The principle of Privacy by Design introduced by General Data Protection Regulation (GDPR) requires firms and public administrations to adopt a proactive and not merely reactive approach to personal data protection, rendering necessary to provide operative procedures, configurations and safety measures safeguarding confidentiality, integrity and availability of personal data (RID) “by default”, meaning in the moment they “enter” the organization.
This principle, in its enunciation, appears obvious and simple, but as soon as a closer look is given, it immediately emerges that its enforcement has uncommon organizational, procedural and technological implications.
An example that may be helpful understanding the complexity of this principle is concerning the SLM processes that manage the life cycle of personal data processing applications: in order to comply with the Privacy by Design principle they must be integrated with:
- Identification of personal data stream and those processing operations that will take place during the whole life cycle of data within the organization.
- Precise identification of safety requisites which must be met by the applications and the supporting technological infrastructures in order to safeguard personal data’s RID, in any status they are found (in use, in motion, at rest)
- Defining programming standards ensuring implementation of applications lacking vulnerabilities caused by unsafe programming.
- Defining architectural standards needed to ensure the defined safety requisites
- Defining masking techniques (or similar) for personal data used in other instances from those of production (testing, formation, …)
- Integrating test plans with the verification activities of a correct safety requisites implementation, both at applicative and infrastructural level
- Providing testing activities aimed to verify the efficiency of safety measures and applicative-architectural standards implemented (ethical hacking, penetration test, vulnerability assessment, code review,…)
Who then is defining the requisites, standards and technologic solutions? According to which criteria? And moreover, who is defining the ethical/behavior rules and the relative sanctions? Who is in charge of personnel’s formation? At first glance one would say: who then, if not DPO? Surely DPO has, simplifying, the responsibility of defining the personal data protection framework, then also the model of Privacy by Design, verifying its correct implementation and efficiency in time, but this does not mean that he must operate completely autonomous, he would not be able and would not be expected to have detailed technical, legal, organizational and procedural competences functional to a correct implementation of the Privacy by Design principle. All of the main company roles (Information Security, Risk Management, ICT, Legal, Compliance, Organization, HR, Internal Audit,…), will have to contribute with support and coordination of DPO revising and integrating, for their competences, the processes and technologies used in order to implement a defined and shared model of Privacy by Design and to ensure its efficiency in time.
Since the management model of Privacy by default (PbD) may not disregard the output originated by the system’s typical information safety management processes, it follows that the first steps to be made, before intervening on the processes, are defining or revising, in a PbD optic, at least the following processes:
- Data classification, for a correct identification and classification of data managed by the organization, such as personal data, in all their possible forms
- Risk management, identifying risk exposition of personal data and the following organizational, procedural and technological measures needed to ensure safety. The identified measures will expand the list of safety requisites for safeguarding the personal data’s RID
- Vulnerability management, which also defines, according to data classification and risk analysis, the activities/analysis to implement in the application’s testing phase in order to identify, before it goes into production, possible vulnerabilities which may compromise personal data safety
- Data Masking, to blur personal data used in testing and/or training instances
- Hardening, to define and implement safe system configurations and applications processing personal data
- Training, to train technicians on the safe programming standards and safe architectures
- Awareness, to sensitize the personnel on the aspects and implications concerning management and protection of personal data
- Internal auditing, to integrate the audit plan and the internal monitoring framework in order to implement the necessary efficiency checks for the given model
From such an indicative and non-exhaustive enunciation of pre-requisites, it appears clearly how the implementation of the Privacy by Design principle is subject to definition and implementation of the framework appointed to personal data management in accordance with GDPR. This does not mean that PbD is to be considered only in the later phases of the GDPR readiness project, but rather, it must be taken well in count since the framework designing phase, in order to allow the processes of data classification, risk management etc. to provide the necessary outputs for its correct and efficient implementation and management in time.
During the defining of Privacy by Design, but even more during the defining of GDPR compliance’s framework, we must not forget that the personal data must be protected always and in any case, thus even when not in a digital format. It becomes then necessary to extend what was stated here concerning SLMs to the documental management processes in order to safeguard personal data reported in paper documents. For this aim it must be provided at least:
- Definition of guide-lines for managing documents reporting personal information (document classification, clean desk, document transmission, secure printing, …)
- Adoption of indexes, document holders, folders, etc. with locker, for safe archiving of paper documents reporting personal data
- Revision of operative modalities for “analogic” personal data processing, in order to make them in compliance with PbD principle
At last, according to sanctions provided for by GDPR, it may be necessary to review the internal sanction system, in particular for whom, violating the ethical code, in the given procedures and policies, might compromise the personal data processed by the company, whether digital or “analogic”.