Privacy by Design in Practice

As the IBM 2020 Cost of a Data Breach report outlines, the year has not been a good one for privacy so far: the global average cost of a data breach stands at $3.86 million, and healthcare is still the most vulnerable sector.

It is little surprise that on both sides of the ocean, regulators and advocacy groups are intensifying their scrutiny. Two years after it was officially introduced, the most visible European initiative is still the GDPR, with its strict requirements on data processing. These are backed by fines of up to 4% of the global revenues of wrongdoers. In the US, we have observed a large number of huge breaches, such as the Zoom credential sale in April (500,000 passwords stolen) and the second Marriott breach in March (5.2 million people impacted).

The spread of the COVID-19 pandemic has also had a huge impact on the way companies do business, leading to additional information security threats. Many employees are now working from home and using VPNs to connect to corporate networks, and there is increased demand for video conferencing, cloud applications and network resources.

Privacy by Design

Data breaches are bad for both businesses and consumers, leading to ruined reputations, decreased trust, increased churn, and direct operational and legal expenses. On the other hand, preventing data breaches remains a challenge. As a result, the requirements on system development are increasing, mandating that privacy be baked into the Software Development Life Cycle. This is the new paradigm of Privacy by Design, also enshrined in Article 25 of the GDPR. Initially conceived by Ontario’s Information Commissioner Dr. A. Cavoukian, it consists of seven broad overarching principles:
[Infographic: Principles of Privacy by Design]

Organizational and IT Measures

But how do those lofty principles fit in practice? They require a convergence of organizational practices and technological measures that provide for a high level of data protection. The organizational side is the more familiar one – a combination of policies, processes, and standard operating procedures is a must. This is then meshed together with a strong management push and extensive training towards a privacy-friendly culture. While this is more easily said than done, implementation is still within reach for (almost) all organizations.
On the technological side, things are more complicated. While privacy-enhancing technologies (PETs) have proliferated, they remain merely pieces of the privacy puzzle. Developers and security officers do understand that a combination of secure multifactor authentication, strict access controls, data encryption and tamper-free logging are important components of the security architecture. However, companies have to piece all those components together. The context and the risk assessment will call for additional ones, and then the entire solution has to be rolled out and continuously supported. Given the vast amount of human and financial resources needed, this is a formidable challenge even for large organizations, let alone medium and small businesses.

Real-life Implementation

This is why some businesses opt for the gray area, where they implement subpar protection in the hope that regulators, activist consumer groups or competitors will not catch on. This needlessly exposes them to business risk that may be massive in scope. A potential solution to this problem is to leverage a cost-efficient proprietary solution that takes care of most, if not all, of the compliance needs. External vendors leverage economies of scale and scope and can provide both cutting-edge technology and advanced legal and organizational support. We at LogSentinel are focused on providing exactly this kind of cost-efficient and powerful solution for small and medium businesses.
Our product SentinelDB is a fully compliant and extremely secure database in the cloud that effectively prevents data breaches. We are able to offer multiple levels of encryption, AI-driven anomaly detection, and blockchain-enabled logging capabilities, thus bringing privacy protection to the next level. Irrespective of the solution, however, businesses will need to be conscious of privacy protection if they are to continue using and generating profit from a crucial asset – personal data.