In September 2016, Yahoo was poised to be acquired by Verizon when it announced it had suffered the biggest data breach in history in 2014. Later the company estimated that 3 billion user accounts had been compromised. The buy-out went through, but the breach knocked approximately $350 million off Yahoo’s sale price. This is an example of the type of risks data protection impact assessments (DPIAs) are intended to prevent. What are DPIAs? They are one of the five essential strategies an IT department must enact to comply with the General Data Protection Regulation (GDPR). In our brave new world, personal data makes the world go round, so it must receive all the necessary protections by companies that deal in data.
Let’s take a look at the five strategies for IT departments and then dive deeper into each.
1. Data protection impact assessment (DPIA): Create data protection risk profiles and assess processing of sensitive data
2. Privacy by design: Build privacy into software design from the outset of a project
3. Privacy by default: Apply the strictest privacy settings for products and services
4. The right to be forgotten: Provide individuals with the right to have personal data removed or erased from company servers storing their data
5. Reporting a personal data breach to the Supervisory Authority: Have a response plan in place should a data breach occur
When an organization deals in personal data, the individuals whose data are being processed are exposed to risks, such as phishing attacks that result in stolen data or identity theft. A DPIA is a process by which an organization identifies the risks related to data processing and works to mitigate the risks. The GDPR mandates that DPIAs are in place for any data-processing activities that may result in a high risk to the privacy rights of the data subject. DPIAs make it less likely that a hacker will seize your credit card information and go on a virtual shopping spree on your dime.
All risks identified in the DPIA must be mitigated before any data processing can take place. If a DPIA identifies a risk that a company believes it cannot mitigate to control the risk, the company must consult with the relevant supervisory authority before processing any data.
Privacy by Design and by Default
The GDPR also requires that systems for processing personal data ensure that privacy is built into the design from the outset of a project. When planning for a software development project, security and privacy must be taken into account rather than waiting until the end phases of a project when the required specifications may be too time-consuming or expensive to fix. There should be no procrastinating when it comes to privacy by design.
In general, privacy and data protection must be considered when:
• Developing IT systems for storing, accessing, or processing personal data
• Designing new products or services involving personal data processing
• Designing policies or strategies with privacy implications
• Launching a data-sharing initiative
• Using data for new purposes
For privacy by default, the strictest privacy settings should automatically apply for products and services and no manual change to such privacy settings should be required on the part of the user.
For example, if a customer signs up for a service with a profile on a social media site, the standard profile should show the minimum information required and not add additional elements, such as age and location. In other words, it’s good news if they’re trying to pass for 30 when they’re really 44 on their favourite social media site.
The Right to Be Forgotten
The right to be forgotten gives individuals the right to have personal data removed or erased from company servers storing their data. Once the original purpose or use of the customer data has been realized, your customers can request that you permanently erase their personal data.
Notifying the Supervisory Authority of a Data Breach
If your company falls victim to a data breach, you have just 72 hours to report the incident to the GDPR supervisory authority and your customers. Data breaches are any security incidents where personal data has been lost, stolen, or accessed by unauthorized third parties. In fact, if the data breach is likely to adversely affect individuals’ rights and freedoms, the regulation recommends you inform the affected parties even sooner.
The GDPR raises the bar on handling consumer data and challenges IT departments to have air-tight data protection measures. If your IT department enacts the five essential strategies for complying with the General Data Protection Regulation, your company will be well-positioned for the brave new world of data as valuable currency.