Privacy and Security by Design as the Key Requirement of GDPR
Benefits of Privacy and Security by Design
Even before GDPR, the need to integrate the Privacy and Security by Design approach into the software development process had become an urgent matter, calling for quick action.
On the one hand, this is a direct result of a sharp increase in the scale of digitalization, since the volumes of critical data processed by unprotected IT systems have grown dramatically. On the other hand, there is a significant escalation in the complexity and variety of cyberattacks performed on a global scale.
By integrating the Privacy and Security by Design approach into their development processes, businesses can expect a substantial increase in the security level of data processed by any IT system.
Following the Privacy and Security by Design approach in software development fundamentally lowers the risk of security incidents and reduces the likelihood of data breaches, losses, and corruption. Consequently, businesses may benefit from lower reputational risk and avoid the risk of penalties and fines, as well as unexpected expenses on disaster recovery, maintenance of supplied solutions, etc.
Besides lowering the abovementioned risks, applying the Privacy and Security by Design approach helps ensure that IT systems comply with modern privacy and data safety requirements. In this way, the approach helps businesses keep their competitive edge and strengthens their readiness to comply with the requirements of ever-changing software development markets.
Adaptation Challenges and Findings
As a long-term security service provider, Infopulse has been continuously improving its own competence in Privacy and Data Protection by Design and successfully implements this approach in our projects. Our expertise and experience have proven to be invaluable for GDPR compliance implementation. Infopulse is already working with our suppliers, clients, and partners on adapting and implementing these practices.
One of the toughest challenges we encountered is related to possible masking methods, the specifics of anonymization and tokenization, and ensuring personal data privacy in Big Data projects. Infopulse is currently researching the most effective solutions to these and other issues, many of which we will demonstrate at CeBIT 2018.
A Catalogue of Guides for GDPR Implementation
In this respect, we have assembled our own collection of Guides, Recommendations, and Books for Privacy and Data Protection by Design that might help you implement GDPR compliance in your software development activities.
We are happy to share some of our findings with our clients, partners, friends, and anyone interested. The list below, presented by Infopulse security experts, includes the most important recommendations and guides in terms of European and world standards, with links included to the related websites.
At the same time, considering the importance of (and even the indispensable need for) implementing the abovementioned approach in all software development projects, Infopulse urges businesses to create and maintain their own Catalogue for implementing the “Privacy and Security by Design” approach, making it available to all internal specialists.
Standards and Guides for Software Development Compliance with GDPR
Norwegian Data Protection Authority (DPA)
European Union Agency for Network and Information Security (ENISA)
- Privacy and Data Protection by Design Report – from policy to engineering, 2014
- Risk Management – Principles and Inventories for Risk Management / Risk Assessment methods and tools, 2006
- Cloud Computing Risk Assessment, 2009
UK Information Commissioner’s Office (ICO)
- Privacy by design resources
- Guides to Data Protection – Anonymization
- Anonymization Code Of Practice
Personal Data Protection Commission (PDPC) of Singapore
Information Security Forum (ISF)
Microsoft
- Security Development Lifecycle (guide and resources)
- The security development lifecycle, 2006 (book)
USA NIST
- SP 800-64 Security Considerations in the System Development Life Cycle
- SP 800-115 Technical Guide to Information Security Testing and Assessment
- SP 800-30 Rev. 1 Guide for Conducting Risk Assessments
International Organization for Standardization (ISO)
- ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
- ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls
- ISO/IEC 27005:2011 Information technology – Security techniques – Information security risk management
- ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts
Open Web Application Security Project (OWASP)
- Application Threat Modeling
- Code Review Guide
- Secure Coding Practices Quick Reference Guide
- Secure Coding Practices Checklist
- Testing Guide
- Application Security Verification Standard
- Software Assurance Maturity Model
CMU Software Engineering Institute (SEI)
Expert GDPR Consulting and Implementation Services
Infopulse conducts workshops and offers consulting services on various aspects of GDPR implementation and compliance.
We also help companies apply Privacy and Security by Design on any scale, from covering the whole software development lifecycle to focusing on specific aspects of this approach, and we conduct training and workshops on this matter.