The GDPR dictates that organisations ‘implement appropriate technical and organisational measures’ to ‘ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services’. It also mandates that data protection measures be implemented ‘by design and by default’. It’s apparent that privacy and data protection must be rooted in every part of information technology and IT infrastructure for this to be achieved.
Privacy by design has been an encouraged best practice for a long time; however, it’s only been practised by some. It’s taken the enforcement of the GDPR, making it a legal obligation, for many others to take it seriously and make it happen.
Privacy by design focuses on embedding privacy protection measures throughout information technology infrastructure, including the design, development, build and running of software, products, processes and services, to ensure that personal data processed by these means is protected and the risk to the data subject is significantly reduced.
Following these 7 principles ensures privacy is at the forefront, by design and by default:
- Incorporate proactive and preventative measures
Proactive data protection and privacy measures trump reactive measures when it comes to privacy by design. Organisations need to anticipate the risks to privacy, anticipate the types of incidents and types of attacks, and ensure preventative measures are put in place and built into the design process from the get-go. DPIAs play an essential role in ensuring that security and privacy compliance is both measured and addressed at the initial stages of design and development whenever personal data is to be processed.
Privacy and security by design aim to ensure that incidents and risks are pre-empted and procedures put in place during the design process to create more compliant products and services to protect the privacy of consumers and their personal data.
- Secure by default
All new processes, products and even features should be secure by default (not insecure by default) as a standard requirement. This means that privacy by default is maintained right from the start. Consumers should not have to jump through hoops to secure a service or a product; instead, they should have the visibility and control to make informed decisions with regard to the security they need and, if anything, reduce the level of security of a product or service if required. That should be an informed choice that they would have to make.
So, security and privacy features should be at their strongest by default, and with the proper insight, consumers can make configuration changes to suit their requirements. Components, products and services must be robustly secure out of the box, all of the time!
- Embedded security
Security and privacy by design should be entrenched in an organisation’s culture, thought process, design process, build process and ultimately business practices as a whole. Nothing should commence without meeting integrated security and privacy by design fundamentals so that all processes respect data privacy and security.
- Usability and security
Yes, you can have the one, as well as the other… and simultaneously. It’s often thought that a user-friendly product or service will have insufficient security or that security always comes at the cost of usability. Ultimately, a product or service that is designed and built to be both usable and secure from the start will be more secure. If it’s difficult to use, consumers will bypass security for a better user experience.
Designing a product or service to be usable and at the same time secure can help to satisfy all business objectives. Privacy is ensured, and efficiency is not impacted. Ultimately, user-friendliness equates to stronger security.
- Privacy and security for the entire data lifecycle
Data protection must cover the data’s entire lifecycle. Data flows. Data has no boundaries. Data changes. Protection measures must be able to follow data and adapt with it so that the data is protected end-to-end, from when it is created and throughout processing and its journey, whenever and wherever it travels or rests. Protection systems must be designed with this in mind.
- Visibility and transparency
Transparency of security, privacy and control is essential to assure the consumer that the confidentiality, availability and integrity of data are always ensured and maintained in practice. This needs to be part of the design and build plan so that users have a comprehensive understanding of the technical and organisational measures implemented throughout processes to protect their personal information. With this level of transparency, consumers are able to make informed decisions on whether they want to use a product or service or how best to use it relative to their risk tolerance levels.
- User privacy as a central priority
It’s vital to acknowledge that user privacy is critical and to ensure this message resonates throughout the organisation. It should be integral to the business culture. From the top down, the importance of user privacy must be encouraged throughout all business practices, and everyone must respect it. Ensure that you design and build in the necessary controls to enable consumers to enforce their privacy requirements and the level of protection that they require. Flexibility ensures that users can provide privacy and data protection for varied conditions and environments to better support unique and individual security requirements.
Realise the benefits of privacy by design…Galaxkey do!
Galaxkey understands the connection between a strong privacy culture and its ability to deliver business objectives. Galaxkey has been shaped with privacy and security at its forefront, and these 7 principles are pivotal in the creation of the data protection and data management solutions that we provide.
Privacy and security by design and by default are embedded throughout Galaxkey’s culture, our IT infrastructure, our processes and solutions so that Galaxkey can ensure practical solutions with robust security. It did not take the enforcement of the GDPR for Galaxkey to react. For Galaxkey, security and privacy by design have always been implemented as best practice.
However, the requirement for privacy by design and by default is a crucial GDPR prerequisite that’s helping organisations to tackle previously overlooked (or ignored) security gaps head-on.
Privacy and data protection now dictate how organisations build products, develop software and operate IT services. This is necessary. As technologies advance and become even more integral to all aspects of our lives across industries, including defence, medical, finance, utilities and so on, any unsecured component of the IT infrastructure used to build and run the products and services that we depend on could result in catastrophic impacts on not only our privacy but also our physical safety if things go wrong.