Putting Data Protection by Design (DPbD) into practice

The regulation enforces a proactive attitude towards securing personal data and recommends implementing state-of-the-art security tools and techniques. In recent years, a plethora of Privacy-Enhancing Technologies (PETs) have been created to foster data protection and respond to privacy concerns, and several reviews, handbooks and surveys have set out to systematize this knowledge. Yet many organizations still treat security controls as a post-development activity, and most Privacy-Enhancing Technologies remain unknown to most engineers. Unless clear and tangible guidance is provided to organizations, there is a significant risk of rendering PETs and DPbD useless.

Coordination with third parties

In order to survive in the market, organizations nowadays collaborate in complex, large ecosystems. Hence, it is expected that data controllers will spend extra time coordinating with processors and third parties. As an example from a data management perspective, controllers must have mechanisms to comply with data subjects’ rights on their own infrastructures, but they must also coordinate with processors to make the necessary changes on their side. Changes in a data record might require triggering specific processes for each processor that happens to hold a copy of that record. As the number of third parties grows, the controller will require a systematic, automated mechanism to tackle all these issues.

Identification of personal data

Under the GDPR, data subjects have the right to ask controllers to remove, amend or provide access to all their personal data. This poses a challenge, as finding all this information requires detailed descriptions of the data processing system and effective governance mechanisms across different systems, including backups, data transferred to third parties and information shared internally by the organization’s employees. A significant number of organizations have decided to establish a manual process to find all this information, expecting that the number of data subjects’ requests is going to be low. Yet, reports indicate that a significant number of EU citizens are willing to make use of these rights.

Compliance costs

There is a general belief that the GDPR will significantly increase operating expenses or have a negative impact on companies’ revenue. In combination with a lack of clear guidance on GDPR compliance, organizations have to allocate large budgets to the risk of non-compliance, reducing their capacity to cope with other business ventures.