GDPR: Privacy by design

Privacy by design, which protects data through the design of the technology itself, is a vital area that GDPR attempts to improve in the field of data security. It is crucial for organizations to exercise security controls, such as penetration testing, because of the regular reports that GDPR now requires and because of the heavy fines that the European Union can now impose for mishandling consumers’ personal data. Privacy by design eases the impact of implementing the GDPR requirements because data processors will have already built compliant data-processing procedures into the technology. Privacy by design achieves compliance through risk assessments performed before decisions about data security are made. Risk assessments can be performed through a wide array of methods, yet they all require the same periodic and thorough approach; they should be performed often and proactively. Being proactive is being responsible with the valuable data your organization possesses. Critical cyber infrastructures can never be completely secured from attackers, but your organization can greatly mitigate cyber threats by staying in control of the situation rather than responding to an ongoing crisis.

Because of GDPR, companies must now have GDPR-compliant procedures in place from the very beginning of process development. They must analyze risk much more actively than was previously required and understand the implications of their data-processing procedures. To simplify the planning and implementation of privacy by design, a seven-step process has been developed.

These steps are:

  • Be proactive, not reactive;
  • Privacy should be the default setting;
  • Privacy should be embedded into the design;
  • Full functionality: positive-sum, not zero-sum;
  • End-to-end security;
  • Visibility and transparency;
  • Respect for user privacy.

Some of the above steps are self-explanatory; others require some explanation. Step three requires that processors plan carefully, implementing security measures that can adequately handle the expected level of risk while limiting the negative impact on the rights and freedoms of data subjects. End-to-end security is a blanket term that emphasizes the holistic approach organizations should take. They must constantly check and update their security systems through testing because, as step one admonishes, organizations must be proactive, taking preventive measures in addition to reactive ones.

Penetration testing is the simulated attack on, and scanning of, computer systems to identify vulnerabilities so that they can be corrected before a real attack occurs. Penetration tests should be conducted, at the bare minimum, once a year. Preferably, they should be conducted many times a month. Security controls, ranging from preventive to compensatory, should be checked regularly. Penetration testing has multiple facets, such as vulnerability scanning, which can be performed automatically. Vulnerability scanning checks that systems are up to date and that security software has been updated. Internal infrastructure and all other critical infrastructure should also be constantly monitored and tested for vulnerabilities. Systems such as firewalls and web filtering should be tested for susceptibility to viruses. The end-to-end life cycle of data should also be examined in order to reduce security risks. GDPR recommends using encryption and pseudonymisation when implementing privacy by design, but it is up to organizations themselves to determine which measures they should take. Step two should not be overlooked. Data controllers must use appropriate measures, both technical and organizational, to ensure that personal data is used only for its specified purpose. Data collectors must do their utmost to minimize the amount of data collected and the length of time it is stored. In addition, all settings should default to the most privacy-friendly level, so that users have to consciously change a setting to a less privacy-friendly one.
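The following Python snippet is an added illustration of step two (privacy as the default setting) as described above; it is not code from the original article or from Integrity. It applies pseudonymisation, data minimisation, privacy-friendly default consent values and a storage limit to one constructed sign-up record; the declared purpose, the field set, the 30-day retention period and the key are all assumptions made for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample input: a sign-up record as an application might first receive it.
RAW_RECORD = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "birth_date": "1990-04-12",
    "country": "NL",
    "signup_ip": "203.0.113.7",
    "newsletter_opt_in": None,   # user never touched the setting
    "analytics_tracking": None,  # user never touched the setting
}

# Assumed declared purpose: per-country usage statistics. Only these fields are
# needed for it; everything else is dropped (data minimisation).
PURPOSE_FIELDS = {"country"}
CONSENT_FLAGS = ("newsletter_opt_in", "analytics_tracking")
RETENTION_DAYS = 30  # assumed storage limit for this purpose


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. Unlike a plain hash, it cannot be reversed by
    hashing a list of known e-mail addresses without the key, which the controller
    keeps separately from the pseudonymised data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def privacy_by_default(record: dict, key: bytes, today_iso: str) -> dict:
    """Apply privacy-by-default processing to one record; today_iso is YYYY-MM-DD."""
    out = {field: record[field] for field in PURPOSE_FIELDS if field in record}
    # Direct identifier replaced by a pseudonym; name, IP and birth date are never stored.
    out["subject_id"] = pseudonymise(record["email"], key)
    # Unanswered consent settings default to the most privacy-friendly value (off).
    for flag in CONSENT_FLAGS:
        out[flag] = record.get(flag) is True
    # Storage limitation: the record carries its own deletion date.
    today = date.fromisoformat(today_iso)
    out["delete_after"] = (today + timedelta(days=RETENTION_DAYS)).isoformat()
    return out


def is_expired(record: dict, today_iso: str) -> bool:
    """True once the retention period has passed and the record must be erased."""
    return date.fromisoformat(record["delete_after"]) < date.fromisoformat(today_iso)


if __name__ == "__main__":
    demo_key = b"constructed-example-key"  # constructed for the example only
    print(privacy_by_default(RAW_RECORD, demo_key, "2024-01-01"))
```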

Testing your organization’s security systems is just one step in a larger process. Organizations must also practice due diligence when it comes to employee awareness. Your staff may be the last line of defense against a cyber attack, so they should be prepared to handle any security threat. Phishing resilience will help to ensure preparedness. Programs such as Integrity’s ActiveThreat assess employee behavior in order to better train your organization. Simulated phishing attacks, using phony emails and messages, allow your organization to gauge how susceptible it is to security threats. Employees must be trained in areas such as phishing in order to limit susceptibility to fraud.

Integrity is here to offer your organization help in the fields of penetration testing, phishing resilience, risk management, and GDPR implementation.