Privacy by design and how to do it well
20 March 2018
In the second of a two-part series, Hadi Hosn, Director of Cyber Security Solutions EMEA at SecureWorks, sets out strategies for integrating privacy by design into processes and applications.
What should businesses think about when creating processes or apps?
When integrating privacy by design into new processes and applications, the business needs to involve its data protection representatives early in the project, so that data protection and security requirements are defined up front and built into the design rather than retrofitted after launch.
The key data protection considerations revolve around the following six domains:
- Governance & Oversight: ensuring the right data protection clauses are in place with any third parties acting as data processors for the new application or process.
- People: ensuring all staff members who may handle personal data in the course of their duties are adequately trained. This reduces the risk of data being mishandled, and of the costly and damaging legal action that can follow. It also means defining roles and responsibilities for handling data breaches and for collecting the information that will be shared with the regulator in the event of a breach.
- Process: defining data handling processes and data breach notification processes in line with GDPR requirements. Sharing the processes with the teams handling the data on a daily basis to ensure they are followed and measured.
- Communication: defining the communication plan and mechanisms, including who is responsible for communicating with customers and regulators and when this communication is required.
- Data: ensuring data is only kept for as long as required by the business. Covering data discovery, data lifecycle and documentation of data flows.
- Security: ensuring the security teams are involved in the design phase of the project to implement and integrate the necessary controls to protect the personal data.
What steps should businesses implement for privacy by design and by default?
One of the key activities businesses should implement for data protection by design is a Data Protection Impact Assessment (DPIA) methodology and approach.
The DPIA is a risk assessment framework with a data protection and privacy focus. Under GDPR it is mandatory where processing is likely to result in a high risk to individuals, and it is good practice for any new IT system, third party, business process, team or activity that will process or handle personal data in scope of GDPR. By carrying out a DPIA, the data protection representatives can identify the data protection risks in a new system or project and define mitigation plans to reduce those risks to an acceptable level. It can also be used to design more efficient and effective processes for handling personal data.
The steps required to complete a full DPIA include:
Step 1 – identify if a DPIA is needed
As a starting point, the organisation needs to answer some screening questions to identify whether the project has a potential impact on data protection and privacy. A "yes" to any of the following indicates that a DPIA is likely to be required:
- Are new technologies going to be implemented by the project to process personal data in scope of GDPR?
- Will the project involve automated data processing and decision making or profiling?
- Is a large volume of personal data being processed or planned to be processed by the project?
- Is personal data being transferred outside the EU/EEA?
- Will personal data be processed in ways which individuals might not reasonably expect?
Step 2 – complete the DPIA template for the project
The DPIA covers the following domains, which should be facilitated by the data protection representative and completed by the project teams:
- Personal data workflow specifics
  - Description of processing
  - Information owner / risk owner
  - Is the organisation a data controller or a data processor?
  - How is the data collected?
  - Details of the systems containing personal data
  - Who has access to the data?
  - Is the data shared with third parties or other teams?
  - Approximate volume of data processed
  - Types of data (name, address, DOB, etc.)
- Threats and risks
  - What could happen as a result of a failure of the process?
  - What are the vulnerabilities / weaknesses in the system / process?
  - What is the likelihood of the threat?
  - What is the impact to the organisation and to the individuals concerned?
- Risk mitigation recommendations
  - What actions can the organisation implement to reduce the threats and risks identified?
  - Who owns each action?
  - When does each action need to be completed by?
- Document the findings and recommendations
- Feed the results into the solution design
Step 3 – regularly review the actions and owners
Conduct regular reviews of the actions documented in the DPIA and ensure owners are completing their responsibilities. Also review whether the identified risks and the overall risk profile are still within the organisation's acceptable risk tolerance, and repeat the assessment if the scope of the processing changes.