You should have noticed it. Privacy is still an issue in the digital world. A bit strange, since there are only 25 days left until the new EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union. This regulation is an important change in data privacy regulation for every company that deals with EU individuals. The new GDPR rules have been known for several years, so implementation and adoption of these regulations should already be finished for all organizations that are affected. But some things are not changed overnight, and this abstract regulation is not well known by business owners. So a lot of (new) companies are trying to scare you and are aggressively selling magic solutions, supposedly for your own benefit, so that you do not have to worry about this new regulation or the risk of penalties when you do not apply the regulation correctly in your organization. However, make sure you do not get cheated, misinformed or scammed. There is no easy magic solution to meet privacy regulations.
Privacy, security, the Internet and IT systems are complex and form a toxic mix. Many things can and will go wrong. Often it is just a matter of time before real incidents happen. Since detection of privacy and security breaches is also non-trivial to accomplish, there is a great chance you will never know that your data has been seen or copied by unauthorized persons. Privacy is a core value of individuals in democratic societies.
So a valid question is: Will this new GDPR help? Or will companies or governmental organizations still be able to track and trace you? The official GDPR document (called Directive 95/46/EC) is 261 pages long. Even for trained security & privacy architects this GDPR document is hard to handle, mainly because lawyers did a great job of making it opaque what kind of measures are really needed. Since every organization uses IT nowadays, the GDPR is discussed a lot. But instead of discussions and writing philosophical reflections on the subject of privacy, we are searching for and developing a better reference architecture for privacy: one that does privacy well from the start and is resilient to change. Good systems are designed using principles. And since security and privacy can never be done correctly afterwards, you must design or redesign your information systems with security and privacy as top requirements to reduce risks. Below are some simple design rules to do privacy by design well from the start:
- No security = no privacy. Dead simple. You can never do privacy correctly if security is hardly implemented.
- Use an open design. Security and privacy should not depend on secrecy of the design and implementation. This applies to your core IT systems, but also to your control and management systems. So go for real openness.
- Defensive data collection. Only collect data that is really needed. Limiting data collection and (long-term) storage reduces the risk of data leakage.
- Reduce IT complexity. Besides high costs for maintenance and change, complexity can lead to severe risks that impact security, privacy and safety for humans. See the 0complexity RFC.
More principles can be found here. One issue that makes the GDPR hard to handle is that other laws, norms and social norms are also part of the architecture process when creating IT systems. Since more data most of the time makes IT systems far more usable, user friendly and valuable, there can be tension between business goals and privacy requirements.
This blog post will be added (after a rewrite) as an extension to the ‘Open Reference Architecture for Security and Privacy’. We are working on a renewed version. Please join us!