Privacy by Design

The General Data Protection Regulation (GDPR) will introduce data protection by design and by default (Article 25), commonly referred to as privacy-by-design (PbD) and, together with it, security-by-design (SbD), as requirements that data controllers and data processors must comply with once the GDPR becomes applicable.

According to Recital 78 of the GDPR, “the protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”

What is Privacy by design?

The concept of Privacy by Design originates from the Office of the Information and Privacy Commissioner of Ontario (IPC), where it was developed by Commissioner Ann Cavoukian in the 1990s.

The IPC described several engineering practices in its publication “Privacy Engineering: Proactively Embedding Privacy, by Design” (issued January 2014), covering both non-technical and technical considerations. Privacy engineering is the discipline of treating privacy as a non-functional requirement in systems engineering. Alongside Privacy by Policy (consent, notices, internal rules), Privacy by Architecture focuses on technical solutions that use measures such as data minimization, anonymization, decentralization and reliance on privacy-enhancing technologies (PETs).

According to the Information and Privacy Commissioner of Ontario, Privacy by Design consists of seven foundational principles:

1. Proactive not Reactive: The PbD approach attempts to anticipate and prevent privacy-invasive events before they happen.

2. Privacy as the Default Setting: Ensure that personal data is automatically protected in any given IT system or business practice, so that if an individual does nothing, their privacy still remains intact.

3. Privacy Embedded into Design: Privacy should be embedded into the design and architecture of IT systems and business practices.

4. Full Functionality – Positive-Sum, not Zero-Sum: PbD seeks to accommodate all legitimate interests and objectives in a “win-win” manner, balancing seemingly opposing interests such as security and privacy rather than trading one off against the other.

5. End-to-End Security – Full Lifecycle Protection: PbD extends throughout the entire lifecycle of the data involved, from start to finish.

6. Visibility and Transparency: It seeks to assure all stakeholders that component parts and operations remain visible and transparent, to users and providers alike.

7. Respect for User Privacy – Keep it User-Centric: Above all, it puts the interests of the individual first by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options.

How to address PbD requirements?

Beyond policy-like controls that support PbD requirements (e.g. consent notification forms, internal data privacy policies), the IPC recommends that the following technical controls be considered when designing IT systems and software.

1. Data Minimization – restrict the collection and processing of unnecessary data by technical means, e.g. limiting data inputs to pre-defined lists or rejecting fields that have no documented purpose. A thorough analysis of the purpose of data collection and processing is required to determine which data sets are actually necessary.

2. Anonymization – the essence of the control is to strip away the connection between the data and the data subject while producing a consistent set of data that can still be used in IT systems to support business processes. Note the distinction the GDPR draws: pseudonymised data, where identifiers are replaced by tokens that can be reversed with additional information held separately, is still personal data (Article 4(5), Recital 26); only data that can no longer be attributed to an identifiable person falls outside the Regulation.

3. Decentralization – the idea behind decentralization is to involve clients and data subjects in the processing of data, giving them more control over the activity. It should be noted that the IPC emphasises that “there could be a trade-off in security depending on the nature of the processing platforms”.

4. Privacy-enhancing Technologies (PETs) – PETs are technologies whose sole purpose is to enhance privacy, e.g. multi-tenancy separation in cloud platforms. Privacy-supporting technologies, by contrast, primarily address other aspects of information security and enhance integrity or availability as well, such as regular storage back-ups and Role-Based Access Control (RBAC).
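The two controls that most directly translate into code are data minimization and the "consistent but unlinkable" transformation described under anonymization. The following is an added example (not code from the IPC publication or this page) that applies both to constructed sample records: an allow-list plus pre-defined value lists drops and validates input before storage, and a keyed HMAC-SHA256 replaces the direct identifier with a token that is stable for the same subject but cannot be recomputed by anyone without the key. The field names, value lists and key handling are assumptions for the illustration; as the text notes, the output is pseudonymised rather than anonymised, because the key is the separately held additional information that re-links it.

```python
import hashlib
import hmac
from typing import Any, Dict, List

# Constructed sample records for illustration only (not real people).
RAW_RECORDS: List[Dict[str, Any]] = [
    {"name": "Alice Example", "email": "Alice@example.org", "dob": "1984-03-02",
     "country": "DE", "plan": "gold", "notes": "called support about an invoice"},
    {"name": "Bob Example", "email": "bob@example.org", "dob": "1991-11-17",
     "country": "FR", "plan": "silver", "notes": ""},
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1984-03-02",
     "country": "DE", "plan": "gold", "notes": "second purchase"},
]

# Data minimization: every accepted field needs a documented purpose; anything
# else (the name, free-text notes, ...) is dropped before the record is stored.
# The field set and value lists below are assumptions made for this example.
ALLOWED_FIELDS = {"email", "dob", "country", "plan"}
ALLOWED_COUNTRIES = {"DE", "FR", "NL"}   # pre-defined list instead of free text
ALLOWED_PLANS = {"silver", "gold"}


def minimise(record: Dict[str, Any]) -> Dict[str, Any]:
    """Keep only allow-listed fields and enforce list-restricted inputs."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if out.get("country") not in ALLOWED_COUNTRIES:
        raise ValueError("country must be chosen from the predefined list")
    if out.get("plan") not in ALLOWED_PLANS:
        raise ValueError("plan must be chosen from the predefined list")
    return out


def pseudonymise(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Replace the direct identifier with a keyed token and coarsen the date of birth.

    HMAC-SHA256 under a secret key gives a consistent token (the same e-mail,
    normalised, always maps to the same subject_id, so records about one
    subject still link up) while preventing anyone without the key from
    regenerating tokens from guessed e-mail addresses. Because the key can
    re-link the data, this is pseudonymisation, not anonymisation.
    """
    subject = record["email"].strip().lower().encode("utf-8")
    token = hmac.new(key, subject, hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in ("email", "dob")}
    out["subject_id"] = token
    out["birth_year"] = record["dob"][:4]   # generalisation: keep the year only
    return out


def process(records: List[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    """Minimise, then pseudonymise, each record; invalid input raises ValueError."""
    return [pseudonymise(minimise(r), key) for r in records]


if __name__ == "__main__":
    import secrets
    # In practice the key comes from a KMS/HSM and is stored apart from the data set.
    demo_key = secrets.token_bytes(32)
    for row in process(RAW_RECORDS, demo_key):
        print(row)
```

Two properties are worth checking in a review of such code: the normalisation before hashing (otherwise "Alice@" and "alice@" become two subjects and the data set is no longer consistent), and that the key lives outside the data store, since a leaked key turns the token back into an identifier for anyone able to enumerate e-mail addresses.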

The European Union Agency for Network and Information Security (ENISA) issued a report on “Privacy and Data Protection by Design – from policy to engineering” in December 2014. In its report, ENISA observed that privacy and data protection features are, on the whole, ignored by traditional engineering approaches, which concentrate on implementing the desired functionality.

According to ENISA’s report, the following privacy techniques should be considered:
1. Authentication
2. Attribute Based Credentials
3. Secure private communications
4. Communications anonymity and pseudonymity
5. Privacy in databases
6. Technologies for respondent privacy: statistical disclosure control
7. Technologies for owner privacy: privacy-preserving data mining
8. Technologies for user privacy: private information retrieval
9. Storage privacy
10. Privacy-preserving computations
11. Transparency-enhancing techniques
12. Intervenability-enhancing techniques

Conclusion

Privacy by Design provides a set of engineering principles to raise the level of privacy of systems and software, although it is not a single measure that organizations could rely on alone to ensure compliance with applicable regulation. With the adoption of the GDPR, the EU took a step forward in promoting PbD and SbD requirements, although their implementation requires a cultural shift in current IT system design and software engineering practices. Identifying the exact privacy needs that PbD must address requires more mature processes for cooperation and coordination between the business and the IT development side of an organization, while the body of case law and guidance from EU supervisory authorities still needs to be developed.