GDPR - Essential Information for IT Security Professionals

With the forthcoming introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018, there is now a definite move toward privacy by design, meaning organisations must build data security safeguards into their processes from beginning to end.

Organisations will become accountable for the Personally Identifiable Information (PII) they hold; they must know where it resides and how to secure it, both at rest and in transit.

So What Does This Mean for the IT Security Professional and the Organisation as a Whole?


Reporting of Data Breaches

Data breaches must be reported within 72 hours of being detected. Organisations are liable for any breaches, with penalties of up to €20 million or 4% of annual revenue, whichever is greater.

Data Protection by Design

Under GDPR, data protection and processing safeguards must become part of the DNA of all systems and processes, with data protection by design based on seven “foundation principles”:

  • Proactive, not reactive; preventative, not remedial.
  • Privacy is the ‘default’ setting.
  • Privacy is embedded into the design.
  • Full functionality: positive sum, not zero sum.
  • End-to-end security: full life-cycle protection.
  • Visibility and transparency: keep it open.
  • Respect for user privacy: keep it user-centric.