In this Help Net Security interview, Bojan Belušić, Head of Information Security & IT Operations at Microblink, discusses the relationship between Privacy by Design and regulatory frameworks like GDPR. Integrating privacy principles from the outset of product and process development ensures compliance and enhances efficiency and effectiveness.
He also addresses common challenges organizations face, particularly those with legacy systems, while advocating for a culture of awareness and continuous improvement in privacy and security practices.
Belušić is one of the speakers at the DEEP Conference, a CISO-focused event, taking place later this month.
Can you explain the relationship between Privacy by Design and regulatory frameworks like GDPR?
Privacy by Design is a principle in product and process development which aims to implement privacy requirements like data minimization, transparency, consent, retention and deletion from the start. It is one of the key requirements of the GDPR (data protection by design), like lawfulness of processing and data accuracy, integrity and confidentiality. Although this is something explicitly referenced in the GDPR and is an obligation for data controllers in the EU area, it is still rarely done in practice.
Implementing Privacy by Design and Security by Design from the start of the project makes related requirements much cheaper and more time-efficient as opposed to implementing those requirements once the project is done. It also ensures a higher quality of the implementation which, in turn, reduces the probability of incidents, and the consequences of those incidents. That’s why organizations should invest more in applying these principles.
In your experience, what are the common challenges organizations face when trying to implement Privacy by Design, especially when dealing with legacy systems?
Organizations still have a lot of prejudice when discussing principles like Privacy by Design, which comes from a lack of knowledge and awareness. A lot of organizations which are handling sensitive private data have a dedicated Data Protection Officer only on paper, and the person performing the role of the DPO is often poorly educated and misinformed regarding the subject. Companies underwent a shallow transformation and defined the roles and responsibilities when the GDPR was put into force, often led by external consultants, and now those DPOs in the organizations are just trying to meet the minimum requirements and hope everything turns out for the best.
Most of the legacy systems in companies were ‘taken care of’ during these transformations, impact assessments were made, and that was the end of the discussion about related risks. For adequate implementation of principles like Privacy by Design and Security by Design, the whole organization has to be aware that this is something that has to be done, and support from all the stakeholders needs to be ensured. To implement Privacy by Design correctly, privacy risks need to be established at the beginning, but also carefully managed until the end of the project, and then periodically reassessed. This is something that should also be done in legacy systems, and especially for major changes to those legacy systems.
Privacy by Design and Security by Design are often compared. Can you elaborate on how these concepts intersect and where they differ in focus and implementation?
Privacy by Design and Security by Design are often intertwined, and by implementing one of those principles you will certainly be working on the other, too. Security by Design is a principle that approaches system and software design and implementation with security measures embedded from the start and throughout the whole development lifecycle, and not as some subsequent test-and-patch exercise. Both of those principles start with a risk assessment, but one is more focused on the confidentiality of personal data and data subject rights, while the other is generally concerned with the confidentiality, integrity and availability of all data and related systems.
Some of the requirements and related measures for each principle overlap, like least privilege, need-to-know access, data encryption, and audit logging. Nevertheless, there are fundamental differences, as Privacy by Design is more of a legal question, focused on processes and procedures, while Security by Design relies much more heavily on the technical implementation of measures, like encryption, authentication, input validation and error handling.
Can you share some best practices for smaller organizations or startups looking to incorporate Privacy by Design into their operations?
As I already mentioned, implementation of Privacy by Design depends on having a strong and well-educated Data Protection Officer and support from top management, which will then ensure these requirements are discussed adequately throughout the organization. The DPO then has to invest a lot of time in raising awareness in the organization and making sure that they will be included and consulted every time a system or a process which is handling personal data is being changed in some way.
Startups and scaleups tend to be more open to accepting certain risks, especially those which rely heavily on large datasets, such as companies working on AI projects. Those organizations need to be aware that putting privacy and security risks aside at the beginning makes them much harder to resolve later in the future. Correcting mistakes made years ago can be a difficult or even an impossible task.
What advice would you give companies on staying proactive with Privacy by Design to avoid being reactive to regulatory changes or data breaches?
The answer to this question is the same with regard to both Privacy and Security by Design: investing in education and raising awareness. Both DPOs and CISOs need to put effort into educating themselves, and then disseminating the information about risks and best practices to top management and their colleagues in all parts of the organization. I would suggest that everyone use all of the tried and tested best practices and standards they have at their disposal, like ISO 27001 and 27701, or OWASP ASVS.
I would also recommend that everyone in this field engage the organization as much as possible, discuss privacy and security risks constantly, share related information throughout the organization, and generally push themselves to be a few steps ahead of the curve.