How to safeguard data and comply with the GDPR and similar legislation

With the GDPR in effect for some time now, organizations must ensure that their products, services and processes are GDPR-compliant as well. The best way to do this for current and future business initiatives is to establish a culture of privacy by design and by default in your organization, and to perform a privacy impact assessment (PIA) whenever one is needed.

We like to think of it as three ways to establish a strong data security foundation in your organization, and we’ll break each one down in this short blog post.

What is Privacy by Design?

Privacy by Design means building the protection of personal data into the design of a service, product or process from the outset, rather than adding it afterwards. This is often viewed as the backbone of your overall compliance efforts.

Here are some examples of what this means in practice:

    • An app only asks for the data that is strictly necessary for it to function, and nothing more

    • Personal data are automatically (and irreversibly) anonymized and stored separately from the source data; the source data are then destroyed

    • Automatic anonymization or pseudonymization

    • Two-factor authentication of users for more robust access security
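
The following is an added example, not code from the original post or from ZIVVER, showing three of the practices listed above in working Python: data minimization, pseudonymization with a keyed token (HMAC-SHA256) whose lookup table and key are held separately from the working data, and irreversible anonymization that drops direct identifiers and coarsens the birthdate and postcode. The record, field names and key are constructed for the example.

```python
import hmac
import hashlib
from typing import Any, Dict, Iterable, Tuple

# Constructed sample record; every value here is made up for this example.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Alex Example",
    "email": "alex@example.com",
    "birthdate": "1984-06-12",
    "postcode": "SW1A 1AA",
    "purchases": 3,
}

# Fields that identify a person directly (assumed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def minimize(record: Dict[str, Any], needed: Iterable[str]) -> Dict[str, Any]:
    """Data minimization: keep only the fields the processing actually needs."""
    wanted = set(needed)
    return {k: v for k, v in record.items() if k in wanted}


def pseudonymize(record: Dict[str, Any], key: bytes) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    Returns the pseudonymized record and a token -> original lookup table.
    The lookup table and the key are the additional information that must be
    stored separately, under their own access controls; without them the
    tokens cannot be linked back to a person, but records sharing an
    identifier still share a token, so they can be joined for analysis.
    """
    out = dict(record)
    lookup: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            value = str(out[field])
            token = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
            out[field] = token
            lookup[token] = value
    return out, lookup


def anonymize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Irreversible anonymization: drop direct identifiers and coarsen the
    quasi-identifiers (birthdate to decade, postcode to outward code)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birthdate" in out:
        year = int(str(out.pop("birthdate"))[:4])
        out["birth_decade"] = f"{year // 10 * 10}s"
    if "postcode" in out:
        out["postcode_area"] = str(out.pop("postcode")).split()[0]
    return out


def is_reidentifiable(record: Dict[str, Any]) -> bool:
    """Check helper: does the record still carry a direct identifier or a
    full birthdate / postcode?"""
    return any(f in record for f in DIRECT_IDENTIFIERS + ("birthdate", "postcode"))


if __name__ == "__main__":
    # Constructed key; in a real deployment it lives in a separate key store.
    key = b"constructed-demo-key-keep-this-separately"
    pseudo, lookup = pseudonymize(SAMPLE_RECORD, key)
    print("pseudonymized:", pseudo)
    print("lookup (store separately):", lookup)
    print("anonymized:", anonymize(SAMPLE_RECORD))
    print("minimized:", minimize(SAMPLE_RECORD, ["purchases"]))
```

The distinction the example makes is the one the GDPR draws: the pseudonymized record is still personal data, because whoever holds the key and lookup table can re-identify it, so those must be kept apart from the working data set; the anonymized record is not, provided the coarsening is strong enough that the remaining fields cannot single out an individual.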


What is Privacy by Default?

Privacy by Default means technical and organizational measures are in place so that personal data can only be processed for the purpose for which it was collected.

An example of this is to share personal data only with external parties using structured, encrypted protocols. For unstructured communications, such as email, chat, or file transfers, it is recommended to use a secure platform such as ZIVVER to safeguard against data mishandling, while also taking care of encryption, authentication, and logging.

How to Perform a Privacy Impact Assessment (PIA)

A PIA is only required when the processing carries a heightened privacy risk, for example in the case of profiling or when new technology is introduced.

Important assessment criteria for a PIA include:

    • Why and for what reason(s) is the collected personal data being used (and how is this warranted)?

    • How are the risks being eliminated or minimized?

    • Map out the privacy risks of the most sensitive processes. Do this for the introduction of new technology as well

    • Define and take measures to minimize the identified risks

    • Assess the effect of the measure taken and adjust if necessary

Looking for more information on how to become GDPR compliant?

Some studies have shown that nearly half of organizations are still struggling to comply with the GDPR, so if that sounds like where you work, you’re not alone. But where do you begin?

Our team of in-house experts has simplified this process for you in the form of our new, easy-to-follow Data Protection Compliance Guide, which includes a comprehensive GDPR checklist.

We’ve also included a list of ten questions that every data security professional should ask, plus what you can expect with UK data protection regulations post-Brexit, and what organizations can do now to prepare for any potential changes.

Written by

Kate O'Neill

Originally published on September 4, 2020

Last update on October 1, 2020