GDPR demands that organisations look closely at the technology they use to store, manage and process data. There is no excuse for shoddy, unsafe technology. Instead, technology should be innovative and fit to stand any security breaches or compromises. It makes perfect sense to ensure that your systems can withstand cyber-attacks and data breaches, empowering organisations to build better relationships with customers, stakeholders, and regulators.
Often intertwined, the two principles of privacy-enhanced technology; privacy by design policy is the protection of data using tools such as pseudonymisation and encryption, while privacy by default is automatic privacy-friendly settings from the outset. Ultimately, both should form the forward-thinking systems and devices of an organisation.
The original concept of “Privacy by Design Policy.”
Privacy by design policy encompassed the findings of Ann Cavoukian during the 90s when she espoused the principle of organisations becoming proactive when implementing data protection, incorporating from the ground up. She championed the prioritising of privacy into the design and development of systems as part of the project planning phase.
Privacy by design policy, transparency and openness are not new buzzwords created from the GDPR, Cavoukian has championed these responsibilities even before her long-standing term as Information, and Privacy Commissioner of Ontario and her recommendations formed the basis of privacy by design as implemented in the GDPR. The GDPR has spurred the adoption of innovative, secure processes, firstly due to the harsh financial penalties for not doing so, but also to protect the lifeblood of businesses, i.e. the data.
With the recent influx of data breaches reported in the media, with security lapses and incidences reported daily, the genuine threat of
- ransom malware attacks,
- malicious phishing attempts,
- infected apps and
- compromised devices.
It makes sound sense to future-proof technology.
Educating the user is also important, with a language they can understand. For example, the average online consumer is not aware of what happens with their data when they visit a website and decline to manage cookies merely giving away consent at a tick of a box. GDPR has put an end to those days, and the concept of tick box consent. Again spurred by Cavoukian’s, “respect for the individual” along with the notion of giving power to the user, as laid down in the ISO 13407.
Achieving privacy by design will grant confidence to users that their data is cherished and secure. This will go with easy to use explanations and options for the privacy journey. Not only customers but third-party suppliers, employees, stakeholders, in fact, anyone who handles data on your behalf or data that you process on them, they will have the confidence to use your services giving you that edge over competitors.
Keys steps to achieve GDPR compliance
Let us examine some examples of how an organisation can embrace privacy by default and design and ensure GDPR compliance.
- Advanced access management controls, these are a step up from the traditional access management controls and technologies such as single sign-on authentications or the reusing of weak and unsecured passwords.
- Advanced solutions ensure access to only limited or necessary data, with robust methods of authentication such as biometrics, multifactor authentication. They are allowing for interoperability across systems and organisations, with trust-based access.
- Consider Risk-Based Awareness and Alternative Authentication Methods. An excellent example of risk-based awareness – being abroad and going online to check your bank account.
You appreciate the extra security checks that your bank puts in place due to the unusual IP address. Risk-based awareness methods are especially useful for unusual user detection and the creating of new accounts.
- Extra protective measures in place such as antivirus software and robust firewalls, pen testing and continually updated security.
Enhanced protection incorporated when processing sensitive data such as names, addresses, and account numbers. Consumers will prioritise security over convenience especially where finances are involved.
- Built-in customer awareness is crucial if you wish to continue collecting and sharing their data. Customers must know what happens to their data. It facilitates their overall experience and warms them to the idea of an improved experience.
Customers want to know the benefits and values of providing their data. They will trust websites that include simple AI tools to allow them to manage privacy preferences. GDPR Art 15 already recommends this, via “on-demand access”. It allows for a review of consent, permissions, and the ability to download data in a simple format.
- Giving value to the customer, building that trust and embracing privacy by design will find favour with regulators and customers alike.
Following these steps and taking expert technical advice is a further step towards full compliance giving organizations peace of mind.