What does data protection by design actually mean?

by Emma Woollacott
24 December 2020
in Privacy

In October, the European Data Protection Board (EDPB) adopted a final version of the Guidelines on Data Protection by Design & Default – essentially an update of the privacy by design principles enshrined in the GDPR in 2018.

The basic idea is that data protection should be baked in by default to any new systems handling personal data, rather than bolted on at a later date. This means, for example, building in pseudonymisation and encryption, and limiting the availability of personal data as tightly as possible.

Data controllers are required to implement ‘appropriate’ technical and organisational measures to protect the rights and freedoms of data subjects, along with ‘necessary safeguards’. They also need to be able to demonstrate that the measures they’ve put in place are effective, and to continually monitor and update them. 

A long-standing concept

The basic concept of privacy by design dates back to the mid-1990s, and was first floated by Dr Ann Cavoukian, the former information and privacy commissioner for Ontario. 

It was recognised as an essential component of fundamental privacy protection by regulators at the International Conference of Data Protection Authorities and Privacy Commissioners in 2010, and now forms part of many well-known privacy frameworks such as OWASP and NIST as well as, of course, the GDPR. 

But it’s all very well having principles; it’s how they’re implemented and enforced that matters. And as Nigel Thorpe, technical director at data security specialist SecureAge Technology, points out: 

“Data protection by design and default is a hugely important principle within GDPR. However, there is no guidance on exactly what this means in terms of standards, techniques and protocols that should be adopted. This has led to patchy implementation of the principle.”

The first fine for breaching the rules came in June last year, when Unicredit Bank was fined €130,000 for a ‘failure to implement appropriate technical and organisational measures’ that led to the disclosure of customers’ personal data.

A few months later, there was a rather more significant fine – €14.5 million – for German real estate company Deutsche Wohnen. The company was found to have stored the personal data of tenants without a legal basis, and without implementing privacy by design; it seems the company’s systems had been set up in such a way that it was not possible to delete obsolete personal data. 
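As an added example (not from the article, and not code from any of the companies quoted), the following Python sketch shows what the design properties named earlier look like in practice: personal data is minimised at intake, stored under a keyed pseudonym rather than the raw identifier, and can actually be deleted when obsolete because each subject's key is held separately and destroyed on erasure. That last property is the deletability the Deutsche Wohnen system reportedly lacked. The store and class names, the field names and the sample tenant records are all constructed for illustration; the code uses only the Python standard library.

```python
"""Pseudonymisation, data minimisation and deletability as design properties.

Added example; not part of the article. All names and sample data are constructed.
"""
import hashlib
import hmac
import secrets
from datetime import date

# Fields the (hypothetical) tenancy purpose actually needs; everything else is
# dropped at intake so it can never leak or need deleting later.
ALLOWED_FIELDS = {"unit", "lease_end"}


class TenantStore:
    """Pseudonymised records, with per-subject keys kept in a separate store."""

    def __init__(self):
        self.keys = {}      # subject_id -> secret key (stands in for a separate key vault)
        self.records = {}   # pseudonym -> minimised record (never holds the identifier)

    @staticmethod
    def pseudonym(subject_id, key):
        # Keyed hash: without the key, the pseudonym cannot be recomputed from the identifier,
        # and without the identifier it cannot be reversed.
        return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def add(self, subject_id, record):
        """Minimise the record and file it under the subject's pseudonym."""
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        minimised = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
        self.records[self.pseudonym(subject_id, key)] = minimised
        return minimised

    def lookup(self, subject_id):
        key = self.keys.get(subject_id)
        if key is None:
            return None
        return self.records.get(self.pseudonym(subject_id, key))

    def erase(self, subject_id):
        """Delete the record and destroy the key, so any stray copy becomes unlinkable."""
        key = self.keys.pop(subject_id, None)
        if key is None:
            return False
        self.records.pop(self.pseudonym(subject_id, key), None)
        return True

    def purge_obsolete(self, today, retention_days=0):
        """Erase every subject whose lease ended more than retention_days before today."""
        erased = []
        for subject_id in list(self.keys):
            rec = self.lookup(subject_id)
            if not rec or not rec.get("lease_end"):
                continue
            ended = date.fromisoformat(rec["lease_end"])
            if (today - ended).days > retention_days:
                self.erase(subject_id)
                erased.append(subject_id)
        return erased


# Constructed sample input: one current tenant and one whose lease ended long ago.
SAMPLE_TENANTS = {
    "alice@example.com": {"unit": "3B", "lease_end": "2019-06-30",
                          "salary": 52000, "passport": "X1234567"},
    "bob@example.com":   {"unit": "7A", "lease_end": "2021-12-31", "salary": 61000},
}


def demo(today=date(2020, 12, 24)):
    """Load the sample tenants, purge obsolete ones, and return the store plus what was erased."""
    store = TenantStore()
    for subject_id, record in SAMPLE_TENANTS.items():
        store.add(subject_id, record)
    erased = store.purge_obsolete(today)
    return store, erased


if __name__ == "__main__":
    store, erased = demo()
    print("erased:", erased)
    print("remaining records:", store.records)
```

The point of holding keys apart from records is that erasure becomes a single, auditable operation (destroying the key) that also neutralises copies the live system does not control, such as backups; the accountability requirement is then a matter of logging calls to `erase` and `purge_obsolete` rather than proving every replica was scrubbed.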

Should the principles be more specific? 

In practice, informal checklists are available from, for example, the Norwegian data protection authority and the European Union Agency for Cybersecurity (ENISA). However, the EDPB has deliberately stopped short of doing the same.

And without an official checklist, it’s hard for organisations to be completely sure that they’re complying with data protection by design and default rules. However, says Matthew Gardiner, principal security strategist at Mimecast, it would be impractical to mandate specific technical measures.

“Ultimately, laws and regulations have a diminishing impact when they run into the reality on the ground,” he says. 

“Governments can be very helpful on the fronts of law enforcement, international cooperation, and education as well as applying excellent security and privacy practices in their own operations, but legislating good security and privacy practices for every organisation in their jurisdiction at a detailed level would be rife with unintended consequences.”
