privacy by default Archives - TechGDPR https://techgdpr.com/blog/tag/privacy-by-default/ Wed, 11 Jun 2025 12:03:19 +0000

Why should software developers care about GDPR compliance? https://techgdpr.com/blog/software-developers-and-gdpr-compliance/ Wed, 14 Feb 2024 14:27:29 +0000

The post Why should software developers care about GDPR compliance? appeared first on TechGDPR.
Software developers often see GDPR compliance as a blocker, because they are left to figure out what personal data is and how to maintain compliance. In a recent study by Alhazmi and Arachchilage, software developers cite multiple reasons that make approaching GDPR compliance tricky, including a lack of clear implementation best practices, a lack of familiarity with the legislation and a lack of guidance. Understanding what to look for and what to prioritize is likely the first hurdle. There are many reasons why software developers should take privacy seriously and ensure regulatory compliance such as GDPR compliance, and they play a key role in achieving it.

GDPR compliance as a market differentiator 

Companies serious about GDPR compliance understand its role in maintaining their market position. Those who are proactive are quicker at placing themselves on a purchaser’s list of adequate suppliers. When processing data from people in Europe, the GDPR applies. It forces an organization to implement measures and maintain records of compliance. Even if an organization is not currently processing that data, building in regulatory compliance early supports future collaborations and partnerships with larger organizations and ensures the trust of product users.

Whether a software developer operates in a B2C, B2B or B2B2C context is irrelevant: the processing of personal data anywhere on that chain of services needs to comply with GDPR requirements. Achieving and maintaining compliance therefore makes an organisation a supplier that implementing clients will consider. For instance, a software developer at a small start-up is able to integrate fundamental privacy by design and default principles into their design, which includes practices such as implementing end-to-end security, hashing, and other cryptographic measures.

Transparency makes the product more competitive if it is to be implemented through partnerships or sold as a SaaS. Procurement negotiations might still bring up specific questions and feature requests to be added to the agreements your organization signs as a vendor. By prioritizing compliance, any solution developed is more likely to remain on the list of suppliers worth considering especially if the negotiation deals with business in the EU. Implementing privacy preserving design features allows an organization the competitive edge of transparency.

Major fines

Tech giants such as Facebook, Google and Amazon regularly face severe fines for non-compliance. These fines are essentially caused by deliberate ambiguity in their data processing and in how they fulfil their transparency requirements. Worse, they disregard their data controller obligations and get fined for a combination of hidden processing practices and implemented dark patterns. In May 2023, Meta was hit with a 1.3 billion euro fine for lack of GDPR compliance, the largest fine to date. Amazon received a 746 million fine in 2021 for failing to collect user consent for advertising. When companies get fined, several factors come into play, potentially including their willingness to cooperate and implement corrective actions. A constant factor, however, is lack of transparency, misleading patterns and a lack of legitimization of processing.

However, most businesses are small-to-medium-sized enterprises (SMEs), a term the European Commission defines as a company with fewer than 250 employees. For an SME, GDPR compliance is harder to achieve due to proportionally reduced resources or access to expertise. Therefore, if an SME is able to achieve compliance, it recovers the competitive advantage over larger players that it loses on operational costs. Tech giants are consistently pressured to maintain compliance due to their increased visibility. Compliance, when managed efficiently, is therefore a defining competitive advantage for smaller companies.

GDPR compliance as a political or social issue 

When tech-savvy individuals go online, they tend to protect their own privacy by using strong passwords, increasingly using MFA where available, or using pseudonyms and single-use email addresses where possible. With the help of a few high-profile breaches and updates to app marketplace practices and communication strategies, the average user has become more aware of online privacy risks. Software developers tend to follow security best practices in their own use of software and apps and, as a result, are particularly well suited to understand the need for security. They are also specifically instructed to implement strong security practices and privacy design patterns, such as content security policies for websites. As creators of technology, software developers have an ethical responsibility to protect the privacy of individuals and empower them to use their software or services more privately.

By implementing design best practices such as minimizing cookies, requiring MFA, encrypting user data and taking a privacy by default approach to design, designers create privacy-preserving environments. While the expectation might be that less tech-savvy individuals show relative indifference about their own privacy, one study, entitled Caring is not enough: the importance of Internet skills for online privacy protection, argues that even if people do care, they also need to be educated on how to protect their own privacy. It is not uncommon to feel helpless protecting one’s own data or safely using the internet. Typically, a lot of the burden for security falls, wrongfully, on the individual.

Should the average user be expected to know how to make use of encryption to feel safe online? 

For many, cookie banners are annoying interfaces, easily brushed away by clicking the “Accept all” button. Configuring a cookie banner so that it does not set non-essential cookies by default makes the organization compliant on that requirement and gives users a real choice. Among other principles, privacy by default also requires the developer to ensure that the most private settings are applied by default. Software designers familiar with ePrivacy requirements are able to notify the marketing team that silent opt-ins are illegal in the EU. This allows the organization to discuss whether to design for compliance or to accept the risk. In accepting the risk, an organisation increases user distrust for the benefit of tracking, profiling and advertising KPIs.
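As an added example (not code from the TechGDPR post), the consent logic such a banner needs: every non-essential cookie category starts denied, only an explicit user action changes that state, and scrolling, timeouts or dismissing the banner leave the default untouched. The cookie names, categories and the in-memory cookie jar are constructed for the example.

```javascript
// Added example, not from the original post: consent-gated cookie handling.
// Only "essential" is exempt from consent; the rest start denied.
const NON_ESSENTIAL = ["analytics", "marketing"];

// Privacy-by-default starting state: strictly necessary cookies only.
// `recorded` stays false until the user has actually made a choice.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, recorded: false };
}

// Transition the consent state on a banner event. Only explicit actions
// change anything; every other event type is deliberately a no-op.
function onBannerEvent(state, event) {
  switch (event.type) {
    case "accept_all":
      return { essential: true, analytics: true, marketing: true, recorded: true };
    case "reject_all":
      return { essential: true, analytics: false, marketing: false, recorded: true };
    case "save_choices": {
      // Per-category toggles; a missing or non-boolean value means "not ticked".
      const next = { essential: true, recorded: true };
      for (const c of NON_ESSENTIAL) {
        next[c] = Boolean(event.choices) && event.choices[c] === true;
      }
      return next;
    }
    default:
      // "scroll", "timeout", "close", ...: a silent opt-in is not consent.
      return state;
  }
}

// Cookie catalogue for a hypothetical site (constructed for this example).
const COOKIE_CATALOGUE = [
  { name: "session_id", category: "essential", value: "s-123" },
  { name: "_analytics_uid", category: "analytics", value: "a-456" },
  { name: "_ad_tracker", category: "marketing", value: "m-789" },
];

// In-memory cookie jar so the logic runs outside a browser; in a page you
// would back the same two methods (set/remove) with document.cookie.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  remove(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()].sort(); }
}

// Reconcile the jar with the consent state: set cookies whose category is
// allowed and delete any cookie already present whose category is not.
function applyConsent(jar, consent) {
  for (const cookie of COOKIE_CATALOGUE) {
    if (consent[cookie.category] === true) jar.set(cookie.name, cookie.value);
    else jar.remove(cookie.name);
  }
  return jar.names();
}

// Walk through a typical session (constructed sequence of banner events)
// and return the cookie names present after each step.
function demo() {
  const jar = new MemoryCookieJar();
  let consent = defaultConsent();
  const timeline = [];
  timeline.push(applyConsent(jar, consent));                   // first page load
  consent = onBannerEvent(consent, { type: "scroll" });        // ignored
  timeline.push(applyConsent(jar, consent));
  consent = onBannerEvent(consent, { type: "accept_all" });    // explicit opt-in
  timeline.push(applyConsent(jar, consent));
  consent = onBannerEvent(consent, { type: "save_choices", choices: { analytics: true } });
  timeline.push(applyConsent(jar, consent));                   // marketing cookie removed
  return timeline;
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```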

As digitization continues, selling user data or mishandling personal information has become pervasive in the tech field, without much regard to the significance of this action. It has become regretfully normalized even though it is against the GDPR. This is likely due in part to many companies operating solely within the US, which at the moment has no federal law comparable to the GDPR. Regardless, this precedent is pervasive.

People should have the right to use and access the internet and software related tools/services without being seen as a commodity. Through the use of tracking elements and abuse of consumer metrics, individuals are becoming commodified and sold as such. This should not be the case where individuals can be so easily manipulated and tracked through their actions online. When software developers prioritize GDPR compliance, they are able to help prevent the commodification of individuals by their company. 

GDPR compliance in software development as an intellectual challenge

It is easy to do things in an insecure manner. It would be easier to pick up one’s phone and text people without a password, but most individuals have a password on their phone to stop strangers accessing the content on their device. The easiest solution, therefore, is not always the best solution. This stems from the common dilemma of convenience versus privacy that one is confronted with daily. Instead of seeing this as an issue, one should frame it as a challenge: an issue bears the connotation of an obligation or nuisance, whereas viewing compliance as an intellectual challenge of how to protect others makes it more intriguing and fun to solve.

Individuals are motivated either intrinsically or extrinsically. When a supervisor informs a developer that they must make the system compliant with the GDPR, that is the definition of an extrinsic motivator, as it is external; intrinsic motivation, however, is a powerful and compelling motivator, and is part of the reason computer games are fun to learn.

An intellectual challenge has a better and more enthralling connotation. This idea has been theorized since the 1950s and academics have postulated through research that intrinsic motivation is correlated with how challenging the activity is. Considering those who have a background in computer science are confronted with technical issues and problems to solve all the time, compliance is best viewed as an intellectual challenge to avoid the easiest solution but create the most secure solution. 

Concluding thoughts 

Compliance is the law. As a software developer, one will likely need to work to implement or maintain compliance with the GDPR. It is easy to see it as a tedious endeavor handed down by a higher-up who might not necessarily understand the ramifications of the technical assignment they are bestowing. Instead, one should view the GDPR through an intrinsically motivated lens, as an intellectual challenge to protect the rights of individuals. There are other reasons why a software developer should care about the GDPR, including but not limited to securing contracts and helping others with less knowledge of proper internet privacy practices.

The joy of the internet and technology should benefit and be enjoyed by all individuals, regardless of their technical background and without the fear of losing their rights. The question should not be “does one engage with technology and in doing so give up their right to privacy?”; rather, the burden should fall less on technically inexperienced users, and privacy should be built into technology inherently.

If you are interested in taking your GDPR knowledge to the next level, dive into TechGDPR’s specialized training for developers. This course is designed to equip you with the skills and understanding needed to navigate GDPR compliance within your projects. It will help you ensure your software is up to standard and gain a competitive edge. Discover more and enroll today at GDPR for Developers – Online Course.

Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement https://techgdpr.com/blog/data-protection-digest-01092023-financial-data-misconducted-learning-platforms-and-algorithmic-disgorgement/ Fri, 01 Sep 2023 08:50:15 +0000

The post Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement appeared first on TechGDPR.
This issue highlights financial data processing, the EU Digital Services Act taking effect for large online operators, and the US FTC’s successful use of “algorithmic disgorgement” in its enforcement.

Legal processes

Financial data: The EDPS discussed recommendations to encourage data sharing to extend the range of available financial services and products, while also giving people or organisations control over the processing of their financial data. Individuals and organisations, according to the proposals, would govern access to their financial data using dashboards offered by financial institutions. Individuals would be able to monitor, limit, or authorize access to their information. Users should be supplied with comprehensive, accurate, and unambiguous information about the financial service provider asking for access to their data. It should also disclose the type of product, payment, or service for which an individual’s data will be utilized, as well as the categories of data required.

Digital Services Act: The Digital Services Act took effect for large online operators serving in the EU on 25 August. 19 platforms and search engines with at least 45 million users must comply with stricter rules concerning data collection, privacy, disinformation, dark patterns, online hate speech and more. This includes a ban on targeted advertising to minors based on profiling, and a ban on targeted advertising using special categories of personal data, such as sexual orientation or religion. Online platforms will be required to redesign their systems and prove to the European Commission that they have done so (including publishing their risk assessments). Additionally, vetted researchers can access the data of those services to conduct analyses on systemic risks in the EU. Smaller platforms will be subject to the same regulation beginning in 2024. They will, however, be supervised by national agencies rather than Brussels.

Cybersecurity and risk assessment in California: The California Privacy Protection Agency (CPPA) has published its proposed Cybersecurity and Risk Assessment Audit Regulations. According to the CPPA, the official rulemaking processes for cybersecurity audits, data protection risk assessments, and automated decision-making technologies have yet to begin; these drafts are intended to support board deliberations and public participation. They provide standards for service providers and contractors, assisting organisations in meeting audit compliance. The regulations state that every business whose processing of personal information potentially poses a serious risk to consumers’ security must conduct an audit annually. They also describe the components to be evaluated and the measures to be taken, as summarized by digitalpolicyalert.org.

EU-US Data Privacy Framework: Almost all transfers of personal data to US-based companies that have committed themselves to the certification mechanism are covered by the EU-US Data Privacy Framework, explains the Bavarian state data protection commissioner. However, for transfers of personal data collected in the context of an employment relationship (‘HR data’), the US business must explicitly state this in its certification. Particular attention must also be paid to onward transfers, for example if the US processor working for the EU data exporter transmits the personal data to a sub-processor in another third country: the US adequacy decision cannot apply in this situation.

Official guidance

‘Freedom of Information’ and data protection: Guernsey’s data protection commissioner discusses Freedom of Information requests that recently caused some of the most extraordinary data breaches (e.g. when details of thousands of police and civilian personnel employed by the Police Service of Northern Ireland were released in error). Freedom of Information generally refers to the right of citizens to access information held by public authorities. In reality, this information will often include personal data about individuals, whether staff, citizens or other individuals the public authorities are in contact with. The rights of all individuals must be considered before any disclosure. If you are a data controller, you must understand your legal obligations concerning data subjects’ rights and have appropriate policies and procedures to ensure they are dealt with properly.

Biometric data: Meanwhile the UK Commissioner’s Office is currently consulting on draft guidance on biometric data. This guidance explains how data protection law applies to organisations that use or are considering using biometric recognition systems or vendors of these systems. At a glance:

  • You must take a data protection by design approach when using biometric data.
  • You should do a data protection impact assessment before you use a biometric recognition system. This is because using special category biometric data is likely to result in a high risk.
  • Explicit consent is likely to be the only valid condition for processing available to you to process special category biometric data.
  • If you can’t identify a valid condition, you must not use special category biometric data.

Employees’ digital monitoring rules: Digital work tools can record large amounts of data about employees, and therefore monitoring of it is heavily restricted, states the Norwegian privacy regulator. In most cases, the employer does not have the right to monitor the employee’s use of work tools, including the use of the Internet, unless the purpose of the monitoring is to manage the company’s computer network to uncover or clarify security breaches, etc. At the same time, it can be difficult for employers to introduce such measures in particular cases, as many regulations control different aspects of the working environment, and may include trade union approval, transparency obligations, data protection implications, and information security.

Privacy by default: This means that products and services are designed to ensure that a person’s privacy is protected from the outset and that they do not need to take any additional steps to protect their data, explains the Latvian data protection regulator. This approach is designed to minimise possible violations in the process of data acquisition and usage, as well as the unauthorized access and risks that could arise if personal data comes into the possession of a third party. This may include collecting only the minimum necessary data, user account default settings in “private mode”, limited data retention (followed by automatic anonymisation or deletion of user data if the account is inactive for a certain period), user control tools (e.g. whether to allow the user profile to be found in search engines), clear information notices (including all third parties with whom the data may be shared), and security measures (encryption, regular security audits).
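An added example, not from the Latvian regulator or the TechGDPR digest, of two of these measures in code: privacy-preserving defaults for a new account, and an inactivity sweep that first warns and then anonymises dormant accounts by dropping their identifiers. The retention thresholds, field names and sample accounts are constructed for the example.

```javascript
// Added example, not from the original digest: privacy-by-default account
// settings plus an inactivity retention sweep.
const DAY_MS = 24 * 60 * 60 * 1000;

// Defaults a new account starts with: private profile, not discoverable by
// search engines, nothing shared with third parties until the user opts in.
function newAccountSettings() {
  return {
    profileVisibility: "private",
    searchable: false,
    shareWithPartners: false,
    marketingEmails: false,
  };
}

// Retention policy (constructed values): warn the user after `warnAfterDays`
// of inactivity, anonymise the record after `anonymiseAfterDays`.
const RETENTION = { warnAfterDays: 335, anonymiseAfterDays: 365 };

function daysInactive(account, now) {
  return Math.floor((now - account.lastActiveAt) / DAY_MS);
}

// Decide what the sweep should do with one account.
function retentionAction(account, now, policy = RETENTION) {
  if (account.anonymised) return "skip"; // already stripped, nothing left to do
  const idle = daysInactive(account, now);
  if (idle >= policy.anonymiseAfterDays) return "anonymise";
  if (idle >= policy.warnAfterDays) return "warn";
  return "keep";
}

// Drop everything that identifies the person and keep only what aggregate
// statistics need. Identifiers are removed, not hashed: a hash would still be
// pseudonymous data rather than anonymous data.
function anonymise(account) {
  return {
    anonymised: true,
    createdYear: new Date(account.createdAt).getUTCFullYear(),
    coursesCompleted: account.coursesCompleted,
  };
}

// Run the sweep over a batch; returns per-action counts and the new records.
function runRetentionSweep(accounts, now, policy = RETENTION) {
  const summary = { keep: 0, warn: 0, anonymise: 0, skip: 0 };
  const result = accounts.map((account) => {
    const action = retentionAction(account, now, policy);
    summary[action] += 1;
    return action === "anonymise" ? anonymise(account) : account;
  });
  return { summary, accounts: result };
}

// Constructed sample accounts; timestamps are milliseconds since the epoch.
const NOW = Date.UTC(2024, 1, 14);
const SAMPLE_ACCOUNTS = [
  { id: 1, email: "a@example.com", name: "A", createdAt: Date.UTC(2022, 0, 1),
    lastActiveAt: NOW - 10 * DAY_MS, coursesCompleted: 3, settings: newAccountSettings() },
  { id: 2, email: "b@example.com", name: "B", createdAt: Date.UTC(2022, 5, 1),
    lastActiveAt: NOW - 340 * DAY_MS, coursesCompleted: 1, settings: newAccountSettings() },
  { id: 3, email: "c@example.com", name: "C", createdAt: Date.UTC(2021, 3, 1),
    lastActiveAt: NOW - 400 * DAY_MS, coursesCompleted: 0, settings: newAccountSettings() },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runRetentionSweep(SAMPLE_ACCOUNTS, NOW), null, 2));
}
```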

Enforcement decisions

UiPath data leak: The Romanian data protection authority has fined learning platform UiPath SRL approximately 70,000 euros for a massive data loss. It did not implement adequate technical and organisational measures to ensure that, by default, personal data cannot be accessed without the intervention of a person, including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, and a process for regularly testing, assessing and evaluating the effectiveness of the implemented measures. This led to the unauthorised disclosure of, and access to, the personal data (user name and surname, unique identifier, e-mail address, name of the company where the user was employed, country and details of the level of knowledge obtained within the courses) of about 600,000 users of the Academy Platform for about 10 days. This violation is likely to cause physical, material or moral harm to the data subjects, such as loss of control over their data or loss of data confidentiality.

Misconfigured cloud storage: The UK Information Commissioner issued a reprimand to a recruitment company: the organisation misconfigured a storage container, holding 12,000 records relating to 3,000 workers, to be publicly accessible without any requirement to authenticate. The personal data consisted of a variety of data sets, including names, addresses, dates of birth, passports, ID documents and national insurance numbers. The company has since committed to periodically audit the configuration of its cloud services as part of a wider security assessment covering access rights, appropriate identity and access controls, event logging and security monitoring.

Vklass data leak: The Swedish privacy regulator has reprimanded the learning platform Vklass for not being able to detect abnormal user behaviour in its learning platform or to track what happened in the system. Multiple complainants alleged that an unauthorized person obtained personal data about teachers and students from the learning platform. The reports come from municipal committees and private businesses that conduct school and educational activities. The incident probably occurred because a student wrote a script that automatically saved information from the learning platform into a database, and the information was then published openly on a website, which is now closed.

Edmodo and minors’ consent: Meanwhile in the US, the Federal Trade Commission obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parents’ consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule (COPPA), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. Among many orders, the provider is obliged to identify the accounts in question and delete or destroy certain data (from students under 13 years of age), periodically provide compliance reports to the Commission, and permanently refrain from collecting more personal information than is reasonably necessary for a child to participate in any activity offered on the online platform.

Data security

High-risk systems: For some so-called “critical processing” IT systems, a data breach would create particularly high risks for people, so they require an adequate level of security. To best support the professionals concerned, the French regulator CNIL has submitted a recommendation for public consultation (in French). It specifically targets so-called “critical” processing, defined by two cumulative criteria: a) the processing is large-scale within the meaning of the GDPR, and b) a personal data breach could have very significant consequences for the data subjects, for state security or for society as a whole.

This includes customer databases and other processing that brings together a large part of the population, such as in energy, transport, banking, large-scale dematerialised public services, health data processing, etc. Risk scenarios may include attacks by organised criminal groups or “supply chain attacks”, likely to take place over a long period; the compromise of third-party service providers responsible for IT development, maintenance or support operations; the exploitation of unknown vulnerabilities in software or hardware components; and the compromise of persons authorised to access the processing.

Email security guidance: Guidance by the UK Information Commissioner explains what organisations should, and could do to comply with email security, including several case studies and a checklist. Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them. In brief: 

  • You must assess what technical and organisational security measures are appropriate to protect personal information when sending bulk emails.
  • You should train staff about security measures when sending bulk communications.
  • You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy.
  • If you are only sending an email to a small number of recipients, you could consider sending each one separately, rather than one bulk email. 

Big Tech

OpenAI for organisations: OpenAI offers its most powerful version of ChatGPT to enterprises. It has longer context windows for processing longer inputs, advanced data analysis capabilities, customization options and more. According to the company, 80 per cent of Fortune 500 companies (the largest US corporations) have registered ChatGPT accounts, as determined by accounts associated with corporate email domains. Businesses have expressed concerns about privacy and security, fearing that their data may be used to train ChatGPT and that the application could mistakenly reveal sensitive consumer information to AI models. According to OpenAI, ChatGPT Enterprise users will have complete rights and ownership over their data, which will not be used for algorithm training.

‘Algorithmic disgorgement’: At the same time, the US Federal Trade Commission reminds companies of certain obligations when using Generative AI. When offering a generative AI product, companies need to inform customers whether and the extent to which AI training data includes copyrighted or otherwise protected material. Companies should not try to “fool people” into thinking that AI-generated works were created by humans. Companies must ensure that customers understand the material terms and conditions associated with digital products. The regulator also noted that unilaterally changing terms or undermining reasonable ownership expectations can be problematic, etc. Finally, in its enforcement of data protection regulations, the Commission has lately begun to compel “algorithmic disgorgement” – the destruction of not just the illegally obtained data itself, but also artificial intelligence models and algorithms constructed using such data.

Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown https://techgdpr.com/blog/data-protection-digest-04042023-dismissed-fine-cybersecurity-tools-chatgpt-clampdown/ Tue, 04 Apr 2023 08:50:03 +0000

The post Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown appeared first on TechGDPR.
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Court-dismissed fine: A multimillion-euro fine imposed by the Spanish privacy regulator has been overturned by a court decision, according to a publication by Clifford Chance law firm. The AEPD fined Banco Bilbao Vizcaya Argentaria 5 million euros in 2020, the first of many hefty fines for GDPR violations in the country’s corporate sector. In the above case, the AEPD received several complaints about commercial communications. Ultimately, it found that BBVA’s privacy policy, which was applicable to all of its clients and to processing other than the sending of marketing communications, violated the duty of information, and occasionally misused consent and legitimate interest as the basis for processing. However, the decision and fine with regard to BBVA’s privacy and the initial complaints were completely at odds, and the court found that the AEPD had broken the sanctioning procedural rules. 

EU Health Data Space: EU legislators are actively working on safeguards for the upcoming European Health Data Space. This includes promoting patients’ understanding and control of their personal health data. The latest amendments look at the main characteristics of electronic health data categories: patient summary, electronic prescription, electronic dispensation, medical image and image report, laboratory result, and discharge report. Under the Commission’s proposal, researchers, companies, and institutions will require a permit from a health data access body, to be set up in all member states. Access will only be granted to use de-identified data for approved research projects, which will be carried out in closed, secure environments, Sciencebusiness.com publication sums up. 

Iowa privacy legislation: Iowa enacted its new comprehensive privacy law, making it the sixth US state to do so after California, Virginia, Colorado, Utah, and Connecticut. It will take effect in 2025. Anyone conducting business in Iowa or creating goods or services marketed toward Iowans who does one of the following is subject to the law: processes at least 100,000 consumers’ personal data; processes 25,000 consumers’ personal data, and more than 50% of gross revenue is generated from the sale of it. The law does not apply to financial institutions, nonprofit organizations, institutions of higher education, information bearing consumers’ creditworthiness, various research data, protected health information, and more.

Utah minors protection: Utah enacted two laws to limit children’s access to social media, making it the first US state to demand parental consent before children can use Instagram and TikTok. It also makes suing social media companies for damages simpler. To date, US lawmakers have had difficulty enacting stricter federal laws governing online child safety. Under Section 230 of the US Communications Decency Act, media service providers are largely shielded from liability for the content they provide. 

Online service providers are also not required by federal statutes to use a particular method of age verification. Because of this, some have minimum age restrictions and ask users to enter their birthdate or age before granting access to the content. These restrictions are typically stated in the terms of service. According to Utah legislation, all users must submit age verification before creating a social media account. Minors under the age of 18 must have parental or guardian consent. 

Official guidance

AI white paper: Principles including safety, transparency, fairness, contestability, and redress will guide the use of AI in the UK, as part of a new pro-innovation national blueprint. Reportedly, Britain has more businesses offering AI goods and services than any other European nation, and hundreds more are being founded annually. Regulators pledge to provide organisations with advice over the coming year, as well as other resources such as risk assessment templates. Currently, there is no deadline envisaged in the UK for passing AI legislation. Meanwhile, the EU AI Act, which takes a more risk-based approach and is being discussed by parliamentarians, can reasonably be expected this year.

Data protection by default: UK privacy regulator the ICO published resources to help UX designers, product managers, and software engineers embed privacy by default. The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch when designing websites, apps, or other technology products and services. The ICO has also published videos with experts, technologists, and designers. 

Employment guide: The Danish data protection authority has revised its guidance on data protection in employment relationships (in Danish only). The update covers obtaining criminal records and references, and clarifies an employer’s duty to disclose information, processing by trade unions, employee monitoring, the use of IQ and personality tests, and more. In parallel, the Lithuanian regulator is preparing similar guidance for employees, businesses, and the public sector (in Lithuanian only).

Joint controllers: What is the difference between joint and independent data controllers? Joint controllership arises when the entities involved process data for the same or a common purpose; it can arise even where their purposes are merely closely related or complementary, explains the Slovenian data protection authority. The purposes and means of processing need not be identical for all joint controllers, but they must be determined jointly, via an agreement or by law. Consequently, joint controllers are jointly and severally liable for damages.

Suspected data breach: Pursuant to the GDPR, in the event of a personal data breach that is likely to cause a high risk to the rights and freedoms of individuals, the data controller must notify the data subject without undue delay. However, notification is not mandatory if any of the conditions stipulated in Art. 34 (3) of the GDPR are met. Regardless of the above, in case of a suspected breach, (eg, unauthorised disclosure of a large amount of personal data), you have the right to request information from the data controller, (if they processed your data), as to whether your personal data is included in the incident, concludes the Croatian data protection agency.

Enforcement decisions

ChatGPT ban: The Italian supervisory authority Garante has clamped down on ChatGPT. The limitation of the processing of Italian users’ data by OpenAI, the US company that developed and manages the platform, is temporary until it establishes privacy procedures. ChatGPT suffered a data breach on March 20 concerning user conversations and payment information for subscribers to the paid service. Garante noted the lack of information to users and all interested parties whose data is collected by OpenAI, but above all the absence of a legal basis that justified the collection and storage of personal data in order to train the algorithms. 

Additionally, as evidenced by the checks carried out, the information provided by ChatGPT does not always correspond to the real data, thus establishing inaccurate processing of personal data. Finally, the service is aimed at people over 13 but does not use any filter for verifying the age of users and exposes minors to answers that are absolutely inappropriate with respect to their degree of development and self-awareness. OpenAI, which does not have an office in the EU but has appointed a representative in the European Economic Area, must communicate within 20 days on the measures taken.

Wrongful copy: The Greek data protection authority investigated a complaint from a Vodafone subscriber who, after requesting access to her recorded conversations with the Vodafone call centre, received a CD containing another person’s conversations. Although the complainant notified Vodafone immediately, the company took no steps to investigate the incident, initially accepting its processor’s response that it had been unable to reach the complainant by phone, and only later contacted her to retrieve the CD. Vodafone was ordered to send the correct file and was fined 40,000 euros (Art. 15 and Art. 33 of the GDPR).

Email correspondence: A legitimate interest in processing personal data for legal defence does not override employees’ right to privacy. The Italian privacy authority fined a company that kept using a former collaborator’s email account after they had left the firm, reading its contents and forwarding incoming mail to a current employee. The former collaborator had collected contacts of potential clients met at a trade fair, and the company claimed that a legal dispute had arisen from the collaborator’s attempts to get in touch with them. Fearing the loss of those prospective customers, the company had not only written to them to explain that the person had been removed, but had also read the correspondence.

GPS monitoring: Tehnoplus Industry in Romania was fined over a GPS system installed in a company car without informing the employee and without first exhausting less intrusive ways of achieving the stated purpose, monitoring the service vehicle. The company processed the complainant’s location data excessively, including outside working hours. The purpose and legal basis of the processing, as well as the excessive retention of the collected data beyond the established 30-day limit, were also found to be unlawful.

In parallel, the French privacy regulator imposed a fine on Cityscoot for geolocating customers almost permanently in breach of the data minimisation principle. During the rental of a scooter by an individual, the company collected data relating to the geolocation of the vehicle every 30 seconds. In addition, the company kept the history of these trips. None of the established purposes of the processing, (the treatment of traffic offenses, handling customer complaints, user support, and theft management), could justify the monitoring and could have been organised without constant tracking.  

Data security

Cybersecurity tools: The French regulator CNIL has updated its guide on the security of personal data (in French). It helps professionals who process personal data by recalling the basic precautions to implement. Seventeen fact sheets cover the latest recommendations on authenticating users, logging operations and managing incidents, securing workstations, guiding IT development, securing exchanges with other organisations, encryption, and much more.

The European Union Agency for Cybersecurity (ENISA) has also released a tool to help small and medium-sized enterprises assess their cybersecurity maturity. The tool supports implementation of the updated Network and Information Security (NIS2) Directive. Most SMEs fall outside the Directive’s scope because of their size, and this work gives them easily accessible guidance tailored to their needs.

Similarly, the UK National Cyber Security Centre has launched two new services to help small organisations stay safe online:

  • The Cyber Action Plan can be completed online in under 5 minutes and results in tailored advice for businesses on how they can improve their cyber security.
  • Check your Cyber Security – which is accessible via the Action Plan – can be used by any small organisation including schools and charities and enables non-tech users to identify and fix cyber security issues within their businesses.

Mobile threat defense: America’s NIST has examined mobile threat defense (MTD) applications, which provide real-time information about a device’s risk level. Like any other app, an MTD app is installed on the device by the user; it then detects undesirable activity and alerts the user so they can stop or limit the harm. For instance, it can flag an operating system that needs updating, or warn the user that their network traffic is being intercepted. Without integration into a mobile device management system, however, MTD applications are only marginally effective in an enterprise environment.

Big Tech

Child Care apps: In the US, childcare facilities are relying on technology more and more, reports edsurge.com, telling the story of a parent who enrolled her child in child care. She wasn’t expecting to have to download an app to participate, and when that app began sending her photos of her child, she had further questions. Laws such as the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act don’t apply in these circumstances, so parents need to do their own research. The other issue, she says, is that cameras can make teachers and other classroom staff anxious or otherwise not themselves: they may feel that administrators or parents don’t trust them, and avoid activities such as dancing.

You are (not) hired: Reportedly, a third of Australian companies rely on artificial intelligence to help them choose the right hire, while no laws specifically govern AI recruitment tools. Applicants are often unaware that they will be subjected to an automated process or, if they are aware, on what basis they will be assessed. For instance, an AI might conclude that you lack good communication skills because you don’t use standard English grammar, or fail to recognise cultural traits because it was trained on native speakers. Another concern is how physical disability is accounted for in a chat or video interview. Read more analysis by the Guardian in the original publication.

Vehicle data: Because data ownership remains undefined under EU law, the Commission’s proposed Data Act, meant to ensure fair access to such information, particularly in the vehicle sector, appears to have run into problems. The legislative proposals were expected to regulate a connected-car sector estimated to be worth more than 400 billion euros by the end of the decade. Now car services groups warn that very few big players are able to access this data, skewing the market, Reuters reports.

The post Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown appeared first on TechGDPR.

Privacy by Design for Technology Development Teams https://techgdpr.com/blog/privacy-by-design-for-technology-development-teams/ Wed, 03 Aug 2022 12:22:14 +0000

The principle of Privacy by Design builds privacy into the heart of data processing operations and systems, while Privacy by Default ensures that the data subject’s rights are protected as a matter of standard operations. These concepts existed long before the GDPR came into force, but under the GDPR they became binding requirements.

The post Privacy by Design for Technology Development Teams appeared first on TechGDPR.

The concepts of Privacy by Design and Privacy by Default, set out in Article 25 of the GDPR (which calls them data protection by design and by default), are crucial aspects of GDPR compliance for technology developers. The requirements for implementing them are quite extensive. As Article 25(1) states:

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Essentially, data controllers need to consider data protection at the core of their organisational activities. As such, those who create the technologies used in data processing must consider the implications of their software in the context of the GDPR. While Data Protection by Design and Data Protection by Default are separate concepts, they are complementary: implementing Data Protection by Design makes achieving Data Protection by Default much easier, and the reverse is true as well.

Building privacy into the heart of data processing operations and systems is part of Privacy by Design, while ensuring that the data subject’s rights are protected as a matter of standard operations is part of Privacy by Default. These concepts existed long before the GDPR came into force, but under the GDPR they became binding requirements.

Achieving Privacy by Design and Privacy by Default is not a simple process when one’s main focus is developing and delivering products. As such, familiarity is of the essence. 

What are the most important considerations involved with these concepts, and how can controllers, and the developers building their systems, implement them?


What is Privacy by Design? 

The concept of Privacy by Design was developed by Ann Cavoukian in the 1990s and presented in her 2009 “Privacy by Design: The Definitive Workshop.” As Cavoukian states, Privacy by Design encompasses more than technology: privacy must be taken into account throughout the design and operation of organisations and systems as a whole. Seven foundational principles form its basis:

  1. Measures are proactive rather than reactive. They anticipate privacy risks and prevent them from occurring, rather than allowing invasions of privacy and mitigating them after the fact. These measures are woven into the culture of an organisation.
  2. Privacy is protected by default. Personal data is protected without requiring the data subject to act. In practice, the most intrusive features of an app, such as geolocation tracking when the user has not asked for it, are turned off when the product is first installed or, better yet, every time the app is launched.
  3. Privacy is embedded into the design of systems and organisations. It is not an afterthought but an essential part of a system’s functionality. Retrofitting privacy into a finished system is costly, so planning for it from the outset rather than redesigning to accommodate it later is a wise cost-management strategy.
  4. Privacy is not implemented to the detriment of other interests; all legitimate interests are accommodated with full functionality (positive-sum, not zero-sum).
  5. Privacy is protected end to end, throughout the lifecycle of all the data collected, from collection to secure deletion.
  6. Data processing activities are visible and transparent. The business practices and technologies involved are clear to both users and providers.
  7. Measures are user-centric: the interests of data subjects are kept at the forefront of operations.

Cavoukian stresses that ensuring privacy does not come at the cost of other critical interests, but rather ought to complement other organisational goals. 

But how does a team implement these foundational principles into their technological design?

Methods of Implementing and Measuring Data Protection by Design for Technology Developers

The European Data Protection Board adopted guidelines for Data Protection by Design and by Default on 20 October 2020. These guidelines clarify how to implement the requirements of Article 25 in organisations that process personal data. 

Certain concepts, such as pseudonymisation, noise addition, substitution, k-anonymity, l-diversity, t-closeness, and differential privacy, can help increase the privacy of an individual data subject or give key information about the privacy of a data set. Those working to achieve Privacy by Design should think of these methods as tools they can use, not as complete solutions in themselves.

  • Pseudonymisation replaces direct identifiers, such as names, with codes or numbers, so that records belonging to the same person can still be linked to each other without that person being directly identified. Such data remains within the scope of the GDPR. Truly anonymous data, which cannot be linked back to a data subject by any reasonably likely means, is not personal data, and its processing falls outside the GDPR. Pseudonymised data differs in that it can be re-linked to the data subject, for example with the separately kept key or lookup table, even if only in a difficult or indirect way, and so it remains subject to the GDPR’s requirements.
  • Noise addition is often used in conjunction with other anonymisation techniques. Confidential quantitative attributes are perturbed by adding or multiplying a random value. Noisy records can still be singled out, and the records of one individual can still be linked, although less reliably; an inference drawn from them may also attach an artificially altered value to an individual.
  • Substitution is another method of pseudonymisation, in which a piece of data is replaced with a different value. Like noise addition, substitution should be combined with other data protection measures to ensure that data subjects’ rights are protected.
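As an added example (my own code, not TechGDPR’s and not part of the original article), the following Python script shows keyed pseudonymisation of the kind the first bullet describes, and why it stays personal data. The records, the attacker’s guess list and the key are all constructed for the demo; the point it makes is that a plain hash of a name falls to a dictionary of candidate names, an HMAC with a secret key does not, and whoever holds that key can re-link the pseudonyms, which is exactly why the key must be stored separately and the data stays in scope.

```python
"""Pseudonymisation with a keyed hash (HMAC-SHA256), contrasted with a plain hash.
Added example, not TechGDPR's code; the records, guess list and key are constructed."""
import hashlib
import hmac
import secrets

# The key is the "additional information" of GDPR Art. 4(5): it must be stored
# separately from the pseudonymised records, because with it the data re-links.
KEY = secrets.token_bytes(32)

def _normalise(identifier: str) -> bytes:
    # Case and whitespace normalisation so the same person maps to one pseudonym
    return " ".join(identifier.split()).lower().encode("utf-8")

def pseudonym(identifier: str, key: bytes = KEY) -> str:
    """Deterministic keyed pseudonym: same input, same output, so a person's
    records stay linkable; without the key the name cannot be recovered."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()[:16]

def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256, often mistaken for pseudonymisation: anyone can recompute it."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()[:16]

def pseudonymise(records, key: bytes = KEY):
    """Replace the direct identifier 'name' with a pseudonym 'subject'."""
    out = []
    for r in records:
        rec = dict(r)
        rec["subject"] = pseudonym(rec.pop("name"), key)
        out.append(rec)
    return out

def dictionary_attack(target: str, candidates, fn):
    """Re-identification by guessing: run each candidate through fn and compare."""
    for c in candidates:
        if fn(c) == target:
            return c
    return None

# Constructed sample data (no real people)
RECORDS = [
    {"name": "Alice Example", "visit": "2023-03-20", "amount": 12.50},
    {"name": "Bob Example", "visit": "2023-03-21", "amount": 7.00},
    {"name": "alice  example", "visit": "2023-03-25", "amount": 3.10},
]
GUESS_LIST = ["Alice Example", "Bob Example", "Carol Example"]  # attacker's candidate names

def demo(key: bytes = KEY):
    ps = pseudonymise(RECORDS, key)
    linkable = ps[0]["subject"] == ps[2]["subject"]           # Alice's two visits link
    plain_cracked = dictionary_attack(plain_hash("Alice Example"), GUESS_LIST, plain_hash)
    keyed_no_key = dictionary_attack(ps[0]["subject"], GUESS_LIST, plain_hash)
    keyed_with_key = dictionary_attack(ps[0]["subject"], GUESS_LIST,
                                       lambda c: pseudonym(c, key))
    return linkable, plain_cracked, keyed_no_key, keyed_with_key

if __name__ == "__main__":
    print(demo())   # (True, 'Alice Example', None, 'Alice Example')
```

The truncation to 16 hex characters is only to keep the output readable; in production keep the full digest, and treat the key like any other secret (HSM, KMS or at least a separate store with its own access control), since the GDPR’s pseudonymisation definition is met only while that key is kept apart from the data.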

Means of measuring the privacy of data 

  • k-anonymity is a form of aggregation: records are grouped so that each combination of quasi-identifiers (attributes such as postcode or age that could be linked to outside data) is shared by at least k records, and the resulting k measures the degree of anonymity of the data set. An individual’s record is thus hidden among a group of at least k. Generalisation achieves this by replacing a specific value with a broader one, for example an exact age with an age range. Suppression is another route to better k-anonymity: a category of data, or the records that cannot be grouped, is removed from the data set entirely, which is best suited to cases where that data is irrelevant to the purpose of the processing. Note, however, that k-anonymity alone does not protect sensitive attributes: if every record in a group shares the same sensitive value, that value is revealed for everyone in the group.
  • l-diversity extends k-anonymity by measuring the diversity of sensitive values: each group must contain at least l well-represented values of the sensitive attribute. This makes the data set more robust against re-identification and attribute disclosure, which matters where the sensitive attribute of a k-anonymised group could otherwise be linked back to an individual.
  • t-closeness expands on l-diversity and is a strategy of anonymisation by generalisation. It requires the distribution of the sensitive attribute within each equivalence class to be within a threshold t of its distribution in the whole data set, which is useful where a data set must stay as close as possible to its original form. Like k-anonymity and l-diversity, t-closeness prevents an individual from being singled out in the database, but all three leave records linkable. What l-diversity and t-closeness add over k-anonymity is the guarantee that inference attacks against the data set cannot succeed with 100% confidence.
  • Differential privacy protects an individual by ensuring that what someone learns from the output of an analysis is almost the same whether or not that individual’s data is included. Data can then be analysed without an individual being singled out or identified. Differential privacy achieves this through a specific kind of randomisation: calibrated noise is added to the query results (or to the data), and the privacy parameter ε determines how much noise is required.
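As an added example (my own code, not TechGDPR’s and not part of the original article), the following Python script measures k, l and t on a small constructed table, applies generalisation and suppression to improve them, and adds a differentially private count with the Laplace mechanism, covering the four bullets above in one place. The eight patient-style records are constructed; the quasi-identifiers are zip and age, the sensitive attribute is diagnosis. For t-closeness the earth mover’s distance is computed as total variation distance, which is what it reduces to for a categorical attribute where every pair of values is equally far apart (an assumption stated in the code).

```python
"""k-anonymity, l-diversity and t-closeness measured on a small table, plus a
differentially private count using the Laplace mechanism.
Added example, not TechGDPR's code; the records below are constructed."""
import random
from collections import Counter, defaultdict

QI = ("zip", "age")          # quasi-identifiers an attacker could link to
SENSITIVE = "diagnosis"      # the attribute we do not want inferred

# Constructed sample table (no real people)
RAW = [
    {"zip": "13053", "age": 28, "diagnosis": "flu"},
    {"zip": "13068", "age": 29, "diagnosis": "cancer"},
    {"zip": "13068", "age": 21, "diagnosis": "flu"},
    {"zip": "13053", "age": 23, "diagnosis": "cancer"},
    {"zip": "14853", "age": 50, "diagnosis": "cancer"},
    {"zip": "14853", "age": 55, "diagnosis": "heart"},
    {"zip": "14850", "age": 47, "diagnosis": "heart"},
    {"zip": "14850", "age": 49, "diagnosis": "flu"},
]

def generalise(records, zip_digits=3, age_bucket=10):
    """Generalisation: keep only the leading zip digits and replace age by a range."""
    out = []
    for r in records:
        lo = (r["age"] // age_bucket) * age_bucket
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["age"] = f"{lo}-{lo + age_bucket - 1}"
        out.append(g)
    return out

def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QI)].append(r)
    return classes

def k_anonymity(records):
    """Largest k such that every QI combination occurs in at least k records."""
    classes = equivalence_classes(records)
    return min((len(c) for c in classes.values()), default=0)

def l_diversity(records):
    """Distinct l-diversity: fewest distinct sensitive values in any class."""
    classes = equivalence_classes(records)
    return min((len({r[SENSITIVE] for r in c}) for c in classes.values()), default=0)

def t_closeness(records):
    """Largest distance between a class's sensitive-value distribution and the
    whole table's. Assumes a categorical attribute with equal distance between
    values, for which the earth mover's distance is the total variation distance."""
    def distribution(recs):
        cnt = Counter(r[SENSITIVE] for r in recs)
        return {v: n / len(recs) for v, n in cnt.items()}
    overall = distribution(records)
    worst = 0.0
    for c in equivalence_classes(records).values():
        d = distribution(c)
        keys = set(d) | set(overall)
        tvd = 0.5 * sum(abs(d.get(v, 0.0) - overall.get(v, 0.0)) for v in keys)
        worst = max(worst, tvd)
    return worst

def suppress(records, k):
    """Suppression: drop every record in a class smaller than k."""
    return [r for c in equivalence_classes(records).values() if len(c) >= k for r in c]

def laplace_count(records, predicate, epsilon, seed=None):
    """Differentially private count. A counting query has sensitivity 1 (adding or
    removing one person changes it by at most 1), so Laplace noise with scale
    1/epsilon gives epsilon-differential privacy. Smaller epsilon, more noise."""
    rng = random.Random(seed)
    true_count = sum(1 for r in records if predicate(r))
    scale = 1.0 / epsilon
    # The difference of two exponentials with mean `scale` is Laplace(0, scale)
    noise = rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)
    return true_count + noise

if __name__ == "__main__":
    print("raw table:          k =", k_anonymity(RAW))
    g10 = generalise(RAW)
    print("generalised (10y):  k =", k_anonymity(g10), "l =", l_diversity(g10),
          "t =", round(t_closeness(g10), 3))
    kept = suppress(g10, 3)
    print("suppressed to k>=3: k =", k_anonymity(kept), "records kept:", len(kept))
    print("DP count of cancer, eps=1:",
          round(laplace_count(RAW, lambda r: r["diagnosis"] == "cancer", 1.0, seed=7), 2))
```

Running it shows the trade-offs the bullets describe: the raw table is only 1-anonymous, a ten-year age bucket and three-digit zip give k = 2 with l = 2 and t = 0.375, suppressing the small classes raises k to 4 but discards half the records, and the Laplace count is right on average while any single answer is off by noise of scale 1/ε. None of the three metrics stops records from being linked; the DP count gives a bounded guarantee per query, but repeated queries consume the privacy budget, so ε must be tracked across all releases.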

Privacy Design Strategies

Jaap-Henk Hoepman identified eight privacy design strategies, divided into two groups: data-oriented and process-oriented. The data-oriented strategies, minimise, hide, separate, and abstract, concern how to process data in a privacy-friendly manner. The process-oriented strategies, inform, control, enforce, and demonstrate, concern how an organisation can responsibly manage personal data. Article 5 of the GDPR sets out the basic principles for processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. These principles guide the strategies, which can be realised with concepts and methods such as pseudonymisation, noise addition, substitution, k-anonymity, l-diversity, t-closeness, and differential privacy. These methods of implementing and measuring privacy should form part of a larger effort to build data protection into the fabric of data processing operations.

How can technology developers learn more about Privacy by Design and Default?

Data Protection by Design and Data Protection by Default are fundamental concepts to adhere to under the GDPR. Teams which keep these concepts in mind at every level of their organisations will keep the rights of data subjects at the forefront of their operations, and thus go further in working towards GDPR compliance. Technology developers have a special role in making sure that their products have the capacity to be used in a GDPR compliant manner, and thus should have extensive familiarity with these concepts. Those interested in learning more about GDPR compliance, from the perspective of what a technology developer should consider, can participate in TechGDPR’s Privacy & GDPR Compliance Course for Developers. This course delves into what individuals working in technology development need to know about data protection so they can better understand their own duties and responsibilities under the requirements of the GDPR. 
