Securing Data Through GDPR’s Privacy by Design
Data breaches have become mainstream security incidents, and each new breach seems to be more serious than the last. The magnitude of recent breaches has made data protection a much-discussed topic in the legislative sphere in recent years, sparking strict regulations like the EU’s General Data Protection Regulation (GDPR) and various others around the world — including the U.K., U.S., Australia, and China.
Details about these incidents are showing people the many different ways their personal information can be used or abused — for profiling, targeted marketing, outright identity theft, and much more. And they are growing more concerned about how companies collect and protect their personal data. Just this past year we’ve seen how companies can be careless with their data storage, lack proper and updated security, and play fast and loose with accessibility so that data is used inappropriately by third parties. This shows that, while most enterprises have developed and advanced their data collection and data use policies, security was not built into their operations.
The state of enterprise data security
The growing number of high-profile privacy incidents, along with the fallout from such attacks, has pushed enterprises to increase their spending on cybersecurity solutions. According to Gartner, worldwide cybersecurity spending will reach $96 billion this year, and more than 60 percent of organizations will invest in multiple data security solutions by 2020. Survey respondents shared that the main driving force behind these spending decisions is the risk of data breaches.
But deploying state-of-the-art security is only one facet of an effective and comprehensive data protection plan. Another important part is changing the actual approach to implementing privacy. Instead of being an additional feature, privacy must be top of mind from the outset of any plan or project involving personal data. Enterprises should incorporate privacy principles as early as the design phase of all technologies, processes, and systems — a proactive rather than reactive approach to risk.
How can businesses do better?
Organizations need to embrace the framework of privacy by design, wherein privacy and data protection concerns are anticipated and addressed from the start. Regulators worldwide have already recognized the merits of this approach, as demonstrated in recent regulations like the GDPR. Complying with regulations is a step in the right direction. Not only is GDPR compliance a must for those dealing with EU citizens’ data, but adhering to the rules also sets a good standard for any organization collecting and processing personal data. Enterprises that want to integrate privacy fully into their infrastructure should also take note of important data privacy principles promoted by the GDPR: data minimization and pseudonymization.
Data privacy starts with clearly defining two things: the types of personal data to be collected, and the purpose for the data. Some organizations are collecting more data than they really need, and using it for purposes not clearly outlined for the user. One way to avoid this situation is through data minimization — collecting only what is needed from customers, using the data for only the purposes agreed to by the user, and adhering to appropriate data retention policies or deleting data once the purpose has been served.
Pseudonymizing data, on the other hand, makes personal data incapable of directly identifying an individual. The only way it can be linked to a unique individual is by combining it with other pieces of data stored and protected separately. This means that organizations can still process personal data and continue providing services to customers, while protecting their right to privacy.
Both principles can be implemented as data privacy measures as well as guide decisions throughout the design life cycle.
Committing to privacy by design
To fully employ the idea of privacy by design, enterprises should first categorize the data they are collecting and map its flow. This will help build context in order to design the specific security solutions that need to be set up within the organization. After understanding their data, enterprises should embed privacy controls at each layer of the infrastructure, down to applications used.
Here are some design guidelines to keep organizational and customer data secure:
- Enterprises should enforce strict authentication and authorization mechanisms on devices and applications to verify who can access data. Flaws in these areas are commonly exploited by hackers to steal data, or even access app functionality (in order to bypass PIN codes, inject malicious code, and other attacks).Enterprises should also impose strict access policies. For example, setting up remote access through virtual private network (VPN), putting up firewalls, and ensuring that any libraries or databases connected to apps are secure.
- The enterprise development or DevOps teams should build layered privacy into their applications. Teams should strengthen encryption and secure an app’s network connections. Some apps can also benefit from application containerization, where apps are deployed in a contained environment, like virtual machines.
- Privacy should also be integrated into the cloud infrastructure. According to a 2017 survey by LogicMonitor, 83 percent of enterprise workloads will be in the cloud by 2020. This presents a good opportunity for enterprises to create and implement new privacy policies as they move to the cloud. Properly configuring servers would be the first step since many data breaches have stemmed from misconfigured servers. Limiting accessibility and installing proper solutions are also important. Enterprises should have a cross-generational blend of threat defense techniques that can used to protect their cloud services. Layered security should protect against network and application threats, detect malicious activity, and also secure connected systems.
- Enterprises should also evaluate potential privacy risks to customers by carrying out Privacy Impact Assessments (PIAs) on their data processing and collection. Evaluating the possible risks will help enterprises craft and design a proportional security response before any incident occurs.
New projects, like cloud transformation initiatives, give enterprises the opportunity to build privacy, security, and automation into their systems with the right tools. But everyone within the enterprise — from the DevOps teams that build applications to the marketing teams that use the applications — should be aware and committed to privacy by design. It’s crucial that organizations invest in education and awareness programs for employees. The more informed employees are about the importance of privacy, the easier it will be for them to integrate it into their work.
Of course, when implementing new data privacy and protection policies, every organization should expect an initial adjustment period. Devices will have to be upgraded, new software installed, and security processes adopted — all important and necessary steps. Not only do most enterprises require these improvements to be compliant with the GDPR, but they also need these to stay ahead of the curve and give users the privacy and security that they expect and need.
Learn how Trend Micro can help you on your journey to better data security and GDPR compliance. Find out how you can take action and make sure your endpoints, networks, and cloud environments are protected and secured.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.