Globally, data breaches have become mainstream security incidents, leading to the rise of the EU’s General Data Protection Regulation (GDPR).
It is a must for privacy to be the top of mind from the outset of any plan or project
involving data. Enterprises should begin embracing the framework of privacy by design, and incorporate privacy principles such as GDPR compliance as early as during the design phase of all technologies, processes and systems.
To do so, companies must:
- Take note of GDPR’s data privacy measures data minimization and pseudonymization.
- Categorize and map the data they are collecting.
- Embed privacy controls at each layer of the infrastructure, down to applications used.
Securing Data Through GDPR’s Privacy by Design
April 16, 2018
The state of enterprise data security
The growing number of high-profile privacy incidents, along with the fallout from such attacks, has pushed enterprises to increase their spending on cybersecurity solutions. According to Gartner, worldwide cybersecurity spending will reach $96 billion this year, and more than 60 percent of organizations will invest in multiple data security solutions by 2020. Survey respondents shared that the main driving force behind these spending decisions is the risk of data breaches.
But deploying state-of-the-art security is only one facet of an effective and comprehensive data protection plan. Another important part is changing the actual approach to implementing privacy. Instead of being an additional feature, privacy must be top of mind from the outset of any plan or project involving personal data. Enterprises should incorporate privacy principles as early as the design phase of all technologies, processes, and systems — a proactive rather than reactive approach to risk.
How can businesses do better?
Organizations need to embrace the framework of privacy by design, wherein privacy and data protection concerns are anticipated and addressed from the start. Regulators worldwide have already recognized the merits of this approach, as demonstrated in recent regulations like the GDPR. Complying with regulations is a step in the right direction. Not only is GDPR compliance a must for those dealing with EU citizens’ data, but adhering to the rules also sets a good standard for any organization collecting and processing personal data. Enterprises that want to integrate privacy fully into their infrastructure should also take note of important data privacy principles promoted by the GDPR: data minimization and pseudonymization.
Data privacy starts with clearly defining two things: the types of personal data to be collected, and the purpose for the data. Some organizations are collecting more data than they really need, and using it for purposes not clearly outlined for the user. One way to avoid this situation is through data minimization — collecting only what is needed from customers, using the data for only the purposes agreed to by the user, and adhering to appropriate data retention policies or deleting data once the purpose has been served.
Pseudonymizing data, on the other hand, makes personal data incapable of directly identifying an individual. The only way it can be linked to a unique individual is by combining it with other pieces of data stored and protected separately. This means that organizations can still process personal data and continue providing services to customers, while protecting their right to privacy.
Both principles can be implemented as data privacy measures as well as guide decisions throughout the design life cycle.
Committing to privacy by design
To fully employ the idea of privacy by design, enterprises should first categorize the data they are collecting and map its flow. This will help build context in order to design the specific security solutions that need to be set up within the organization. After understanding their data, enterprises should embed privacy controls at each layer of the infrastructure, down to applications used.
Here are some design guidelines to keep organizational and customer data secure:
- Enterprises should enforce strict authentication and authorization mechanisms on devices and applications to verify who can access data. Flaws in these areas are commonly exploited by hackers to steal data, or even access app functionality (in order to bypass PIN codes, inject malicious code, and other attacks).Enterprises should also impose strict access policies. For example, setting up remote access through virtual private network (VPN), putting up firewalls, and ensuring that any libraries or databases connected to apps are secure.
- The enterprise development or DevOps teams should build layered privacy into their applications. Teams should strengthen encryption and secure an app’s network connections. Some apps can also benefit from application containerization, where apps are deployed in a contained environment, like virtual machines.
- Privacy should also be integrated into the cloud infrastructure. According to a 2017 survey by LogicMonitor, 83 percent of enterprise workloads will be in the cloud by 2020. This presents a good opportunity for enterprises to create and implement new privacy policies as they move to the cloud. Properly configuring servers would be the first step since many data breaches have stemmed from misconfigured servers. Limiting accessibility and installing proper solutions are also important. Enterprises should have a cross-generational blend of threat defense techniques that can used to protect their cloud services. Layered security should protect against network and application threats, detect malicious activity, and also secure connected systems.
- Enterprises should also evaluate potential privacy risks to customers by carrying out Privacy Impact Assessments (PIAs) on their data processing and collection. Evaluating the possible risks will help enterprises craft and design a proportional security response before any incident occurs.
New projects, like cloud transformation initiatives, give enterprises the opportunity to build privacy, security, and automation into their systems with the right tools. But everyone within the enterprise — from the DevOps teams that build applications to the marketing teams that use the applications — should be aware and committed to privacy by design. It’s crucial that organizations invest in education and awareness programs for employees. The more informed employees are about the importance of privacy, the easier it will be for them to integrate it into their work.
Of course, when implementing new data privacy and protection policies, every organization should expect an initial adjustment period. Devices will have to be upgraded, new software installed, and security processes adopted — all important and necessary steps. Not only do most enterprises require these improvements to be compliant with the GDPR, but they also need these to stay ahead of the curve and give users the privacy and security that they expect and need.
Learn how Trend Micro can help you on your journey to better data security and GDPR compliance. Find out how you can take action and make sure your endpoints, networks, and cloud environments are protected and secured.