Privacy and Security by Design has been a best-practice development approach for years, but it has not been consistently adopted as a fundamental industry standard. In fact, the lack of standardization surrounding data privacy practices has prompted the European Union to implement the General Data Protection Regulation (GDPR), which applies to any company that processes the personal data of individuals in the EU, wherever that company is based. GDPR makes Privacy and Security by Design a binding requirement (Article 25, "data protection by design and by default"), and companies found in noncompliance face fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher.
The best way that organizations can prepare for the age of GDPR is to ensure that privacy requirements are directly addressed in every step of the software development process, from brainstorming through release. For those uncertain about how to start, here are a few helpful steps.
After appointing a Data Protection Officer (mandatory for public authorities and for organizations whose core activities involve large-scale systematic monitoring or large-scale processing of special categories of data, and advisable for everyone else), the next step is creating a data map: a record of what personal data is held, where it resides, why and on what lawful basis it is processed, who can access it, and where it flows, including to third-party processors and across borders. Technical controls from asset management support this work: data classification and labeling, database inventory and management, and access management. Together they let an organization state precisely where its personal data lives, how it is processed, and who accesses it, which is also the information GDPR's record of processing activities (Article 30) requires.
Next comes continuous monitoring of access control and database access, a process that must be expressly designed and implemented rather than assumed. Large organizations in particular benefit from feeding database audit logs, identity provider events, and application logs into a Security Information and Event Management (SIEM) system, which centralizes them, normalizes the different formats, and correlates events across sources. The SIEM must be configured to retain and integrity-protect the logs, to analyze them, and to raise real-time alerts on key triggers such as bulk reads of tables that hold personal data, access by roles not entitled to them, or access at unusual times. One caveat practitioners often miss: the logs themselves contain personal data (user names, IP addresses, record identifiers), so the SIEM needs its own access controls and retention limits.
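The kind of trigger rules described above, as an added example that is not part of the original article: a small detector run over constructed database audit-log lines. The log format, the table classified as personal data (`customers`), the permitted roles, and the thresholds are all assumptions standing in for what a SIEM would pull from the data map and the access-management system.

```python
"""Detection rules for access to tables the data map labels as personal data.
Illustrative only: the log format, table names, roles and thresholds below are
assumptions standing in for a SIEM's normalised events and asset inventory."""
import re
from datetime import datetime, timezone

# Constructed sample audit-log lines (not real data).
SAMPLE_LOG = """\
2018-05-03T09:14:09Z user=alice role=support db=crm table=customers op=SELECT rows=12 src=10.0.5.20
2018-05-03T09:15:41Z user=alice role=support db=crm table=customers op=SELECT rows=7 src=10.0.5.20
2018-05-03T02:40:02Z user=svc_report role=reporting db=crm table=customers op=SELECT rows=120000 src=10.0.9.7
2018-05-03T11:02:55Z user=bob role=marketing db=crm table=customers op=SELECT rows=3 src=10.0.5.31
2018-05-03T11:03:10Z user=bob role=marketing db=crm table=orders op=SELECT rows=40 src=10.0.5.31
2018-05-03T11:30:00Z user=alice role=support db=crm table=customers op=DELETE rows=1 src=10.0.5.20
"""

# From the data map: tables classified as holding personal data (assumption).
PERSONAL_DATA_TABLES = {"customers"}
# From access management: roles entitled to touch those tables (assumption).
ALLOWED_ROLES = {"support", "reporting"}
BULK_ROW_THRESHOLD = 10_000      # one statement touching this many rows looks like an export
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 UTC; access outside this window is unusual

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<kv>.+)$")


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev.get("rows", "0"))
    return ev


def evaluate(log_text):
    """Return (rule, user, table, timestamp) alerts for personal-data table access."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("table") not in PERSONAL_DATA_TABLES:
            continue  # unparseable, or not a personal-data table: out of scope here
        ts = ev["ts"].isoformat()
        if ev.get("role") not in ALLOWED_ROLES:
            alerts.append(("UNAUTHORIZED_ROLE", ev["user"], ev["table"], ts))
        if ev["rows"] >= BULK_ROW_THRESHOLD:
            alerts.append(("BULK_ACCESS", ev["user"], ev["table"], ts))
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS", ev["user"], ev["table"], ts))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(*alert)
```

On the sample above the rules fire three times: the reporting service account's 120,000-row read at 02:40 trips both the bulk and off-hours rules, and the marketing user's read of `customers` trips the role rule; the same user's read of `orders` is ignored because that table is not classified as personal data. Real deployments would also alert on lines the parser rejects, since a gap in telemetry from a personal-data store is itself worth investigating.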
Organizations also need to identify what personal data must be kept and for how long, document the lawful basis for each processing activity (consent being only one of them), and build in the data subject rights GDPR grants: access, rectification, portability, objection, and erasure (the right to be forgotten). Retention must be defensible, which means a documented purpose and a retention period rather than "we might need it later." After this, it is about assembling a coherent set of technical controls that act as security measures, including (but not limited to) encryption of data at rest and in transit, pseudonymisation where the use case allows it, and network and database segmentation. These should follow a risk-based approach and be tailored to the real business needs and use cases of the organization.
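One technique that ties encryption at rest to the right to erasure is crypto-shredding: each data subject's records are encrypted under that subject's own data-encryption key, so honouring an erasure request means destroying one key rather than locating every copy of the ciphertext in backups, replicas and exports. The following is an added example, not code from the original article; the in-memory key table and record store are stand-ins for a KMS/HSM and a database, and the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a dependency-free stand-in for AES-GCM from a vetted library.

```python
"""Crypto-shredding: one data-encryption key (DEK) per data subject, so erasure
is key destruction. Illustrative example; the key table and record store are
in-memory stand-ins for a KMS/HSM and a database. The cipher below is an
HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag, used only to
keep the example dependency-free; production code should use AES-GCM from a
vetted library."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(dek, label):
    # Domain-separated subkeys so the keystream PRF and the MAC never share inputs.
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 over (nonce || counter) as a PRF-based keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(dek, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(dek, blob):
    """Verify the tag in constant time before decrypting; reject tampered ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SubjectErased(Exception):
    """Raised when a record's subject key has already been destroyed."""


class PersonalDataStore:
    def __init__(self):
        self._keys = {}     # subject_id -> DEK; held in a KMS/HSM in production (assumption)
        self._records = {}  # record_id -> (subject_id, ciphertext); backups hold the same

    def store(self, subject_id, record_id, plaintext):
        dek = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        self._records[record_id] = (subject_id, seal(dek, plaintext))

    def read(self, record_id):
        subject_id, blob = self._records[record_id]
        dek = self._keys.get(subject_id)
        if dek is None:
            raise SubjectErased(subject_id)
        return open_sealed(dek, blob)

    def erase_subject(self, subject_id):
        """Right to erasure: destroy the key. Ciphertext copies may linger in
        backups and replicas, but none of them can be decrypted any more."""
        return self._keys.pop(subject_id, None) is not None

    def ciphertext_present(self, record_id):
        return record_id in self._records
```

The design choice worth noting is that the record store never learns the keys and the key store never sees the data, so the two can live under different access controls; the erasure audit trail then consists of a single key-destruction event per subject, which is much easier to evidence than deletions across every replica and backup set.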
Finally, and most importantly, organizations should always prepare for the worst. This means detecting, recording, tracking, and reporting all personal data complaints, incidents, and breaches in a timely fashion. Under GDPR, a breach that is likely to put individuals' rights at risk must be reported to the supervisory authority within 72 hours of becoming aware of it (Article 33), so the detection, triage, and escalation path has to be designed and rehearsed before it is needed.
GDPR will drive a paradigm shift in the worlds of information technology and information systems. It is a sign of the changing times, and of the trend toward lawmakers extending their reach into the technology domain. Technologists must start to design, develop, and deploy systems with privacy in mind from the start, as an integral part of the product or service. Organizations should take care to thoroughly research and understand the implications of privacy, and implement a risk-based approach to deliver the embedded and integrated security controls that satisfy the "Privacy and Security by Design" requirements of new regulations and legislation like GDPR.
For further reading check out this infographic on preparing for GDPR in the enterprise.