Use Privacy By Design for Products and Services
xMatters is running a four-part blog series as a compliance checklist for the European Union (EU) – General Data Protection Regulation (GDPR). Part 1 was about a Data Protection Officer, part 2 was about Data Protection Impact Assessments, and part 3 was about privacy policies and procedures.
Part 4: To achieve consistent protection of personal data within your organization and without, you must have privacy by design programs and services in place. That kind of consistent excellence requires contributions from throughout the company and a commitment from people in all levels, from customer service representatives to chief executive officers.
One of the core tenets of the GDPR is the need to build a culture of data privacy protection. In some areas of life and business, you can and maybe should learn from your mistakes. GDPR compliance is not one of those things.
In fact, learning from your mistakes could put your customers, your business, and other individuals and businesses at risk of compromised data, breach, and hefty fines. It is important to aim for getting it right the first time. This is why the act includes a DPO and why it calls for privacy by design.
Writing privacy and security into the code and into the infrastructure is the best way to ensure effective privacy controls. Relying on firewalls and antivirus protectors is like locking your jewelry box but leaving your front door open.
1. Design, develop, and deploy your products and services based on your privacy procedures
In sports, they say you play like you practice. Well, in the privacy business, you protect like you prepare. Preparation and practice go a long way in regard to privacy and security.
Your privacy procedures are the blueprint for how you conduct real business; so first and foremost, be careful and draft effective procedures. Second, revisit your procedures periodically and make adjustments as necessary.
2. Use your privacy program to drive your Information Security program
Privacy is the result of the actions you take. Locking yourself in your room doesn’t produce privacy unless you get everyone out of the room first. More importantly, your organization’s privacy program produces protection for your organization and customers only if it drives your information security, where the work is done.
How does your privacy program drive your information security program? It needs the muscle of your information security and cybersecurity program. So your Data Protection Officer has to work with engineering and operations teams to ensure a robust infrastructure than can support security measures to protect your system and privacy measures to protect personal information.
3. Conduct privacy awareness and training employees
We’re back to culture. Ensure that you have clear policies in place to prove that you meet the required standards. Establish a culture of monitoring, reviewing, and assessing your data processing procedures, aiming to minimize data processing and retention of data, and building in safeguards. Check that your staff are trained to understand their obligations. Auditable privacy impact assessments will also need to be conducted to review any risky processing activities and steps taken to address specific concerns.
It’s more than just proper code and storage of personal data in databases. Every few years, there’s a new case in which someone leaves a briefcase, a phone, a laptop, or a disc with sensitive data in a public place. It’s important to educate employees on how important it is to not do that.
4. Conduct privacy and security assessments to create a continuous improvement cycle
First, verify that your privacy program is as effective as you think it is. You can’t try to improve it if you don’t know how good it is. To put it another way, you can’t improve what you can’t measure.
Once you have established a baseline, you can implement a program to continually improve it. Besides the Data Protection Officer, consult engineering team members who can ensure your privacy efforts aren’t falling behind technologically, legal counsel to understand the organization’s legal obligations, and executives to ensure privacy adjustments are supporting corporate strategy.
4 Ways to Improve Your DevOps Testing
You already know the longer it takes to detect a problem, the more expensive it is to resolve. Your testing needs to happen earlier in the development pipeline while taking into account all aspects of privacy, security and monitoring.
Read the 4-part DevOps testing eBook to learn how to detect problems earlier in your DevOps testing processes.