“Every man I meet wants to protect me. I can’t figure out what from.” ― Mae West
If only we lived in an online world where nobody wished you harm. The (soon to be enacted) General Data Protection Regulation seeks to protect us all from the unknown or unseen perpetrator wishing us harm, and for organisations to comply with the Regulation they will need to prove that their systems and processes protect our data by design and by default.
The Regulation (Article 25) calls for your organisation – the Data Controller – to “both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures” which are “designed to implement data-protection principles, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”. The same article names pseudonymisation as an example of such a measure and data minimisation as an example of such a principle. So, to paraphrase Mae West, we still can’t figure out from whom or what, but we definitely need to be protected.
Whilst this may be one of the shorter statements in the regulation, it is undoubtedly one of the most complex to comply with.
Mitigating the impacts of a data breach
Today, and historically, we have wrapped databases and content repositories with layers of network security and firewalls. A few have taken the further step of encrypting core structured data (which is far harder for unstructured content), but encryption at rest still does nothing to address the other measures the Regulation asks for, such as ‘anonymisation or pseudonymisation’ (separating the data from the person it identifies) and ‘data minimisation’ (processing only the data the purpose actually needs and removing all unnecessary detail). The distinction between the first two matters in practice: pseudonymised data can still be attributed to a person using additional information held separately, so it remains personal data under the Regulation, whereas properly anonymised data falls outside it altogether.
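The two measures named above, pseudonymisation and data minimisation, are straightforward to show in code. The following Python is an added example and is not code from the original article or from Project One; the field names, the sample records, the generalisation rules and the way the key is handled are assumptions for illustration. It keeps only the fields a downstream process needs, replaces direct identifiers with keyed tokens (HMAC-SHA256, so that the tokens cannot be rebuilt from a list of known e-mail addresses without the key), and coarsens quasi-identifiers such as date of birth and postcode.

```python
import hashlib
import hmac
import secrets

# Fields the downstream process actually needs (data minimisation): anything
# not listed is dropped before the record leaves the controller's store.
# Field names and sample records in this file are constructed for the example.
ALLOWED_FIELDS = {"customer_id", "email", "postcode", "date_of_birth", "order_total"}

# Direct identifiers that must not appear in clear text downstream.
PSEUDONYMISE_FIELDS = {"customer_id", "email"}


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed token.

    HMAC-SHA256 rather than a bare hash: someone holding only the pseudonymised
    data cannot regenerate tokens from a list of known e-mails or customer IDs
    (a dictionary attack), which a plain SHA-256 would allow. The same value
    always maps to the same token, so records stay linkable for analysis.
    Re-identification needs the key, which belongs in a separate store with
    its own access control (the 'additional information' of GDPR Art. 4(5)).
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def generalise(field: str, value: str) -> str:
    """Coarsen quasi-identifiers that are needed, but not at full precision.

    The rules here are assumptions for the example: year of birth is enough
    for an age band, and the outward postcode is enough for a region.
    """
    if field == "date_of_birth":   # "1984-03-17" -> "1984"
        return value[:4]
    if field == "postcode":        # "SW1A 1AA" -> "SW1A"
        return value.split()[0]
    return value


def minimise_record(record: dict, key: bytes) -> dict:
    """Apply minimisation, pseudonymisation and generalisation to one record."""
    out = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue                         # data minimisation: drop the field
        if field in PSEUDONYMISE_FIELDS:
            out[field] = pseudonymise(str(value), key)
        elif isinstance(value, str):
            out[field] = generalise(field, value)
        else:
            out[field] = value
    return out


def minimise_batch(records: list, key: bytes) -> list:
    """Process a batch; the shared key keeps tokens consistent across records."""
    return [minimise_record(r, key) for r in records]


if __name__ == "__main__":
    # Constructed sample data. In a real system the key is generated once,
    # kept in a secrets store, and never written alongside the output.
    key = secrets.token_bytes(32)
    raw = [
        {"customer_id": "C-1001", "email": "Alice@Example.com", "full_name": "Alice Smith",
         "postcode": "SW1A 1AA", "date_of_birth": "1984-03-17", "order_total": 42.50,
         "card_number": "4111111111111111"},
        {"customer_id": "C-1001", "email": "alice@example.com", "full_name": "Alice Smith",
         "postcode": "SW1A 1AA", "date_of_birth": "1984-03-17", "order_total": 17.25,
         "card_number": "4111111111111111"},
    ]
    for row in minimise_batch(raw, key):
        print(row)
    # Both rows carry the same email token (case and whitespace are normalised),
    # so the analyst can still link one customer's orders; full_name and
    # card_number never leave the controller's store.
```

Note that the output is still personal data in the Regulation's terms as long as the key exists, because the controller can reverse the mapping; destroying the key and the original identifiers is what would move the data towards anonymisation, and whether the generalised fields alone could still single someone out is a question the design has to answer for the actual dataset.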
‘By design and by default’ are core components of the Regulation, and failing to address them while relying on historically insecure and insufficient technologies will be no defence when you have a data breach. And be under no illusion – you WILL have a data breach… at some point. If privacy is embedded ‘by design and by default’ then you will be in a position to limit what a breach exposes: less data is held in the first place, and what is taken does not identify anyone directly.
Innovative organisations seeking to maximise the opportunity that GDPR presents are scrutinising every aspect of what they currently do and, more importantly, what they could do and what tools and capabilities are available, and are working to embed ‘by design and by default’ at the centre of everything they do.
Data protection ‘by design and by default’ is easy to overlook and very hard to do. We all know that change is difficult, and this particular change is especially so. But ignorance is no defence.
Talk to Project One to understand what you could do, should do and ought to be doing. Or, in deference to Mae West, perhaps we should say “why don’t you come up sometime and see me?”. And just in case you’re wondering, no, I don’t think we’re related.