as well.
What privacy access controls should I use?
Access controls are a key method of segmenting networks and restricting access to authorized personnel. The precursor to successful access controls is network and application documentation: the interface points between where personal data lives and where non-personal data lives need to be delineated. Application- and database-level access controls should be managed at a very granular level for privileged access to personal data. In addition to the usual security groups, network access lists on switches, firewall rules, MAC filtering and so on, there should also be a focus on API security. SOAP and REST have different security implementations, but both need to be considered in most enterprise environments. TechTarget provides excellent coverage of API security and its requirements. Logging of API calls, supported by traffic rate limiting and TLS encryption, is a key element of API security.
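To make the logging, rate-limiting and granular-access points concrete, here is an added example (written for this article, not code from TechTarget or any gateway product) that runs three checks over constructed API gateway log lines: a per-key sliding-window rate limit, enforcement of TLS 1.3, and an allow-list for routes that return personal data. The log format, thresholds, key names and route prefixes are all assumptions for the example.

```python
"""Added example: detection logic over constructed API log lines.
Checks: sliding-window rate limit per API key, TLS version policy, and an
allow-list for personal-data routes. All policy values are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not real traffic): one request per line, key=value fields.
SAMPLE_LOG = """\
2023-05-01T10:00:00Z key=svc-billing tls=TLSv1.3 method=GET path=/v1/customers/42 status=200
2023-05-01T10:00:01Z key=svc-billing tls=TLSv1.3 method=GET path=/v1/customers/43 status=200
2023-05-01T10:00:02Z key=svc-billing tls=TLSv1.3 method=GET path=/v1/customers/44 status=200
2023-05-01T10:00:03Z key=svc-billing tls=TLSv1.3 method=GET path=/v1/customers/45 status=200
2023-05-01T10:00:04Z key=svc-billing tls=TLSv1.3 method=GET path=/v1/customers/46 status=200
2023-05-01T10:00:05Z key=svc-billing tls=TLSv1.3 method=GET path=/v1/customers/47 status=200
2023-05-01T10:00:30Z key=svc-marketing tls=TLSv1.2 method=GET path=/v1/products status=200
2023-05-01T10:00:31Z key=svc-marketing tls=TLSv1.3 method=GET path=/v1/customers/42 status=200
2023-05-01T10:01:10Z key=svc-billing tls=TLSv1.3 method=GET path=/v1/customers/48 status=200
"""

# Assumed policy for the example.
RATE_LIMIT = 5                        # admitted requests per key per window
RATE_WINDOW = timedelta(seconds=60)
REQUIRED_TLS = "TLSv1.3"
PERSONAL_DATA_PREFIXES = ("/v1/customers",)   # routes that expose personal data
PERSONAL_DATA_ALLOWLIST = {"svc-billing"}     # keys authorised to call those routes


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyse(log_text: str) -> List[str]:
    """Return one finding per policy violation, in log order."""
    findings = []
    windows = defaultdict(deque)  # per key: timestamps of requests admitted in-window
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        key, ts, path = rec["key"], rec["ts"], rec["path"]

        # Sliding window: drop admitted timestamps that have aged out, then decide.
        # Rejected requests are not counted, so a burst cannot lock a key out forever.
        q = windows[key]
        while q and ts - q[0] >= RATE_WINDOW:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            findings.append(f"line {n}: {key} exceeded {RATE_LIMIT}/{RATE_WINDOW.seconds}s (would be 429)")
        else:
            q.append(ts)

        tls = rec.get("tls", "none")
        if tls != REQUIRED_TLS:
            findings.append(f"line {n}: {key} used {tls}, policy requires {REQUIRED_TLS}")

        if path.startswith(PERSONAL_DATA_PREFIXES) and key not in PERSONAL_DATA_ALLOWLIST:
            findings.append(f"line {n}: {key} not authorised for personal-data route {path}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the embedded sample, the sixth billing request within the minute is flagged as over the limit, the marketing call over TLS 1.2 is flagged, and the marketing key's read of a customer record is flagged as unauthorised, while the billing request at 10:01:10 is admitted because the earlier ones have aged out of the window.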
How do I keep up to date on privacy risks?
Knowing where to monitor privacy risks is an important part of keeping on top of potential problems. Every year, privacy reports and lists of violations are issued by EU data protection authorities such as the Irish DPC and the UK ICO, alongside threat reports from ENISA (the EU Agency for Cybersecurity) and cybercrime reports from Verizon, the FBI's IC3 and the Ponemon Institute, to name a few.
From an application perspective, OWASP's Top 10 Privacy Risks project and its countermeasures, combined with the TechTarget coverage mentioned in the previous section, are important guides for DevOps teams in the secure development process.
How do I train staff on data minimization and other privacy risks?
Research has shown that the same old slide decks and a box-ticking approach to training lead to apathy among staff and a general level of disengagement. Cyber-criminals do not share that apathy; they anticipate it and exploit organisations with ransomware and phishing scams.
It may sound obvious, but different areas have different privacy needs, and training programs should be designed to account for different risk profiles. For example, general staff training should address risks such as removable media, emailing confidential material and phishing, whereas web developers need to know about the principles of data minimisation, anonymisation of data, service encryption and access controls when designing software controls.
The same applies to marketing staff, who need to be educated on opt-in consent, data subject rights, and due diligence with email and physical media distribution.
Many off-the-shelf training providers adopt a one-size-fits-all approach and only make micro-adjustments from year to year, which does very little to help. Make sure that training follows a proven instructional design model and is much more scenario- and goal-oriented.
Protecting your investment in business, people and technology demands a structured approach to designing a data privacy program. Gaining management support is the first port of call before any implementation, and it requires a business hat rather than a technical one. Once support is established and funded, the work of designing controls into development, hiring the right talent, identifying privacy risks and delivering targeted training can commence and be sustained.
The future of data privacy regulation is likely to bring greater enforcement, rule refinements and updates, and more spin-off regulations, as we have seen with the California Consumer Privacy Act (CCPA) and the proposed American Data Privacy and Protection Act (ADPPA).
As the privacy principles tell us, moving to being more proactive than reactive and leveraging automation are keys to success!
Read our related article 10 Steps to designing the right data protection program
Visit our SHOP to see our training materials