Much more than a best practice, the practice of Privacy and Security by Design and by default is now also a legal requirement for many organizations. While the EU General Data Protection Regulation (GDPR) is the first to delineate Privacy by Design as a legal obligation, it’s certainly not a new concept in data protection. The GDPR requires not only privacy and security by design, but also by default. So this means that what was formerly considered to be a best practice will now be a mandate – and one that will need to be operationally demonstrable.
Privacy and Security by Design: Your Foundation
Traditionally, there has been a perception that privacy is where IT goes to die, and that security leads with “no.” Whether deserved or not, this is not an effective way to build a collaborative team. Instead, it’s important for security and privacy officers, as well as general counsel, to take steps to establish privacy as a foundational tenant of their development life cycles. Privacy must be embedded in every step of the process – from the whiteboard stage of a new IT project, program, system, or campaign, through the design, development, quality assurance, and release of the very same system.
This means that privacy and data protection officers must partner with their IT and business colleagues internally to gain key executive sponsorship and cooperation with their lines of business. Privacy by Design creates a much needed connection among the CPO, CISO, IT, and CIO.
However, the reality is that privacy program offices are typically only a small fraction within very large organizations. They are tasked with ensuring compliance to many different standards for management of sensitive information internally and externally. They simply cannot be in every meeting and discussion in which a new IT system, program, or campaign is being contemplated. Instead, what they can do is develop a framework that can be used by IT to incorporate privacy best practices by design and by default within their programs and systems across the organization.
Putting Privacy and Security by Design into Action
So how can this work operationally? Anyone who has been a part of designing a home or building anything understands that it is always better to get your plans right in the beginning. Change orders can become expensive! Implement a standardized and repeatable process with your colleagues in IT and the business so they come to you as a project begins – not when they’re ready to go live. This way, you will be able to provide advice, guidance, and review at every step of the process.
Consider using automation. Allow your colleagues to request a privacy impact assessment of the systems they are planning to build and deploy so you can provide them with reasonable estimates and timelines. Your involvement early on will save them from having to make last minute design changes or rushed decisions.
Through this programmatic approach and implementing privacy design automation, privacy program managers and data protection officers can then develop a service level agreement (SLA) with their colleagues in IT and the business.
What would this look like in practice?
The business creates a new mandatory procedure that requires that all new IT systems, programs, campaigns, or processes must go through a quick and automated approval process before moving forward. This would be required for all departments, so whether a program, concept, or idea was born in central IT, marketing, or at the business unit level, this process would be applicable.
Using a registration system or tool like the AvePoint Privacy Impact Assessment (APIA) System, the sponsor of the new system submits the idea and is prompted to answer a brief series of privacy and security questions about the system. The questions might be about the goal of the project, lifecycle of the project, cost, or branding.
For example, the key questions could be centered around whether this initiative would include personally identifiable information (PII) or sensitive PII of any kind. If the answer is no, then no further action would be required. You do have the option to validate (again through automation) that no PII was in fact being used through the system. This is fairly simple to do through automated scanning, and could even be done through regular reviews and audits.
If the answer is yes this program will involve PII, the next steps simply flow from there. At this point, the privacy, data protection, and security teams should have a built in iterative review process and feedback loop. This will recommend appropriate procedures and technical controls to ensure that the sensitive data was only made available to people that should have it – protecting it from those who should not.
Additionally, by having this information at the beginning of a project, important data lifecycle management provisions can also be built in to ensure that data is retained for only as long as necessary. Where appropriate, automation can help appropriately archive or destroy data at the end of a program to minimize exposure and risk to the business. In this model, you should build privacy, data protection, and security checkpoints into the regular rhythm of this entire process – from concept stage, development, testing, go-live, production, and end of life. As a mandatory element of any new program (or review of an existing one) Privacy by Design and by default now becomes the standard – not an additional burden.
Privacy and Security by Design and by Default
This standardized and repeatable process ensures that IT and the business understand and “bake in” the appropriate privacy and data protection controls as a project begins, rather than only considering privacy as a checkbox exercise. This enables not only privacy and data protection teams, but also security teams to help provide advice, guidance, and review at every step of the process.
Making it easier for your employees to do their jobs successfully while creating an ever-present culture of compliance will require organizations to adopt a risk-based approach to data protection. While that often starts with the legal and compliance team and ends with the CISO, in fact it needs to focus also on a day in the life of your everyday business user.