The Privacy by Design framework (PbD) was first introduced by Dr Ann Cavoukian, Information and Privacy Commissioner of Ontario, in the 1990s. PbD “… advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”
The seven foundational principles of the framework are:
- Proactive, Not Reactive; Preventative, Not Remedial: Anticipate and prevent privacy breaches before they occur
- Privacy as the Default Setting: Consent for sharing a user’s data should not be assumed
- Privacy Embedded into Design: Not to be coded as a plug-in
- Full Functionality — Positive-Sum, Not Zero-Sum: Security and privacy should be considered two sides of the same coin, and users must experience full application functionality
- End-to-End Security — Full Lifecycle Protection: Full protection from collection to deletion
- Visibility and Transparency — Keep it Open: Ensure security practices can stand up to public scrutiny
- Respect for User Privacy — Keep it User-Centric: For instance by offering strong privacy defaults, appropriate notice and empowering, user-friendly options
The General Data Protection Regulation (GDPR) requires applications are built, and personal data is stored, within a PbD framework – i.e. privacy by default – framework with a view to protecting user data. While a European Union (EU) regulation, it is extraterritorial and has implications for anyone that does business with Europe.
In this article, we will look at how businesses can use the PbD framework to ensure their systems comply with the GDPR.
GDPR is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). The principles (some controversial) behind GDPR have evolved since January 2012 when the European Commission (EC) proposed (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Penny Hoelscher. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/jHqu_MjD-0U/