The currently valid piece of legislation, the Data Protection Directive, makes no requirements regarding ‘privacy by design’ or anything similar. The GDPR does. The aim is simple: the best way to ensure there are no data breaches or privacy violations is to handle data properly from the start. The old proverb ‘An ounce of prevention is worth a pound of cure’ aptly describes the principle underlying the GDPR.
Ensuring the safety of personal data is one of the main obligations of organisations that collect and process it (data controllers and processors, respectively). Under the GDPR, the protection of personal data therefore begins the moment it is collected rather than being an afterthought. Treating it as an afterthought often has catastrophic consequences, yet such short-sighted decisions are very common.
The lawmakers recognised this and adopted a carrot-and-stick approach. The looming threat of huge fines should be incentive enough for organisations to invest in systems of good practice, which should cost them far less than an exorbitant fine of up to EUR 20 million or 4 percent of global annual turnover, whichever is greater.
What Privacy by Design Entails
Within the GDPR, data security and privacy go hand in hand. The Regulation makes no direct reference to privacy-enhancing technologies, but encryption and pseudonymisation feature very prominently in it. Furthermore, one of the main guidelines of the GDPR is so-called data minimisation: an organisation should always hold as little data as possible on its users (or other individuals), only to the extent necessary for the provision of services (legally speaking, for the performance of contracts) and no more. Data that is not necessary should be destroyed at once.
Article 25(2) of the GDPR specifically requires that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual’s intervention. This applies mostly to social networks, which must ensure this does not occur.
Processing should also be minimal and only as required, and the accessibility of data to others should likewise be minimal. All this requires extensive technical and organisational measures; otherwise, how would employees know which data is important and which is not?
It is prudent to redesign certain processes with this minimalist viewpoint in mind. Revise your forms and questionnaires: do you require more data than necessary? If so, this could be an issue. Do you automatically delete old, unnecessary data? Do you use the data for purposes other than those the individual explicitly agreed to? If so, these are grave violations of the GDPR provisions.
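The form review, pseudonymisation and deletion of stale data described above can be turned into a repeatable check. The following is an added example written for this article, not code from any regulator or product: it takes a constructed sign-up record, keeps only the fields an assumed service contract needs, flags the rest (with special-category fields called out separately), pseudonymises the direct identifiers with a keyed hash whose key is held apart from the data, and tests whether a record has outlived an assumed retention period. The field lists, the record and the key are all assumptions made for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample sign-up record (not from any real system).
RAW_SIGNUP = {
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "date_of_birth": "1990-04-12",
    "mother_maiden_name": "Smith",
    "blood_type": "A+",
    "marketing_opt_in": False,
}

# Assumption: these are the only fields the service contract actually needs.
REQUIRED_FOR_SERVICE = {"email", "full_name", "marketing_opt_in"}

# Fields that fall under the GDPR's special categories (Article 9) and would need
# an explicit legal basis of their own; collecting them "just in case" is a finding.
SPECIAL_CATEGORY = {"blood_type"}

# Fields that directly identify a person and should be pseudonymised before the
# record is used anywhere the real identity is not needed (analytics, test data).
DIRECT_IDENTIFIERS = ("email", "full_name")


def review_form(record, required):
    """Apply data minimisation: keep only required fields, report the rest."""
    kept = {k: v for k, v in record.items() if k in required}
    findings = []
    for field in sorted(set(record) - set(required)):
        if field in SPECIAL_CATEGORY:
            findings.append(f"{field}: special-category data collected without need")
        else:
            findings.append(f"{field}: collected but not needed for the service")
    return kept, findings


def pseudonymise(value, key):
    """Keyed hash (HMAC-SHA256) of an identifier. Without the key, which is kept
    separately from the data set, the output cannot be linked back to the person;
    that separately held key is the 'additional information' of Article 4(5)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record, key):
    """Replace every direct identifier in the record with its pseudonym."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymise(out[field], key)
    return out


def retention_expired(last_activity_iso, today_iso, retention_days):
    """True when a record has outlived its retention period and should be deleted."""
    last = date.fromisoformat(last_activity_iso)
    today = date.fromisoformat(today_iso)
    return today - last > timedelta(days=retention_days)


if __name__ == "__main__":
    kept, findings = review_form(RAW_SIGNUP, REQUIRED_FOR_SERVICE)
    for f in findings:
        print("finding:", f)
    # Constructed key for the demonstration; in practice it lives in a key store,
    # separate from the pseudonymised data.
    print(pseudonymise_record(kept, b"constructed-demo-key"))
    print("expired:", retention_expired("2016-01-01", "2017-06-01", 365))
```

Run as a script it prints the three findings (date of birth, mother's maiden name and blood type are collected without need), the pseudonymised record, and an expiry verdict. A keyed hash rather than a plain SHA-256 is used because an unkeyed hash of an e-mail address can be reversed by anyone who can guess candidate addresses, which would defeat the purpose of pseudonymisation.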
Internal Security Measures
The GDPR itself mentions a few measures that can be taken to ensure the security and privacy of data. Along with the pseudonymisation and encryption mentioned above, transparency and monitoring of data processing also play an important role.
In short, an internal data protection system is required. Most of the time this will include some form of automation, but an organisation’s employees should also be trained to perform privacy impact assessments (PIAs). A Data Protection Officer, mandatory in organisations that regularly process personal data, is naturally one of the key figures in establishing a PIA system.
The evaluation of privacy impact should begin even before the product (a new service, for example) is implemented. Its potential risks should be evaluated with all stakeholders, and any privacy-related issues should be discussed immediately. External consultation with certified experts can steer a project towards a proper data security design before it begins, yielding large cost and time savings later.
Not all data is the same, though, and a risk assessment system can take into account the effect a breach would have on the individual whose data has been lost. The approach to data security is very different for data about a person’s health or very intimate matters than for a name or address, which are publicly available data. Obviously, the former requires much tighter protection. Data is generally categorised into four impact levels. A breach of low-impact data is only a minor annoyance; breaches of medium- and high-impact data are more serious; and a breach of severe-impact data may cause severe harm to the person. Because the stakes are high, certification and proper training are stressed, to help employees make informed decisions.
Generally, a matrix-style assessment is employed, taking into account two variables: the severity of the impact and the probability that a threat occurs. The more severe the impact and the greater the risk that the data could be compromised, the more stringent the safeguards have to be. This is called a risk-based approach.
Highly sensitive personal data is always considered high risk, regardless of the probability that it could be breached. Regardless of severity, all roles and responsibilities for the processing of data should be defined and clearly allocated, and every organisation should introduce access controls, again scaled to the risk the data poses. For highly sensitive data, non-disclosure agreements may be required.
There are additional best-practice suggestions concerning the storage and destruction of data. Highly sensitive data should never be stored on online computers, and the storage medium should be physically destroyed once processing ceases.
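The risk-based approach in the preceding paragraphs (four impact levels, a severity-by-probability matrix, the rule that highly sensitive data is always high risk, and safeguards that scale with the result) is concrete enough to encode. The following is an added example written for this article, not code from any regulator, standard or product: it scores a constructed data inventory, applies the sensitivity override, and maps each resulting level to the measures the text lists (defined roles, access control, NDAs, offline storage, physical destruction). The category list, the numeric thresholds and the exact set of measures per level are assumptions chosen for the example.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Effect a breach would have on the individual (the four levels in the text)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SEVERE = 4


class Likelihood(IntEnum):
    """Probability that the data is compromised (assumed three-step scale)."""
    RARE = 1
    POSSIBLE = 2
    LIKELY = 3


# Constructed inventory of data categories and their breach impact (assumption).
CATEGORY_IMPACT = {
    "newsletter_preferences": Impact.LOW,
    "postal_address": Impact.MEDIUM,
    "financial_account": Impact.HIGH,
    "health_record": Impact.SEVERE,
    "sexual_orientation": Impact.SEVERE,
}

# Special categories of personal data (Article 9); treated as highly sensitive.
SPECIAL_CATEGORY = {"health_record", "sexual_orientation"}


def risk_level(category, likelihood):
    """Matrix score = impact x likelihood, with the override that highly sensitive
    data is always high risk no matter how unlikely a breach seems.
    Thresholds (<=2 low, <=6 medium, else high) are an assumption."""
    if category in SPECIAL_CATEGORY:
        return "high"
    score = int(CATEGORY_IMPACT[category]) * int(likelihood)
    if score <= 2:
        return "low"
    if score <= 6:
        return "medium"
    return "high"


def required_safeguards(level):
    """Map a risk level to the measures the text describes; the split per level
    is an assumption. Roles and access control apply at every level."""
    measures = [
        "named role responsible for this processing",
        "access control limiting the data to that role",
    ]
    if level in ("medium", "high"):
        measures += [
            "encryption at rest and in transit",
            "pseudonymised copies for analytics and testing",
        ]
    if level == "high":
        measures += [
            "non-disclosure agreement for everyone with access",
            "storage on offline media only",
            "physical destruction of the medium when processing ends",
        ]
    return measures


def assess(inventory):
    """inventory: list of (category, Likelihood) -> {category: (level, measures)}."""
    result = {}
    for category, likelihood in inventory:
        level = risk_level(category, likelihood)
        result[category] = (level, required_safeguards(level))
    return result


if __name__ == "__main__":
    plan = assess([
        ("newsletter_preferences", Likelihood.LIKELY),
        ("postal_address", Likelihood.POSSIBLE),
        ("financial_account", Likelihood.POSSIBLE),
        ("health_record", Likelihood.RARE),
    ])
    for category, (level, measures) in plan.items():
        print(f"{category}: {level}")
        for m in measures:
            print("  -", m)
```

The point worth noticing in the output is the health record: its likelihood is rated as rare, which in the plain matrix would give a medium score, yet it lands at high with the full set of safeguards, because the override in risk_level fires before the matrix is consulted. That is the behaviour the text requires for highly sensitive data.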
Portability and Certifications
Taking all this into account, data controllers must also ensure that customers can exercise the right to object and the right to data portability. The security framework should allow a personal data profile to be assembled easily for transfer to another service provider without compromising safety.
Perform regular testing to verify that the appropriate measures are indeed being taken. Various certifications are available to help companies ensure they are meeting their obligations; in fact, Article 25(3) specifically singles out certification as a means of demonstrating compliance with the article’s provisions. Holding such certificates should count as a good-faith effort even if violations occur, which in turn could result in much lower fines and penalties than would otherwise be the case.
You should always be ready to provide documentation of your practices and frameworks when asked to do so.
Privacy By Design: Worth the Effort
The new provisions the GDPR brings may seem daunting, but the effort will pay off for individuals and companies alike. Individuals will enjoy better data protection, while companies will be largely shielded from the embarrassment and damage that result from negligent handling of personal data. Whether through voluntary compliance or the threat of steep fines, the GDPR looks very promising in this regard, and after a few hiccups in the transitional period we expect these provisions to have nothing but positive effects in the long term.