Until recently, the protection and security of personal information kept a relatively low profile. Most countries, regions and states have data protection legislation, but the level of protection provided varies. Exposure of personal information or data breaches were relatively rare, and state surveillance of such information was generally covert and unacknowledged.
In the last few years, the amount of personal data stored by companies and governments has soared. The value of that data has multiplied as more and more personal business is transacted on the Internet. Identity theft has become a major crime. In addition to the disruption to business and the impact on customer loyalty that data breaches create, many jurisdictions are looking to bring their data protection legislation into line with the new, Internet-based world – although unfortunately, not in line with each other.
The General Data Protection Regulation (GDPR), a new set of European rules and standards related to privacy and data protection, has set in motion a mad compliance scramble not just for European companies, but for any company doing business in Europe or with European customers.
Moving forward, organizations will benefit from understanding the concept of Privacy by Design, which seeks to embed privacy principles in best practices, systems and software. Privacy by Design encompasses seven foundational principles for embedding privacy within systems and software.
One of the key foundational tenets of Privacy by Design is that privacy rights ought to be protected and enforced by default in order to proactively mitigate privacy risks. From a software and process design perspective it means that Privacy by Design should encompass:
- Data Minimization: to restrict collection to the minimum amount of personally identifiable information required for processing;
- Data Classification: to ensure that personally identifiable information is tagged and assigned the appropriate level of protection from exposure;
- Data Pseudonymization and Encryption: to ensure the ongoing confidentiality, integrity, availability and resilience of personal data and data systems, and to preserve privacy through the processing of personal data in ways that can no longer be attributed to a specific data subject;
- Data Aggregation: to provide for tools to aggregate personally identifiable information to the highest level;
- Auditing and Control: to provide data subjects with agency over their personal information and to empower data processors to demonstrate compliance; and
- Intuitive User Interface Design: to enable users to easily understand privacy notices, to provide affirmative consent (since under GDPR implied consent is no longer permissible) and to withdraw consent by providing intuitive access to privacy settings including easy to understand privacy icons.
Are you ready for May 2018?