Data Protection by Design
This is a new age and a new way of doing business, one that relies on data more than on wisdom and at the same time makes organisations more respectful of the ownership of customers' personal data. Any data that can identify a customer in the real world is personal data.
Recently the smart TV maker Vizio was fined for spying on its users; an Uber employee was caught tracking a journalist using Uber's tool "God View", which is available only to Uber employees for tracking drivers and customers; AT&T was fined $25m because a few employees sold customer data; Netflix has been fined in the past; Google may face an $18b fine for breaking web privacy laws in the Netherlands; and the EU is drawing the line (with GDPR): if companies cross it they will be fined € 10 m or 4 % of revenues. Companies build their business model and marketing strategy around data, but it is really difficult for a company to decide when that becomes unethical. The second biggest problem companies may face is how to stop their employees from misusing the data.
GDPR, a data-protection-by-design framework, solves the data privacy issues to a large extent and creates a win-win-win situation: companies get the data they want, customers' privacy is protected, and government has a law in place.
According to the law, if an organisation fails to protect the privacy of a customer it should be fined. Organisations practise data protection by design to cope with threats from hackers, social engineering, and compromised employees, up to and including the CEO.
GDPR, the General Data Protection Regulation from the EU, is a framework and guideline applicable to any organisation that has day-to-day responsibility for data protection. It is a living document: some changes are still being made. The GDPR will fully apply in the UK from 25 May 2018, and the UK government has confirmed that Brexit will not affect the commencement of GDPR. Under GDPR, protection of customers' personal data is primarily the responsibility of organisations, in their roles as Controllers and Processors.
Subject - Persons who own personal information and submit it
Controller - Organisations that collect, store, and forward information
Processor - Organisations that correlate, process, and analyse information
GDPR places strong emphasis on "consent" and on how subjects have more control over the consent they give to controllers and processors.
Organisations need to do data and network mapping: get to know every item of data they are collecting, where they are storing it, and where they are forwarding it. Organisations need to know the processor for each and every piece of data. Every time they make a change, a small or big software or infrastructure change, they should do an impact assessment of how data will be handled, who will process it, and where and how data leaks might happen. Review organisational policies and procedures and verify that they are GDPR compliant. Most important right now is how organisations plan and implement their protection strategies.
Two big questions should, and will, come to users' minds one day, or always:
1. What is happening to my data? How is the data managed?
2. Who can access my data? How is the data accessed?
These two questions are also the core of, and the motivation behind, GDPR.
Organisations need to address both questions in the GDPR context; they need a strategy for each, that is, a strategy for data management and a strategy for access management.
In the following sections, we will see in detail what strategy GDPR recommends for data management and data access.
Minimization - Information collected should be kept to the bare minimum, and only the minimum should be stored. For example, if a company is running a survey and does not need the identity or name of the user, it should not collect it. If any extra information is collected (collecting more is still allowed), it must be encrypted; therefore, any extra data collected and/or stored by the company should be hidden (encrypted). Collected data should be stored in chunks, meaning not all information in one place, so that the whole of the information cannot be stolen in one breach. Later the chunks are aggregated in a secure database.
One of the major sources of information within organisations is the log file: a file that records events, where every event carries some details. For example, a fund transfer event will be logged with details such as amount, from account, to account, payee details, date, time, IP address, etc., and organisations use log files for debugging or monitoring if any issue comes up in future. GDPR applies to log files, and a log entry containing a card number will be invalid. Organisations now need to filter the data that goes into the log file; they need to encrypt data and store anonymized data (the user cannot be identified from the data); and they need to protect the data during storage and transfer.
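The log-filtering step described above, as an added example that is not part of the original article: a small sanitiser that is run over each line before it is written. Card numbers are masked to the last four digits (gated by a Luhn check so that ordinary long identifiers are left alone), e-mail addresses and account numbers are replaced by a keyed-hash pseudonym so that events can still be correlated without identifying the user, and IP addresses are truncated to the network. The `PSEUDONYM_KEY`, the `from=`/`to=` field format and the sample log lines are constructed for this example.

```python
import hashlib
import hmac
import re

# Hypothetical pseudonymisation key; in a real deployment it comes from a key store, never from source.
PSEUDONYM_KEY = b"constructed-example-key-replace-me"

# Patterns for the kinds of personal data the paragraph names. Card numbers: 13-19 digits,
# optionally separated by single spaces or dashes. Account fields follow a constructed
# "from=<digits>" / "to=<digits>" log format assumed for this example.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}\b")
ACCOUNT_RE = re.compile(r"\b(from|to)=(\d+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that only plausible card numbers are masked, not arbitrary long IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(match: "re.Match") -> str:
    """Keep only the last four digits; the rest can never be recovered from the log."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number: leave it unchanged
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymise(value: str) -> str:
    """Keyed hash: the same input always maps to the same token, so events still correlate,
    but the original cannot be recovered from the log without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitise_line(line: str) -> str:
    """Apply all filters to one log line before it is written to disk or shipped."""
    line = CARD_RE.sub(mask_card, line)
    line = EMAIL_RE.sub(lambda m: "email:" + pseudonymise(m.group(0).lower()), line)
    line = ACCOUNT_RE.sub(lambda m: f"{m.group(1)}=acct:{pseudonymise(m.group(2))}", line)
    # Truncate the last octet so the network is kept for debugging but the host is not.
    line = IPV4_RE.sub(lambda m: f"{m.group(1)}.{m.group(2)}.{m.group(3)}.0", line)
    return line


# Constructed sample lines for illustration (not real transactions).
SAMPLE_LOG = [
    "2018-05-25 10:32:01 INFO transfer amount=250.00 from=12345678 to=87654321 "
    "card=4111 1111 1111 1111 user=alice@example.com ip=203.0.113.42",
    "2018-05-25 10:33:15 INFO lookup ref=1234567890123456 ip=198.51.100.7",
]


def sanitise_all(lines):
    return [sanitise_line(line) for line in lines]


if __name__ == "__main__":
    for out in sanitise_all(SAMPLE_LOG):
        print(out)
```

The keyed hash rather than a plain hash matters: an unkeyed SHA-256 of an e-mail address or account number can be reversed by anyone who can enumerate plausible inputs, whereas the HMAC token is only linkable by whoever holds the key.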
Break the information collected for a user into two parts: process-able data and personal data (information that is not needed at this point but is important; it need not necessarily be personal data). The two types of information are stored separately and are related by a correlation key. Aggregate all data in one centralised location and from there distribute the required data to the tools doing analysis.
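The minimisation and the two-part split described in the two paragraphs above, as an added example that is not part of the original article. A record is reduced to an allow-list of fields on the way in, the identifying fields go to a separate vault (assumed here to be encrypted at rest), the remaining fields go to the store that analysis tools read, and the two halves share only a random correlation key. Erasing the vault entry leaves the analysis row anonymous. The field allow-lists and the sample record are constructed for this example.

```python
import secrets
from typing import Any, Dict, List, Optional

# Constructed allow-lists for this example. Anything not listed here is never collected
# (minimisation); the personal fields go to a separate vault, the rest to the analysis store.
PERSONAL_FIELDS = {"name", "email", "phone", "address"}
PROCESSABLE_FIELDS = {"country", "plan", "signup_month"}


class SplitStore:
    """Two stores related only by a random correlation key.

    personal    -> assumed to be an encrypted-at-rest vault reachable by few people
    processable -> what analysis tools receive; contains no direct identifiers
    """

    def __init__(self) -> None:
        self.personal: Dict[str, Dict[str, Any]] = {}
        self.processable: List[Dict[str, Any]] = []

    def ingest(self, record: Dict[str, Any]) -> str:
        key = secrets.token_urlsafe(16)  # unguessable; not derived from the person's data
        personal = {k: v for k, v in record.items() if k in PERSONAL_FIELDS}
        processable = {k: v for k, v in record.items() if k in PROCESSABLE_FIELDS}
        # Fields in neither set are dropped here: collected data is kept to the bare minimum.
        self.personal[key] = personal
        self.processable.append({"correlation_key": key, **processable})
        return key

    def for_analysis(self) -> List[Dict[str, Any]]:
        """Everything analysis tools get; safe to copy into less protected systems."""
        return [dict(row) for row in self.processable]

    def reidentify(self, key: str) -> Optional[Dict[str, Any]]:
        """Join back to the person. Only a privileged, audited path should call this."""
        return self.personal.get(key)

    def erase(self, key: str) -> bool:
        """Right to erasure: remove the personal half; the processable half becomes anonymous."""
        return self.personal.pop(key, None) is not None


def demo() -> Dict[str, Any]:
    store = SplitStore()
    # Constructed sample record, not real data.
    key = store.ingest({
        "name": "Alice Example", "email": "alice@example.com",
        "country": "NL", "plan": "pro", "favourite_colour": "blue",
    })
    rows = store.for_analysis()
    before = store.reidentify(key)
    erased = store.erase(key)
    after = store.reidentify(key)
    return {"key": key, "rows": rows, "before": before, "erased": erased, "after": after}


if __name__ == "__main__":
    print(demo())
```

The correlation key is random rather than a hash of the e-mail address on purpose: a key derived from the person's data would let anyone holding the analysis store test guesses against it and re-link rows without touching the vault.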
GDPR recommends that every organisation hire a Data Protection Officer (DPO). The DPO reports to the supervisory authority, an entity in the EU, to keep it updated that GDPR is being followed, and the DPO needs to provide evidence that the organisation is GDPR compliant. The DPO governs all data handling processes within the organisation and monitors the privileged people within the organisation who have access to major data. Privileged people include database administrators, support staff, analytics staff, etc. who have access to the personal information of end users: people with high-profile accounts that have access to any server, database, and application, who can alter data, and who function unsupervised. The DPO documents every activity done on personal information. An access management device monitors the stores where personal information is kept; if an unauthorised attempt is noticed, the DPO should be alerted and the connection blocked. The DPO has to put in place a real monitoring system between privileged users, clients, and the machines that contain personal information, along with the capability to revoke access at any time. The DPO receives an audit trail of all activities done by privileged users on personal data.
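The privileged-user monitoring described above, as an added example that is not part of the original article: the audit trail the DPO receives is walked event by event, each access to a personal-data store is checked against a policy, every violation becomes an alert, and a user whose role is not authorised for that store is revoked. The audit-line format, the policy constants and the sample lines are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed audit-trail lines in an assumed format:
# "<ISO timestamp> user=<id> role=<role> action=<SQL verb> store=<table> rows=<count>"
SAMPLE_AUDIT = """\
2018-05-25T09:01:12Z user=dba01 role=dba action=SELECT store=customers rows=12
2018-05-25T09:05:40Z user=support7 role=support action=SELECT store=customers rows=1
2018-05-25T09:07:03Z user=analyst3 role=analytics action=SELECT store=customers rows=25000
2018-05-25T02:15:55Z user=dba01 role=dba action=UPDATE store=customers rows=3
2018-05-25T09:10:21Z user=intern9 role=marketing action=SELECT store=customers rows=40
2018-05-25T09:12:00Z user=intern9 role=marketing action=SELECT store=products rows=5
"""

# Policy (assumed for the example): which stores hold personal data, who may touch them,
# what counts as a bulk read, and when changes are expected.
PERSONAL_STORES: Set[str] = {"customers"}
AUTHORISED_ROLES: Set[str] = {"dba", "support", "analytics"}
BULK_ROWS = 1000
WRITE_VERBS = {"UPDATE", "DELETE", "INSERT"}
WORK_HOURS = range(8, 19)  # 08:00-18:59 UTC


@dataclass
class Alert:
    user: str
    reason: str
    line: str


def parse(line: str) -> Dict[str, str]:
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    return event


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the policy violations for one event (empty list means nothing to raise)."""
    reasons: List[str] = []
    if event["store"] not in PERSONAL_STORES:
        return reasons  # only personal-data stores are in scope here
    if event["role"] not in AUTHORISED_ROLES:
        reasons.append("role not authorised for personal data")
    if int(event["rows"]) >= BULK_ROWS:
        reasons.append(f"bulk read of {event['rows']} rows")
    hour = int(event["ts"][11:13])
    if event["action"] in WRITE_VERBS and hour not in WORK_HOURS:
        reasons.append(f"out-of-hours {event['action']}")
    return reasons


def monitor(audit_text: str) -> Tuple[List[Alert], Set[str]]:
    """Walk the trail; alert the DPO on every violation and revoke unauthorised users."""
    alerts: List[Alert] = []
    revoked: Set[str] = set()
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        for reason in evaluate(event):
            alerts.append(Alert(event["user"], reason, line))
            if reason.startswith("role not authorised"):
                revoked.add(event["user"])  # sever the connection, as the text requires
    return alerts, revoked


if __name__ == "__main__":
    found, blocked = monitor(SAMPLE_AUDIT)
    for a in found:
        print(f"ALERT {a.user}: {a.reason}")
    print("revoked:", sorted(blocked))
```

Note that the authorised DBA still produces an alert for the out-of-hours update and the analyst for the bulk read: the point of the audit trail is that being privileged does not make an action unremarkable, it only changes which rule applies.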
Consent = Genuine Choice + Understanding the implications.
The subject (customer) gives consent based on an understanding of the implications; the subject had a choice, can manage the consent, and can revoke it.
Individuals will be informed (in clear, plain, and concise language) whenever their data is used, and individuals have the power to access, rectify/modify, erase/delete, restrict, extract and reuse for personal purposes, etc.
Organisations need to present a consent form, which will not resemble a multi-page complex EULA; individuals fill in the form and a consent receipt is generated. GDPR sets standards for the consent form: it must be specific and unbundled (separate from terms and conditions), with opt-in boxes unticked by default, granular (a different check box for each type of use), named (the organisation and any third party who might use the personal data), documented (history and tracking), easy to withdraw (individuals can withdraw at any time using the form), and consent should not be a pre-condition for a service unless required (a customer can use Google search without providing personal data).
A Consent Receipt is the record of the consent provided by the PII (Personal Information Identifier) Principal (the natural person to whom the PII relates), or Subject, to a Controller to collect, use, and disclose PII in accordance with an agreed set of terms.
The Consent Receipt will be a simple form with a number of fields, available on the customer's mobile, and the customer will be able to view, modify, or revoke the consent given to any organisation. Customers will be informed when their data is shared and will be able to delete their data. Indeed, customers will have full and granular control of their personal data even though the data is stored remotely on companies' premises.
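The consent-form standards listed above and the consent receipt described in the last two paragraphs, as an added example that is not part of the original article: a receipt record in which every purpose has its own tick box and starts unticked, the controller and named third parties are recorded, every grant and withdrawal is appended to a history, withdrawal is a single call, and `is_permitted` is the check a controller or processor runs before using data for a purpose. The purpose names, the receipt fields and the sample values are constructed for this example and do not follow any particular consent-receipt specification.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed purposes for the example; each gets its own tick box (granular consent).
PURPOSES = ("service_delivery", "marketing_email", "share_with_partners", "analytics")


@dataclass
class ConsentReceipt:
    receipt_id: str
    subject_id: str
    controller: str
    third_parties: List[str]
    # Every purpose starts unticked: no pre-ticked boxes.
    purposes: Dict[str, bool] = field(default_factory=lambda: {p: False for p in PURPOSES})
    # Documented: full history of grants and withdrawals, oldest first.
    history: List[Tuple[str, str, str]] = field(default_factory=list)


def new_receipt(receipt_id: str, subject_id: str, controller: str, third_parties=()) -> ConsentReceipt:
    return ConsentReceipt(receipt_id, subject_id, controller, list(third_parties))


def _check_purpose(purpose: str) -> None:
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")


def grant(receipt: ConsentReceipt, purpose: str, when: str) -> None:
    _check_purpose(purpose)
    receipt.purposes[purpose] = True
    receipt.history.append((when, purpose, "granted"))


def withdraw(receipt: ConsentReceipt, purpose: str, when: str) -> None:
    """Withdrawal is as easy as granting: one call, effective immediately."""
    _check_purpose(purpose)
    receipt.purposes[purpose] = False
    receipt.history.append((when, purpose, "withdrawn"))


def is_permitted(receipt: ConsentReceipt, purpose: str) -> bool:
    """The check a controller or processor runs before using data for a purpose."""
    _check_purpose(purpose)
    return receipt.purposes[purpose]


def may_share_with(receipt: ConsentReceipt, party: str) -> bool:
    """Sharing needs both a named third party and the sharing purpose ticked."""
    return party in receipt.third_parties and is_permitted(receipt, "share_with_partners")


def receipt_json(receipt: ConsentReceipt) -> str:
    """What the subject sees on their phone: who holds the data and what they agreed to."""
    return json.dumps({
        "receipt_id": receipt.receipt_id,
        "subject_id": receipt.subject_id,
        "controller": receipt.controller,
        "third_parties": receipt.third_parties,
        "purposes": receipt.purposes,
        "history": receipt.history,
    }, indent=2)


if __name__ == "__main__":
    r = new_receipt("rcpt-0001", "subject-42", "Example Shop Ltd", ["Example Courier"])
    grant(r, "service_delivery", "2018-05-25T10:00:00Z")
    grant(r, "marketing_email", "2018-05-25T10:00:00Z")
    withdraw(r, "marketing_email", "2018-06-01T08:30:00Z")
    print(receipt_json(r))
```

Keeping the purposes as separate booleans rather than one "I agree" flag is what makes the receipt unbundled and granular; the history list is what lets the controller later show when each tick was given or removed.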