GDPR-platform-sh-Data-protection-by-design-and-default-Data-breach-policy
Blog

Data protection by design and default

ivana
Ivana Kotur

If you’ve been following our GDPR blog series, you’ll start to understand that the future of privacy cannot rely only on laws and regulation, but rather privacy has to be a modus operandi for all organizations. If we compare an enterprise with all its operations as one tall structure composed of numerous components, privacy should form its foundation, its base. It would be too late to react only when an infringement happens because without a firm foundation, the whole structure would have already collapsed. It is necessary to be proactive and prevent bad things from happening in the first place. That’s why one of the GDPR compliance measures is data protection by design and default.

Privacy by design-first means data security, where your data access is strictly controlled on a need-to-know basis and it should never be transferred unencrypted or made accessible to everyone. It also means you need to design systems to collect and process as little private data as possible and take what is absolutely necessary as part of your service provision. Privacy by design also means making sure that it is possible to optimize your systems to add additional security systems later on.

Systems designed with privacy by design principles in mind must not collect data that is not required for providing services. So if you are designing systems for selling shoes, you don’t need to collect your customer’s biometric data, except maybe their shoe size.

You should also make it easy for your systems to delete private data that will no longer be used. For example, a Telecom company’s system would delete all private data - call logs, metadata, etc - after the legally mandated retention period when a customer cancels his or her account.

According to the GDPR, data protection by design and default means that the company needs to implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. Principles like data minimization and storage limitation play an important role here. Pseudonymization is also one of recognized techniques in data protection by design. By pseudonymization we mean taking a piece of private data and replacing it with something made up, a pseudonym. That way the data is still unique, but not tied to the real person. Furthermore, a well executed data protection impact assessment creates a great foundation for data protection by design and default.

Data protection policies, with proof of their implementation, are a good way to demonstrate compliance.

 

What is a policy?

Policies are documents that define the organization’s objectives and set principles on how, what, and when things should be done. They must be enforceable, concise, easy to understand, and balance protection with productivity.

How many times have you ticked the “I have read and agreed to the terms and conditions” box without really reading it? All the time, right? Most of us do that, because who wants to read long and boring legal talk? That’s why the privacy policy needs to be written in simple language that’s easy to understand and accessible to everyone. The Guardian for example, uses a video animation to describe its privacy policy.

The privacy policy that you should publish on your website presents an organization’s complete data protection policy. You should not process any personal data of a person without giving some key information about it (e.g. the categories of data you are collecting, how the data will be used and the possible transfer of personal data to third parties). Remember, processing needs to be fair.

Besides the privacy policy you should consider implementing the following policies as well:

  • Data access policy

  • Data breach policy

  • Data retention policy

  • Security policy

  • Password policy

  • GDPR policy (this mandates that your company complies with the GDPR)

In order for policies to be effective they should meet certain conditions and be implemented and supported according to each own processes and procedures. You therefore need to check the purpose of the policy and its scope, as well as define responsibilities and at least one objective and legal framework.

The universe around you will be changing so your business and the tools you use will also change therefore review your policies regularly to update them when necessary. Making sure you do not paint yourself into a corner is one of the key goals of implementing a well-thought and designed privacy approach. Herein also lies the value of having a DPO - a data protection officer, someone that owns these efforts over the long term.

 

Data breaches

Ok so we know how important it is to secure all personal data and the policies we should have in place but as the latest news of Sears and Delta, UK bank retailer TSB, and Uber show, unfortunately data breaches do happen.

The GDPR defines a personal data breach as a breach of security leading to the accidental and/or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.  

A data breach happens because an entity has been exposed to a threat and a vulnerability. As the EU GDPR: an implementation and compliance guide explains: “A threat without a vulnerability to exploit is no risk, and a vulnerability with no threat to exploit it is also not a risk. We need to have both in order for a data breach to occur.” A threat is an unwanted incident, that has potential to cause serious damage. Threat can be a cyber criminal, a malicious insider or an oblivious member of staff.

A personal data breach can include:

  • Access by an unauthorized third party

  • Deliberate or accidental action (or inaction) by a controller or processor

  • Sending personal data to an incorrect recipient

  • Computing devices containing personal data being lost or stolen

  • Alteration of personal data without permission

  • Loss of availability of personal data

So what should you do when you become aware of a data breach?

First, establish the likely risks to the rights and freedoms of the people impacted. If they are at risk then you need to notify the personal data breach to the supervisory authority within 72h. Otherwise, you do not have to report it, but you should be able to justify the decision, so keep detailed records of everything that happened. The controller therefore needs to document the effects of the personal data breach and the remedial actions to demonstrate compliance. You should also communicate the personal data breach to your customers and users without undue delay, in clear and plain language.

For example, a hospital has discovered a data breach, which resulted in all personal records of patients being stolen. As the personal records contain sensitive data, it is obvious that the impact will result in a risk to the rights and freedoms of people, therefore you must report it. On the other hand, a librarian accidentally erased all personal info of their members but since all the data can be restored from the backups, it is unlikely to result in a risk to the library members rights and freedoms, therefore it is not necessary to inform them about the breach.

In the case when you have to notify your local public authority that’s responsible for GDPR (Supervisory Authority) the notification should contain:

  • A description of the nature of the personal data breach

  • Categories of data and approximate number of records and the people affected

  • Contact details of the DPO

  • Likely consequences of the personal data breach

  • Descriptions of the measures that the controller has taken or proposed to be taken to address the personal data breach

A personal data breach can result not only cause material and physical damage to people, but also in emotional distress for victims affected. So, it is extremely important that data breaches haves been dealt with promptly and assess thoroughly in order to minimize the consequences to individuals.

For enterprises and organizations who want manage vulnerabilities and threats and mitigate the risk of threats effectively, you can understand why adopting a data privacy mindset by design and default will help put you in the right frame of mind. Thinking and putting in place the systems and policies to secure your information is a good way to start. This includes the interactions of people, processes and technology. I hope this post has started giving you ideas on the next steps you can take to make that happen in your company.

We will talk more about the risks and security of the data in our next blog post.