Data protection by design and default
If you’ve been following our GDPR blog series, you’ll start to understand that the future of privacy cannot rely only on laws and regulation, but rather privacy has to be a modus operandi for all organizations. If we compare an enterprise with all its operations as one tall structure composed of numerous components, privacy should form its foundation, its base. It would be too late to react only when an infringement happens because without a firm foundation, the whole structure would have already collapsed. It is necessary to be proactive and prevent bad things from happening in the first place. That’s why one of the GDPR compliance measures is data protection by design and default.
Privacy by design first means data security: access to your data is strictly controlled on a need-to-know basis, and data should never be transferred unencrypted or made accessible to everyone. It also means designing systems to collect and process as little personal data as possible, taking only what is absolutely necessary to provide your service. Privacy by design also means making sure your systems can be extended with additional security controls later on.
Systems designed with privacy by design principles in mind must not collect data that is not required for providing services. So if you are designing systems for selling shoes, you don’t need to collect your customer’s biometric data, except maybe their shoe size.
You should also make it easy for your systems to delete personal data that will no longer be used. For example, a telecom company's system would delete all private data (call logs, metadata, etc.) after the legally mandated retention period once a customer cancels his or her account.
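The retention rule described above, as an added example that is not part of the original post: each data category gets a retention period counted from the day the customer cancels, a category with no rule is treated as a policy gap and refused rather than guessed, and the purge produces an audit trail that records what was deleted without retaining the deleted content. The retention periods, record layout and sample data are constructed assumptions for illustration; real periods come from the law that applies to you and your retention policy.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Retention per data category, counted from the cancellation date.
# Illustrative assumptions only; the real values are set by law and policy.
RETENTION_AFTER_CANCELLATION = {
    "call_log": timedelta(days=180),
    "billing_record": timedelta(days=365 * 2),
    "marketing_preference": timedelta(days=0),  # nothing justifies keeping it after cancellation
}


class RetentionPolicyGap(Exception):
    """A record whose category has no retention rule: fail closed, do not guess."""


def is_expired(record: dict, cancellations: Dict[str, datetime], now: datetime) -> bool:
    """True when the customer has cancelled and the category's retention period has run out."""
    subject = record["subject_id"]
    if subject not in cancellations:
        return False  # active customer: the retention clock has not started
    try:
        keep_for = RETENTION_AFTER_CANCELLATION[record["category"]]
    except KeyError:
        raise RetentionPolicyGap(record["category"])
    return now - cancellations[subject] >= keep_for


def purge_expired(records: List[dict], cancellations: Dict[str, datetime],
                  now: datetime) -> Tuple[List[dict], List[dict]]:
    """Return (records to keep, audit entries). The audit entry names the subject and
    category only, so the evidence of deletion does not itself retain the personal data."""
    kept, audit = [], []
    for record in records:
        if is_expired(record, cancellations, now):
            audit.append({
                "subject_id": record["subject_id"],
                "category": record["category"],
                "deleted_at": now.isoformat(),
            })
        else:
            kept.append(record)
    return kept, audit


# Constructed sample data: one cancelled customer (212 days ago) and one active one.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
CANCELLATIONS = {"cust-001": datetime(2017, 11, 1, tzinfo=timezone.utc)}
RECORDS = [
    {"subject_id": "cust-001", "category": "call_log", "called": "+000 000 0000"},
    {"subject_id": "cust-001", "category": "billing_record", "amount": "12.00"},
    {"subject_id": "cust-001", "category": "marketing_preference", "opt_in": True},
    {"subject_id": "cust-002", "category": "call_log", "called": "+000 000 0001"},
]

if __name__ == "__main__":
    kept, audit = purge_expired(RECORDS, CANCELLATIONS, NOW)
    print("kept:", kept)
    print("audit:", audit)
```

Run it as a scheduled job rather than on demand: the billing record survives because its period has not yet elapsed, the call log and marketing preference are removed, and the active customer's data is untouched.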
According to the GDPR, data protection by design and default means that the company needs to implement appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed. Principles like data minimization and storage limitation play an important role here. Pseudonymization is also one of the recognized techniques in data protection by design. By pseudonymization we mean taking a piece of personal data and replacing it with something made up, a pseudonym. That way the data is still unique, but not tied to the real person. Furthermore, a well-executed data protection impact assessment creates a strong foundation for data protection by design and default.
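Pseudonymization as described above, as an added example that is not part of the original post: direct identifiers are replaced with a keyed HMAC so the same customer always maps to the same pseudonym (repeat orders can still be joined), the secret key and the re-identification table are kept by one access-controlled component while everything downstream sees only the pseudonymized rows, and erasing the mapping turns that person's pseudonymized rows into data nobody can tie back to them. The class, field names and sample orders are constructed assumptions for illustration. An unkeyed hash of an email address would not be a sound pseudonym, since anyone holding a list of candidate addresses can recompute it; the key is what stops that.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample orders; the people and addresses are invented.
ORDERS = [
    {"email": "Anna@example.com", "country": "FI", "shoe_size": 38},
    {"email": "ben@example.com", "country": "DE", "shoe_size": 44},
    {"email": "anna@example.com ", "country": "FI", "shoe_size": 38},  # same customer, untidy input
]

DIRECT_IDENTIFIERS = ("email",)


class Pseudonymizer:
    """Holds the secret key and the pseudonym -> identifier table.

    In a real deployment this object is the separate, access-controlled service;
    the analytics side only ever receives the output of pseudonymise()."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    @staticmethod
    def _canonical(identifier: str) -> str:
        # Normalise so "Anna@example.com " and "anna@example.com" are the same person.
        return identifier.strip().lower()

    def pseudonym(self, identifier: str) -> str:
        """Deterministic, keyed pseudonym: stable for joins, not reversible without the key."""
        mac = hmac.new(self._key, self._canonical(identifier).encode("utf-8"), hashlib.sha256)
        return "cust_" + mac.hexdigest()[:32]

    def pseudonymise(self, record: dict, fields: Iterable[str] = DIRECT_IDENTIFIERS) -> dict:
        """Return a copy of the record with direct identifiers replaced by pseudonyms."""
        out = dict(record)
        for field in fields:
            if field in out:
                p = self.pseudonym(out[field])
                self._lookup[p] = self._canonical(out[field])
                out[field] = p
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the component holding the table can go back to the real identifier."""
        return self._lookup.get(pseudonym)

    def erase(self, identifier: str) -> bool:
        """Drop the mapping for one person; their pseudonymised rows stay usable in aggregate
        but can no longer be linked to them. Returns True if a mapping existed."""
        return self._lookup.pop(self.pseudonym(identifier), None) is not None


if __name__ == "__main__":
    service = Pseudonymizer()
    for row in (service.pseudonymise(o) for o in ORDERS):
        print(row)
```

The key must be stored and rotated like any other secret; if it leaks, the pseudonyms can be recomputed from guessed inputs, and if it is lost, the stable join between old and new rows is lost with it.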
Data protection policies, with proof of their implementation, are a good way to demonstrate compliance.
What is a policy?
Policies are documents that define the organization's objectives and set principles on how, what, and when things should be done. They must be enforceable, concise, easy to understand, and balance protection with productivity. Examples of the policies you should have include:
- Data access policy
- Data breach policy
- Data retention policy
- GDPR policy (this mandates that your company complies with the GDPR)
For policies to be effective they should meet certain conditions and be implemented and supported through the organization's own processes and procedures. You therefore need to state the purpose and scope of each policy, define responsibilities, and set at least one objective and the legal framework it rests on.
The world around you will keep changing, and so will your business and the tools you use, so review your policies regularly and update them when necessary. Making sure you do not paint yourself into a corner is one of the key goals of a well-thought-out and well-designed privacy approach. Herein also lies the value of having a DPO, a data protection officer: someone who owns these efforts over the long term.
So we know how important it is to secure all personal data and which policies we should have in place, but as the recent news about Sears and Delta, the UK retail bank TSB, and Uber shows, data breaches unfortunately do happen.
The GDPR defines a personal data breach as a breach of security leading to the accidental and/or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
A data breach happens because an entity has been exposed to both a threat and a vulnerability. As the EU GDPR: an implementation and compliance guide explains: “A threat without a vulnerability to exploit is no risk, and a vulnerability with no threat to exploit it is also not a risk. We need to have both in order for a data breach to occur.” A threat is an unwanted incident that has the potential to cause serious damage. The threat can be a cyber criminal, a malicious insider, or an oblivious member of staff. Personal data breaches include:
- Access by an unauthorized third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
So what should you do when you become aware of a data breach?
First, establish the likely risks to the rights and freedoms of the people impacted. If they are at risk, you need to notify the supervisory authority of the personal data breach within 72 hours. Otherwise you do not have to report it, but you should be able to justify that decision, so keep detailed records of everything that happened. The controller therefore needs to document the effects of the personal data breach and the remedial actions taken in order to demonstrate compliance. You should also communicate the personal data breach to your customers and users without undue delay, in clear and plain language.
For example, suppose a hospital discovers a data breach in which all patients' personal records were stolen. As the records contain sensitive data, the impact will obviously result in a risk to the rights and freedoms of those people, so you must report it. On the other hand, if a librarian accidentally erases all personal information of the library's members but all of the data can be restored from backups, it is unlikely to result in a risk to the members' rights and freedoms, so it is not necessary to inform them about the breach.
When you have to notify the local public authority responsible for the GDPR (the supervisory authority), the notification should contain:
- A description of the nature of the personal data breach
- The categories of data, and the approximate number of records and people affected
- The contact details of the DPO
- The likely consequences of the personal data breach
- A description of the measures the controller has taken, or proposes to take, to address the personal data breach
A personal data breach can cause not only material and physical damage to the people affected but also emotional distress. So it is extremely important that data breaches are dealt with promptly and assessed thoroughly in order to minimize the consequences for individuals.
For enterprises and organizations that want to manage vulnerabilities and threats and mitigate their risk effectively, you can see why adopting a data privacy mindset by design and default puts you in the right frame of mind. Thinking through and putting in place the systems and policies that secure your information is a good way to start. This includes the interactions of people, processes, and technology. I hope this post has given you some ideas on the next steps you can take to make that happen in your company.
We will talk more about the risks and security of the data in our next blog post.