Comprehensive software reviews to make better IT decisions
Avoid the PIA Trap, Integrate PbD Early in Your AppDev Process
Traditionally known as privacy by design (PbD), data protection by design principles are now required under Article 25 of the European Union's General Data Protection Regulation (GDPR).Building privacy controls based on data protection by design into your application development practices can ensure you get positive-sum results, allowing your applications to satisfy many GDPR requirements “by design.”
GDPR Preparations in Full Force
Your organization has likely been running full speed ahead with preparations for the GDPR. A privacy officer or data protection officer is overseeing continued GDPR compliance efforts, focusing heavily on data inventory and mapping, making changes to incident handling and breach notifications, performing data protection impact assessments (DPIA) on high-risk activities, and spreading awareness that the world as we know ended on May 25, 2018 (just kidding… sort of).
Various internal groups are frantically documenting personal data processing activities, making changes to systems to comply with consent and notice requirements, and dreading the weekly legal discussion around lawful basis of processing and whether adequate security measures are in place.
With the frantic push for compliance past GDPR D-Day, organizations are doing what they can to expedite the building or enhancing of a data privacy program. After all, a survey indicates that 55% of organizations in EMEA had either a non-dedicated privacy function or no privacy function at all. The US is not faring any better, with only 44% of US corporate directors having confidence in the comprehensiveness of their company’s data security and privacy program. So with all the focus on data inventory and mapping, DPIAs, and breach notifications, data protection by design may not be at the top of your list.
Better Now Than Later
Moreover, it is important to note that the European Commission Article 29 Working Party’s (Art. 29 WP, now operating as the European Data Protection Board [EDPB] after the GDPR came into effect on May 25, 2018) guidance on the setting of administrative fines specifically calls for principles of data protection by design and by default as key assessment criteria, even ahead of appropriate level of security and relevance of data protection policies.
Combining this data protection by design criteria with the typical application development lifecycle and lengthy privacy impact assessment (PIA) processes could mean months before data protection by design makes it into your application, increasing your application’s exposure to non-compliance under the GDPR. In addition, traditional PIAs are also long and unwieldly; they point out remedial measures as bolt-on quick fixes to address privacy concerns. The result is an application with a patchwork of fixes, potentially reduced capabilities, and an overextended development timeline, resulting in a zero-sum situation.
By taking data protection by design head on, and embracing data protection by default, applications satisfy privacy requirements up-front. Organizations that adopted secure software development lifecycles (SDLC) are familiar with the benefits of integrating security considerations early in their processes. Data protection by design principles can be integrated in similar and innovative ways, addressing many of the GDPR’s privacy requirements upfront.
Part of Your SDLC
Now that you are convinced adopting data protection by design early in your application development cycles can reduce the impact of integrating privacy controls, where should you begin?Depending on your application development model (waterfall or agile), data protection by design steps would either be structured or cyclical. Add privacy assessments at each relevant phase for waterfall development processes, while teams developing under agile methodologies will need upfront training and support to ensure data protection by design is considered throughout the ad-hoc and continuous development efforts.
It is important to note that data protection by design principles should be provided upfront to your developers (designers, coders, testers, release managers, etc.) in the form of training and playbooks, so that any privacy assessments are used as quality assurance for privacy controls rather than gap analysis. Your designers will appreciate building consent checkboxes into their wireframes before starting their designs, your coders would want to consider data minimization when designing their databases, and your testers should integrate privacy checks in their testing methodologies.
- Understand your organization’s GDPR position. Are you building an application used by your organization as a data controller? Is your application a go-to-market solution for a client who is a data controller? Is your application an off-the-shelf product for a solutions provider to use as a data processor? All of these have diverse effects on how data protection by design applies to an application’s design.
- Train your developers and build a data protection by design playbook. Ensure your developers understand the core principles of data protection by design, including what it means to build in data protection by default.Supplement your existing processes with a data protection by design playbook that provides concise and practical guidance to your development teams.
- Formalize a privacy assessment process. Engage your legal or privacy teams as part of your privacy assessment processes. See them as resources that can validate your development team’s data protection by design efforts, and enablers for your application’s GDPR compliance.
With such diverse types of applications and systems, there is no one-size-fits-all methodology for data protection by design in any development process. Your approach to data protection by design principles also depends on the GDPR’s application to your organization.
Understanding your application’s GDPR exposure, providing your development teams with tools to support data protection by design, and adding privacy assessment checkpoints within your SDLC will significantly reduce the impact new privacy regulations will have on your application delivery timeline and help expedite your application’s GDPR compliance.
Want to Know More?
TrustArc is partnering with BigID to add protection of sensitive data to its roster of data privacy and compliance capabilities. The move closely follows a partnership announced by two other major players in the data privacy and governance space, OneTrust and Integris.
An acquisition borne out of its users’ primary needs, OneTrust’s recent integration with data discovery giant Integris optimally positions the privacy program management software vendor against competitors in the market.
Data intelligence software vendor Alation has made the move to emphasize data governance amongst its solution offerings to make the data catalog a dynamic platform for “a broad range of data intelligence solutions.”
The industry’s first self-service privacy software solution Ethyca receives its second round of investor funding, aptly timed with the release of Ethyca Pro. The privacy management solution provides full automation capabilities for data mapping, data subject requests (DSRs), and consent management for various international privacy regulations.
To further capabilities in the data privacy space, top-tier vendor OneTrust has acquired Integris, another leading vendor within the data discovery and classification sphere. This is a two-part note that focuses on the acquisition and anticipated synergies between the two companies.
SECURITI.ai Addresses the Privacy vs. AI Debacle With the Industry’s First AI-Powered Privacy Solution
AI-powered privacy is here to stay, driven by the innovative team at SECURITI.ai. The company injects automation through AI with its PrivacyOps solution, PRIVACI, taking the effort out of mapping out personal data within its various repositories.
The privacy management software space is rapidly becoming crowded with vendors all looking to add value. 2B Advice has released the most recent version (7.0) of its software, emphasizing the support tools needed to build a privacy-aware culture.
Proteus-Cyber, a leading vendor within the privacy program management space, has added two standout features to its current privacy software offering. The Threat Intelligence feature tracks and links directly to CVEs discovered daily and can be integrated within the IT asset register of current Proteus-Cyber NextGen Data Privacy users.
In response to criticism over data collection practices, Google is introducing default deletion of location history in its web and application activities for new accounts.