
Privacy by Design: the challenges of cybercrime applied to your projects

Posted: Tue Dec 10, 2024 4:41 am
by mstlucky8072
Setting up a system to ensure the protection and confidentiality of the personal data of users of your site or platform is good and is now a legal obligation. Building that system into your digital service from the very beginning, and so gaining efficiency later on, is even better! This is what the concept of Privacy by Design proposes.

In this article, we take stock of the basics of this approach recommended by data security specialists. Find out what its principle is, how to implement it and what its impacts are.

Privacy by Design: what are we talking about?
Privacy by Design is a methodology designed to enable companies to optimally meet the requirements of the General Data Protection Regulation (GDPR) on the protection of privacy.

Its principle is relatively simple: the structure of the databases that will receive and store user data, as well as the processes that handle that data, are designed from the very start of the web project, whatever its nature: website, SaaS, platform, application or any other product that handles personal data.





How to implement Privacy by Design?
Let's remember that Privacy by Design is a principle and not a technical approach to follow. It therefore does not propose any specific process or tool. To implement it, companies must first adopt preventive measures, in order to limit as much as possible the data protection problems generated by a system that was not built for this.

First, it is important to respect the principle of Privacy by Default, which requires companies to apply the highest privacy settings to users by default. If users wish to lower them, they can, but under no circumstances should they be forced to take steps to strengthen the protection of their data.

This principle must be maintained throughout the period of use, and particular attention must be paid to updates: the privacy settings chosen by the user must remain exactly the same.

Then, throughout the creation of the web project, here are some elements to take into account in order to respect the concept of Privacy by Design.



What data to collect and store?
What personal data is actually useful for using your online service? Assume that the less data you have to process, the easier it will be for you to respect users' privacy.

For example, is it necessary to know the identity of your customers? A pseudonym will do most of the time. Same for date of birth and contact details. If a location is required, a zip code may suffice, so there is no need to ask for the exact address. Think about what you really need to make the application work and stick with that.

In general, avoid passive collection of information and only keep that which is essential to the use of your platform.



Storing and erasing personal data
All so-called personal data (name, first name, email address, date of birth, login, etc.) that could attract the interest of cybercriminals practicing identity theft must be encrypted.

Similarly, user passwords must not be stored as is. It is imperative to provide a hashing system to secure them. In the event of data theft, this measure makes the password indecipherable and therefore unusable by hackers.
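As an added illustration of the hashing step above (not code from the article), here is one way to store and check passwords with a per-user random salt and the slow scrypt function from Python's standard library. The cost parameters and the record layout are assumptions to adapt to your own system.

```python
# Added example: cost parameters and record layout are assumptions.
import hashlib
import hmac
import os

N, R, P, KEY_LEN = 2**14, 8, 1, 32   # scrypt work factors (assumed; tune to your hardware)
MAXMEM = 64 * 1024 * 1024            # memory ceiling handed to OpenSSL


def _derive(password, salt, n, r, p, length):
    """Slow, memory-hard derivation: each guess costs an attacker real time and RAM."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=length)


def hash_password(password):
    """Build the record to store. The password itself is never written anywhere."""
    salt = os.urandom(16)            # fresh salt per user: equal passwords differ
    key = _derive(password, salt, N, R, P, KEY_LEN)
    # Parameters are stored with the hash so they can be raised later
    # without invalidating existing records.
    return {"salt": salt.hex(), "key": key.hex(), "n": N, "r": R, "p": P}


def verify_password(password, record):
    """Recompute with the stored salt and parameters, compare in constant time."""
    expected = bytes.fromhex(record["key"])
    candidate = _derive(password, bytes.fromhex(record["salt"]),
                        record["n"], record["r"], record["p"], len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("constructed-sample-passphrase")
    print(verify_password("constructed-sample-passphrase", rec))  # True
    print(verify_password("wrong guess", rec))                    # False
```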

The recorded data should not be stored ad vitam aeternam. After a certain period of inactivity or after uninstallation, it is recommended to create a system to automatically delete them, after notifying the user. They must also be able to easily delete them, whenever they wish. A form or instructions for doing this must therefore be made available to them.
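The deletion rule above can be expressed as a small decision function run by a scheduled job. This is an added sketch, not part of the original article; the 730-day inactivity limit, the 30-day notice period and the field names are assumptions.

```python
# Added example: thresholds and field names are assumptions.
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=730)  # assumed retention period
NOTICE_PERIOD = timedelta(days=30)      # assumed delay between notice and deletion


def retention_action(account, now):
    """Return 'keep', 'notify' or 'delete' for one account record."""
    if account.get("erasure_requested"):
        return "delete"              # the user's own request is honoured at once
    notified = account.get("notified_at")
    if notified and account["last_active"] > notified:
        notified = None              # user came back after the notice: start over
    if now - account["last_active"] < INACTIVITY_LIMIT:
        return "keep"
    if notified is None:
        return "notify"              # never delete without telling the user first
    if now - notified >= NOTICE_PERIOD:
        return "delete"
    return "keep"                    # notice sent, waiting period still running


def plan_retention(accounts, now):
    """Group account ids by the action the scheduled job must take."""
    plan = {"notify": [], "delete": []}
    for account in accounts:
        action = retention_action(account, now)
        if action != "keep":
            plan[action].append(account["id"])
    return plan


# Constructed sample records (not real data).
D = datetime
NOW = D(2024, 12, 10)
SAMPLE = [
    {"id": "a1", "last_active": D(2024, 11, 1)},
    {"id": "a2", "last_active": D(2022, 1, 1)},
    {"id": "a3", "last_active": D(2022, 1, 1), "notified_at": D(2024, 11, 1)},
    {"id": "a4", "last_active": D(2022, 1, 1), "notified_at": D(2024, 12, 1)},
    {"id": "a5", "last_active": D(2024, 12, 5), "erasure_requested": True},
    {"id": "a6", "last_active": D(2022, 6, 1), "notified_at": D(2021, 1, 1)},
]

if __name__ == "__main__":
    print(plan_retention(SAMPLE, NOW))
```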



How to manage data sharing between users?
Some platforms, such as social networks or review sites, allow information to be shared with other members of the community. Their operation must include fine-grained sharing settings, and these must always default to prohibiting the sharing of data. It is up to the user to deliberately choose what type of information they want to share and with what category of people.
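The following added sketch (not from the original article) ties together two rules stated above: sharing is off by default, and an update must keep the privacy settings the user chose. The setting names, audience categories and schema versions are hypothetical, and the audiences are assumed to be nested (contacts within members within public).

```python
# Added example: setting names, audiences and schema versions are hypothetical.
from enum import IntEnum


class Audience(IntEnum):
    """Who may see a field, ordered from most to least restrictive."""
    NOBODY = 0
    CONTACTS = 1
    MEMBERS = 2
    PUBLIC = 3


# Fields with a sharing setting in each release of the platform.
SCHEMA_V1 = ("email", "reviews")
SCHEMA_V2 = ("email", "reviews", "location")   # the update introduces "location"


def default_settings(schema):
    """Privacy by Default: every setting starts at the strictest value."""
    return {name: Audience.NOBODY for name in schema}


def migrate(stored, new_schema):
    """Carry settings across an update without ever widening exposure."""
    migrated = {}
    for name in new_schema:
        if name in stored:
            migrated[name] = Audience(stored[name])   # the user's choice survives
        else:
            migrated[name] = Audience.NOBODY          # new feature: sharing stays off
    return migrated


def may_view(settings, field, viewer):
    """Default deny: unknown or unset fields are shared with nobody."""
    allowed = settings.get(field, Audience.NOBODY)
    return Audience.NOBODY < viewer <= allowed


if __name__ == "__main__":
    settings = default_settings(SCHEMA_V1)
    settings["reviews"] = Audience.MEMBERS            # deliberate opt-in by the user
    settings = migrate(settings, SCHEMA_V2)
    print(settings)
    print(may_view(settings, "reviews", Audience.CONTACTS))   # True
    print(may_view(settings, "location", Audience.CONTACTS))  # False
```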



Data and consent
To carry out certain operations, you will need to set up a procedure for requesting authorization from the user. This is the case for data transfers to a third party: to enable them to make an informed decision, you must explain to them to which organization the information will be transmitted and for what purpose.

The same applies to the cross-referencing of information with external sources. In addition, if this operation results in the classification of the user's profile, followed by specific and automatic decisions concerning him, you must inform him and obtain his consent. Be aware that he has the right at any time to contest the choices made.



Using PETS or Privacy Enhancing Technologies
Finally, consider including PETS in your platform from the design stage. These tools integrate directly into your online services and allow users to control their data at all levels of use: anonymization, sharing management, deletion of unnecessary data, etc.