
Tuesday, 12 June 2018

Six guidelines for privacy by design: Trend Micro

With GDPR now in force, privacy must be top of mind from the outset of any plan or project involving personal data, says Trend Micro, specifically around what personal data is being collected, and what it is used for.

According to the company, some organisations are collecting more data than they need, and using it for purposes not clearly outlined for the user. One way to avoid this situation is through data minimisation — collecting only what is needed from customers, using the data for only the purposes agreed to by the user, and adhering to appropriate data retention policies or deleting the data once the purpose has been served.

Anonymising data, on the other hand, makes personal data incapable of directly identifying an individual. The only way it can be linked to a unique individual is by combining it with other pieces of data stored and protected separately. This allows organisations to continue processing personal data and providing services to customers, while protecting their right to privacy.

In addition to categorising the data they collect and mapping its flow, organisations should embed privacy controls at each layer of the infrastructure, down to applications used, Trend Micro said.

Design guideline suggestions include:

- Enforce strict authentication and authorisation mechanisms on devices and applications to verify who can access data.

- Impose strict access policies, for example by setting up remote access through virtual private networks (VPNs), putting up firewalls, and ensuring that any libraries or databases connected to apps are secure.

- Build layered privacy into applications. Teams should strengthen encryption and secure an app’s network connections. Some apps can also benefit from application containerisation, where apps are deployed in a contained environment, like virtual machines.

- Secure the cloud. Properly configuring servers is one step; limiting accessibility and installing the proper solutions are also important. Enterprises should have a cross-generational blend of threat defense techniques as cloud protection, including protection against network and application threats, detectors for malicious activity, and also security for connected systems.

- Carry out privacy impact assessments (PIAs) on data processing and collection activities, so that appropriate responses can be developed ahead of time.

- Invest in privacy education and awareness programs for employees.
