As is often a theme when implementing security and privacy measures in an organisation, harmony is the key element to achieving this successfully. Different areas of the business need to come together as one to implement a strong and secure culture of privacy. Privacy and security are fundamentally intertwined. IT security teams must consider the legal obligations when developing or implementing systems in order to ensure personal data is safe and legal and compliance teams should understand the capabilities of their systems to help find that balance that allows for safe technological advancement.
Standardisation mindset
We wouldn’t expect either business unit to completely understand the complexities of both privacy and security and therefore standardisation in approach and mindset could be key to helping the two elements come together. Working within a framework of rules and actions that remain constant and simple to follow could ensure successful growth and development while still remaining secure and compliant.
Uniting privacy and security
You can bring the two together by following a framework that begins by conducting a risk assessment prior to starting any new project. Use a common business language across the framework. Consider security framework certification, such as ISO standards, to help develop a language and culture that spans the organisation. Cross train departments to give each unit an opportunity to better understand the other. Legal and Tech are two sides of the same coin and need to train each other to determine how security can best be developed into technology. IT Teams will need to have an understand of the benefits of data - what we CAN do with it – as well as what we can’t do.
Privacy by design
The value of data protection is a hot topic right now and people are starting to understand the importance of data ethics and of incorporating privacy into development strategies. The notion to “shift left” in a privacy context is to ensure that sufficient efforts are applied by DevOps to guarantee application security at the earliest stages in a software development or implementation lifecycle. Implementing privacy by design.
“Privacy by Design” means nothing more than “data protection through technology design.” Behind this is the thought that data protection in data processing procedures is best adhered to when it is already integrated in the technology when created.
Privacy by design principles:
- • Proactive not reactive; preventive not remedial
• Privacy as the default setting
• Privacy embedded into design
• Full functionality—positive-sum, not zero-sum
• End-to-end security—full lifecycle protection
• Visibility and transparency – keep it open
• Respect for user privacy—keep it user-centric.
Collaboration is key
Collaboration between Tech and Legal is the first ingredient to a successful privacy by design strategy. Ethics, privacy and security must be considered by everyone when building a solution, developing a technology or implementing a new technical solution. Legal/Compliance and Tech departments must work together to understand both the end goal of the solution and the liability and responsibilities of the organisation.
These principles work in reverse as well. While IT Security Teams should understand the legislation and what is expected from a legal standpoint when implementing security controls, GDPR professionals and Data Protection Officers must be equally skilled in the fundamentals of IT security.