In the first of a two-part installment, Hadi Hosn, Director of Cyber Security Solutions EMEA at SecureWorks, gets right to the heart of what privacy by design is and why businesses should take note.
What is privacy by design?
One of the key changes due to be enforced under the General Data Protection Regulation (GDPR) when it goes live in May 2018 is the principle of data protection by design. GDPR introduces the concept of data protection by design as a way to ensure that data protection considerations in projects and processing decisions are not bolted on as an afterthought or ignored altogether, but are instead considered from the start, in the early stages of design.
The requirement was introduced as a way to eliminate insecure business processes, software and agreements with third parties that could jeopardise personal data and result in a data breach. Data protection by design applies to:
- Building new IT systems for storing, accessing and processing personal data;
- Developing data protection or information security policies that have privacy implications, for example secure development lifecycle policies, third party security assurance, etc.;
- Agreeing with a new third party a data controller / data processor relationship;
- Setting up a new business process to handle personal data in scope of GDPR.
Let’s take the example of building a new IT system for storing, accessing and processing personal data. As a general theme, and in the current mode of operation, it is common to hear data protection and security teams across organisations struggle to integrate security controls into projects, software development lifecycles and business processing decisions early in the process.
Data protection is usually an afterthought, and there is typically a rush to secure a system or application before the go-live deadline. This reduces the value the data protection team can provide, as they are not directly enabling the business.
With the principle of data protection by design, the new IT system development process is broken down into individual phases, and each phase will have data protection requirements integrated into the IT system. Typical system development lifecycles consist of the following phases:
Within each of the above phases, data protection requirements need to be integrated into the activities and processes to ensure the privacy by design principle is met. Below are the same development phases with the integration of data protection requirements.
- Establish data protection principles for the application / system
- Carry out a Data Protection Impact Assessment (DPIA)
- Establish design requirements which include data protection requirements and technical security requirements such as encryption and access management
- Analyse attack surface
- Carry out threat modelling
- Use approved development tools that will not expose the data to unauthorised access
- Eliminate or disable unsafe functions of the IT system
- Carry out static code testing and analysis
- Carry out dynamic code testing to identify bugs and vulnerabilities and address those immediately prior to release
- Review the attack surface analysis
- Define an incident response plan / breach notification plan, which includes the collection of the information necessary to inform the regulator of a breach within 72 hours (or extend the existing incident response plan to cover this new IT system)
- Train relevant stakeholders on the incident response plan to ensure they are aware of their responsibilities
- Carry out a final security review of the IT system using an approved method, for example penetration testing of the IT system or application
- Execute the incident response plan in the event of a data breach
The Privacy by Design framework employs an approach that is characterised by proactive rather than reactive measures. The core concept is to anticipate and prevent data breaches before they happen.
The current EU Data Protection Directive does not have any requirement or obligation stating that privacy should be an important consideration at the design stage of any project. However, the Directive does require data controllers to implement appropriate technical and governance measures to protect personal data against unlawful processing.
Some organisations have established mature data privacy and protection by design principles to align with the existing Directive’s requirements. The difference now is that all organisations in scope of GDPR will need to implement appropriate technical and governance measures to ensure that privacy and the protection of data are no longer an afterthought and are considered throughout the project.
Why does it matter?
The ideas behind data protection by design have been pitched by security and data protection teams to business stakeholders and IT development teams for years, and the regulation is now bringing these concepts to life. The reason it matters is the return on investment of considering security and data protection early in the design phase.
There is less risk of having to change the system or process substantially after it is implemented because of security vulnerabilities; it does not require a large investment in security testing and security architecture consulting, because security and data protection specialists have been involved in the design and have therefore already considered good-practice architecture and data protection controls; and overall it minimises the risk of a data breach and the penalties associated with one.
To summarise the reasons why this is important:
- Security issues and vulnerabilities are identified early in the process and are immediately addressed or fixed
- Increased awareness across the business teams and technical development IT teams on the importance of including data protection by design
- The organisation is more likely to meet the requirements of GDPR, and reduce the risk of a personal data breach