Published on 03 May 2018
See if your knowledge of Data Protection by Design is up to speed.
Data Protection by Design (Article 25(1)) means having appropriate technical and organizational measures in place from the earliest stages of design, both when you decide how a process will work and again while the processing actually runs. That is the stage when your business is designing the processes for its operations. Data Protection by Design is being thoughtful about data protection from the very beginning and making it part of the design rather than an addition bolted on afterwards.
Data Protection by Default (Article 25(2)) is more specific. It concerns how much personal data is collected, how far it is processed, how long it is kept and who can reach it: by default, only the personal data necessary for each specific purpose should be processed, and personal data should not be made accessible to an indefinite number of people without the individual's intervention. In practice that means privacy-protective settings are the starting point, not something the user has to switch on. Where consent is your lawful basis, GDPR requires an affirmative, informed opt-in (Article 4(11) and Article 7); pre-ticked boxes, silence or inactivity do not count. Consent is only one of the six lawful bases in Article 6, so not every collection needs an opt-in, but whichever basis applies, the by-default obligation on amount, retention and accessibility still holds. Businesses should therefore decide how much data they will collect and how long they will store it before the first record is written.
Collecting less personal data helps with overall data protection. Holding less data on an individual means there is less for an attacker to work with if it leaks, and the more complete a profile is, the easier identity theft becomes after a breach. A business that collects only the personal data needed for a customer account or transaction is practising data minimization (Article 5(1)(c)), which is data protection by design in its simplest form.
Less data collected = Less possible damage
Who owns the data businesses collect? GDPR does not actually use the language of ownership; instead it gives the individual (the data subject) rights over their personal data, including access, rectification, erasure and, where consent is the basis, the right to withdraw it. In practical terms, the individual decides whether another entity may store or use their data, and the business must be able to show a lawful basis for doing so. Under Article 4(1), personal data is any information relating to an identified or identifiable person: name, address, location data, phone number, age, gender, an identification number, and any other identifying information. Even an IP address or other online identifier can be personal data (Recital 30). Note that GDPR protects individuals who are in the EU, not only EU citizens (Article 3), so holding such data about anyone in the EU can bring your organization into scope.
Under Article 25 and Recital 78 of the EU GDPR, the following are measures that count toward data protection by design and by default.
Pseudonymizing personal data. Pseudonymization (Article 4(5)) replaces the direct identifiers in a record with artificial identifiers, so that the record can no longer be attributed to a specific person without additional information, and that additional information (the lookup table or the key used to generate the tokens) is kept separately under its own technical and organizational controls. Imagine your name no longer showing, but a unique token instead. This keeps privacy as the focus while still allowing a business to analyze accounts and improve its services. Two caveats: pseudonymized data is still personal data under GDPR (Recital 26), because the business can still re-identify it; and an unkeyed hash of an email address or phone number is a weak pseudonym, since anyone with a list of candidate values can recompute the hashes and undo it.
Encryption is also a must for data protection, and Article 32 names it explicitly as a security measure. Encryption transforms data into a form that only holders of the decryption key can read. It is only as strong as the key management around it: encrypting a database at rest does nothing if the key is stored on the same server with the same access rights, and encryption in transit (TLS, SFTP) protects data on the wire but not once it lands in storage.
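The following is an added example to illustrate the pseudonymization point above; it is not code from the original post or from ExaVault. It takes a constructed set of account records, replaces the email address with a token, and keeps the token-to-email map separately (the "additional information" of Article 4(5)). It contrasts a plain SHA-256 pseudonym, which an attacker can undo by hashing guessed addresses, with an HMAC under a secret key, which cannot be recomputed without that key. The record fields and the candidate list are made up for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and values are fictional.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "bytes_transferred": 120_000},
    {"email": "bob@example.com", "plan": "free", "bytes_transferred": 4_096},
    {"email": "Alice@Example.com", "plan": "pro", "bytes_transferred": 300},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic, so records for the same person still join, but anyone
    holding a list of candidate addresses can recompute the hash and
    re-identify the token (a dictionary attack).
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    Still deterministic for a given key, so analytics can group by person,
    but without the key a guessed address cannot be turned into the token.
    The key is the 'additional information' that must be stored separately
    from the pseudonymized data set.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Split records into an analytics set and a separately held mapping.

    Returns (rows, mapping): rows carry a 'subject' token in place of the
    email; mapping goes token -> email and belongs in a separate, access
    controlled (and ideally encrypted) store, not beside the rows.
    """
    rows, mapping = [], {}
    for record in records:
        token = keyed_pseudonym(record["email"], key)
        mapping[token] = record["email"].strip().lower()
        row = {k: v for k, v in record.items() if k != "email"}
        row["subject"] = token
        rows.append(row)
    return rows, mapping


def dictionary_attack(token: str, candidates, pseudonym_fn):
    """Re-identify a token by recomputing pseudonyms over guessed identifiers.

    pseudonym_fn is whatever the attacker can run; returns the matching
    identifier or None if no candidate reproduces the token.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this out of the analytics database
    rows, mapping = pseudonymize(RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com", "dave@example.com"]

    # Attacker holding only the data set and a list of guessed addresses.
    print("naive:", dictionary_attack(naive_pseudonym("alice@example.com"), guesses, naive_pseudonym))
    print("keyed:", dictionary_attack(rows[0]["subject"], guesses, naive_pseudonym))
    print("same person, same token:", rows[0]["subject"] == rows[2]["subject"])
```

The keyed variant is the one to use when the pseudonym only needs to be consistent inside your own systems; rotating the key (and regenerating tokens) is the pseudonymization equivalent of rotating an encryption key. If the mapping table and the key live on the same host as the analytics data, with the same credentials, you have not met the "kept separately" requirement in practice even if the schema looks right.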
How do you intend to use personal data? GDPR requires a specified purpose (Article 5(1)(b)) and only the data needed for it (Article 5(1)(c)). If you need a person's phone number so you can call them back, state that reason and let them know why you will be calling. Do you really need someone's birthday just so they can purchase a product from your website? If you do have a valid reason to collect birthdays, tell the person what it is and let them decide whether to give you that piece of personal data.
All sites should regularly test and review their security; Article 32(1)(d) requires a process for regularly testing, assessing and evaluating the effectiveness of your measures, and more frequent is better. This covers technical measures (patching, access controls, encryption, backups) as well as organizational policies and practices such as who can reach personal data and how access is reviewed.
Finally, a few data protection items we have already touched on. Minimize the data you store, collect only the personal data you need for the transaction, and set a retention period so it is deleted when that purpose is over. Make the most privacy-protective settings the default for all accounts.
The rules of the GDPR apply to any organization that processes the personal data of people in the EU, whether it is established in the EU or offers goods or services to, or monitors, people there (Article 3). If this includes you, start making it a priority today. Data Protection by Design means fewer changes that will need to be retrofitted tomorrow. Collecting less data means a smaller attack surface and less liability for you. Data Protection by Default ensures that the customers who sign up for your services know what data they are trusting to your care and are not exposed more widely than they chose.
If you missed a few of the answers, don't worry. While there are blog posts, news articles and tons of information available about data protection, it can be a lot to digest. The EU GDPR runs to 99 articles and 173 recitals (88 pages in the Official Journal)!
Data protection applies to everything from file transfers with providers like ExaVault to online purchases from your favorite retailer. (On file transfers specifically: plain FTP sends credentials and file contents in cleartext, so use SFTP or FTPS for anything containing personal data.) Just remember that data protection should be part of every design and every organizational process.
Bonus Question: Under GDPR, how long does a business have to report a breach?
Answer: Under Article 33, a controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals); a late notification must explain the delay. Notifying the affected individuals is a separate obligation under Article 34, required without undue delay when the breach is likely to result in a high risk to them. Neither article requires a general public announcement.