Digital transformation cannot and will not be stopped: there are 600,000 new internet users every day. But as the number of people streaming content, shopping, working and gathering online continues to grow, so does the opportunity for a data breach. Every time we create a new account, send payment information or even just check our email, there is risk involved. So what can be done to keep our data safe?
It starts from the ground up. Businesses have a responsibility to ensure that they are doing their part to build safe, secure products. CISOs need to work closely with product owners within the business and help them understand the importance of designing products that feature data protection by design.
Here are 10 critical privacy considerations:
- Minimization – only collect and use the minimum amounts of personal data required to achieve the desired outcomes (This should be the Primary Rule!)
- Purpose of processing – be very clear about the purpose(s) for which you are processing personal data. Make sure these purposes are both lawful and carried out fairly. This is especially important where any special category data or other sensitive data may be used.
- End-to-end security – how will data be secured both in transit (in and out of the app, service or product) and when it’s at rest?
- Access controls – ensure access to data is restricted to those who need it for specific business purposes, and that the level of access (e.g., view, use, edit) is appropriate for each user group.
- Default settings – aim to create proactive, not reactive, measures to protect the privacy of individuals; for example, require a user to check a box to opt into something of interest rather than having to uncheck a box that is already checked.
- Data sharing – will personal data be shared with any third parties? If so, what will the lawful basis be for sharing this data?
- Transparency – have we notified individuals of this new processing? (Remember, this may include employees as well as customers.) If we’re using AI, can we explain the logic behind any decisions that may affect individuals? Have people been told where and with whom their data will be shared?
- Information rights – make sure processes are in place to handle information rights. For example, can data be accessed to respond to Subject Access Requests? Can data be erased or rectified?
- Storage limitation – appropriate data retention periods should be set and adhered to, taking into consideration any laws that may apply.
- Monitoring – what monitoring will or needs to occur at each stage to protect data?
Involving development and product managers early, and keeping them well-informed with these considerations in mind, helps produce better and more secure products that support individuals’ right to privacy.
And finally, committing to having processes and policies in place that provide guidance on security, and having them externally validated through certification such as Cyber Essentials, gives a level of assurance not only externally but internally, among your workforce.
With all of the places we engage with every day for work and during personal time, it’s critical for every company to keep security top of mind. We hear about data breaches consistently in the news, and taking these proactive steps can help mitigate risks for your employees, customers and partners. Let’s focus our goals for 2022 on cybersecurity. Feel free to reach out to me on social media with questions.