Friday, April 8th, 2022
Data Privacy by Design – Principles
IBM’s recent Data Breach Report found that the average total cost of data breaches rose to $4.24 million in 2021 – the highest average total cost IBM has recorded to date. The healthcare industry continues to have the biggest cost of a data breach for the past eleven consecutive years, with data breach costs increasing by 29.5% from 2020 and reaching $9.23 million in 2021. The rising incidents and costs of data breaches put the spotlight on the importance of ‘Data Privacy by Design’.
Although the term, ‘Data Privacy by Design’ was first developed by Ann Cavoukian in the 1990s, it remains even more relevant now than ever. The then-Information and Privacy Commissioner of Ontario used this term to describe how privacy must be an integral component and interwoven with an organisation’s processes, procedures, and policies. Data privacy laws such as the EU General Data Protection Regulation (GDPR) or recently agreed “in principle” Trans-Atlantic Data Privacy Framework, underlines the importance of considering some of the following foundational key principles of Privacy by Design.
“Visibility and Transparency”
Privacy standards must be open, visible and accountable. This means the following aspects within the organisation must be clearly defined and communicated:
- how personal information is collected;
- the purpose of collecting and processing the data;
- how it is securely stored;
- who has access to the data; and
- how long the data will be retained.
“Proactive, not Reactive”
Privacy risks and possible privacy breaches should be anticipated. Rather than a remedial approach, privacy weaknesses should be identified and preventative measures are put in place. Data retention periods per data privacy laws should be followed and reviewed on a regular basis. There should be a defined procedure to identify, report and investigate possible data breaches. This procedure should be communicated to all employees, and refresher training is conducted on a regular basis. This training can be an interactive and discussion-based session where everyone can raise any questions they may have. A proactive and communicative approach can further contribute to the creation of a positive security culture within the organisation.
“Data Privacy as the Default Setting”
Company processes and systems should by default automatically protect a user’s privacy rights. For instance, profile creation on a website should be configured to the highest setting of privacy by default and only collect the minimum amount of data required. This demonstrates an organisation’s commitment to protecting its user’s data.
The EU General Data Protection Regulation requires Data Protection Impact Assessments (DPIAs) to be carried out for any high-risk data processing activities. However, DPIAs could also be used to assess how the organisation’s data processing affects their user’s data privacy or data rights. A DPIA can identify the information flow, and possible privacy risks and ensures that potential ways to reduce the privacy risks are evaluated. In doing this assessment, the organisation should be able to conclude whether the type and amount of data being collected/processed are required, as the more sensitive data held within the organisation, the greater the risks.
Before organisations can implement Privacy by Design, they must understand what data is being collected, processed and stored within the organisation’s systems and network. A Data Discovery Phase can be first carried out to help identify all the data points within the organisation. After all, in order to protect your data, you need to know what needs to be protected.
It is important to remember that privacy by design is not a static process. It must be continuously reviewed and adopted as the organisation changes and grows.
Author: Mae Patlong, Information Security Consultant, Smarttech247