Assessing Privacy by Design
Organizations designing and maturing their data privacy/protection programs will inevitably encounter Privacy by Design ("PbD"), a critical element of that journey. Understanding the components of PbD, and how the major legal and certification frameworks assess it, not only aids in implementing PbD but also helps an organization achieve conformity with those frameworks more smoothly.
Most certification and governance schemes (such as ISO/IEC 27701, SOC 2, and the EU’s General Data Protection Regulation, or “GDPR”) incorporate PbD as a key component of their review of any system handling personal data. But how do these schemes really assess PbD? And which would best suit your organization?
Elements of Privacy by Design
Dr. Ann Cavoukian developed the PbD framework, eventually formalizing it in her 2009 paper, “Privacy by Design: The 7 Foundational Principles.” These seven principles aren’t limited to technical measures; they encompass IT (software, data-processing, business apps, etc.), business practices, and network infrastructure (e.g., physical and logical network architecture, etc.). They include (paraphrased):
- Be proactive and preventative
- Make privacy the default setting
- Embed privacy within the design (not as an afterthought)
- Make privacy positive sum, not a tradeoff
- Ensure full-lifecycle data security
- Provide visibility and transparency
- Respect user-centricity
PbD’s goal is to “shift privacy left,” moving it earlier in the development cycle, instead of patching privacy components on at the end.
PbD has been incorporated as a control/requirement in many frameworks. As Coalfire partners with organizations to assess and audit conformance with these standards, understanding how PbD is evaluated helps ensure a compliant and effective implementation of PbD principles, and ultimately a stronger privacy program. Here we take a high-level look at some of the most common: the GDPR, SOC 2, and ISO/IEC 27701 (as an extension of 27001).
The GDPR & Privacy by Design
As a legal framework, the GDPR goes further in assessing PbD than any other framework discussed here. It considers PbD both at the architectural layer (during system/process design) and at the operational layer (during the actual data processing).
For example, at the architectural layer, the GDPR requires a determination of both technical and organizational data-protection measures at the time the means of processing are being considered. In other words, these protective measures must be included in the planning and design stages (meeting Cavoukian’s proactive and embedding principles). This may include omitting personal-data columns in a schema not needed by the particular processing or setting system-enforced data retention limits as the default.
The GDPR addresses PbD on the operational layer, through the full data lifecycle (from collection through deletion), by ensuring accurate records of processing are maintained, security measures are in place, and processing transparency is timely and accurate (meeting Cavoukian’s full-lifecycle data security, transparency, and respect for user-centricity principles).
Along these lines, when assessing conformity with the GDPR, there are at least three items for which Coalfire seeks evidence:
- Policies & procedures directing those involved in the design, development, and implementation of processing (from marketing to app development) to consider organizational and technical safeguards to protect the rights and freedoms of data subjects;
- Planning materials, design specifications, and implemented measures which minimize processing, including the volumes and types of data, extent of processing, and retention; and
- Organizational and technical measures that limit access to personal data to the minimum necessary number of persons (essentially following the principle of least privilege).
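The design-stage measures described above (dropping personal-data fields a given processing does not need, system-enforced retention limits as the default, and access limited to the minimum set of people) can be made concrete in code. The following is an added example written for this article, not code from Coalfire or from any of the frameworks discussed; the processing purposes, roles, field names, retention periods and sample record are all constructed assumptions chosen only to illustrate the three evidence items.

```python
"""Privacy-by-Design defaults as code (illustrative, constructed example).

Demonstrates three GDPR design-stage measures:
  1. data minimization: only the fields a declared purpose needs are stored;
  2. retention by default: records expire on a system-enforced schedule;
  3. least privilege: roles are granted purposes, not raw access to data.
All purposes, roles, fields and periods below are assumptions for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Each processing purpose declares the personal-data fields it actually needs
# and its default retention period. Anything not listed is never stored.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "shipping_address", "email"},
                         "retention": timedelta(days=365)},
    "newsletter":       {"fields": {"email"},
                         "retention": timedelta(days=730)},
}

# Least privilege: a role is granted purposes, and may only read records
# collected for those purposes.
ROLE_PURPOSES = {
    "warehouse": {"order_fulfilment"},
    "marketing": {"newsletter"},
}


@dataclass
class StoredRecord:
    purpose: str
    data: dict
    collected_at: datetime


def minimize(raw: dict, purpose: str) -> dict:
    """Keep only the fields the declared purpose needs.

    An undeclared purpose is rejected outright rather than falling back to
    'store everything', so the privacy-protective behaviour is the default.
    """
    spec = PURPOSES.get(purpose)
    if spec is None:
        raise ValueError(f"undeclared processing purpose: {purpose!r}")
    return {k: v for k, v in raw.items() if k in spec["fields"]}


def store(raw: dict, purpose: str, collected_at: datetime) -> StoredRecord:
    """Minimization is applied on write, at design time, not as an afterthought."""
    return StoredRecord(purpose, minimize(raw, purpose), collected_at)


def purge_expired(records: list, now: datetime) -> list:
    """System-enforced retention: drop records older than their purpose's limit."""
    return [r for r in records
            if now - r.collected_at <= PURPOSES[r.purpose]["retention"]]


def read(role: str, record: StoredRecord) -> dict:
    """Least privilege: deny unless the role was granted the record's purpose."""
    if record.purpose not in ROLE_PURPOSES.get(role, set()):
        raise PermissionError(
            f"role {role!r} is not granted purpose {record.purpose!r}")
    return dict(record.data)


def demo() -> dict:
    """Run the three checks on a constructed record; returns a summary."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    # Constructed sample input: a form that over-collects personal data.
    raw = {"name": "Ada", "email": "ada@example.test",
           "shipping_address": "1 Main St", "date_of_birth": "1990-01-01",
           "phone": "555-0100"}
    order = store(raw, "order_fulfilment", now - timedelta(days=300))
    news = store(raw, "newsletter", now - timedelta(days=800))
    kept = purge_expired([order, news], now)
    try:
        read("warehouse", news)
        denied = False
    except PermissionError:
        denied = True
    return {"order_fields": sorted(order.data),
            "newsletter_fields": sorted(news.data),
            "records_after_purge": len(kept),
            "cross_purpose_read_denied": denied}


if __name__ == "__main__":
    print(demo())
```

Each function maps to one of the three evidence items: `minimize`/`store` are the design specification that limits the types of data processed, `purge_expired` is the default retention limit, and `read` is the organizational/technical measure restricting personal data to the roles that need it.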
Outside of IT/network PbD requirements, the GDPR requires data protection impact assessments (“DPIAs”) when processing presents a high risk to the rights and freedoms of data subjects. The assessment requires an analysis of safeguards in place (i.e., design choices) to reduce the risk. The absence of a DPIA with the required analyses in light of such processing would be a significant gap in a GDPR conformity assessment.
It should be noted, however, that while GDPR conformity assessments generally reflect a contextual, risk-based approach that encompasses well-respected privacy principles, such an assessment is specific to that legal/regulatory requirement (i.e., compliance with EU law).
SOC 2 & Privacy by Design
SOC 2 is one of the most common cybersecurity certification assessments. Assessments may vary, depending upon which Trust Services Categories (“TSC”) are included (beyond the mandatory Security TSC). Scoping decisions also determine which specific environments, applications or business units are included.
The Security TSC touches upon the PbD principle of full-lifecycle security. To more fully assess PbD, organizations may opt to include the Privacy TSC, which goes into significantly more depth.
When the Privacy TSC is in scope, controls still focus predominantly on the operational layer, more on data management than design (such as personal-data collection, use, retention, and security controls). SOC 2 does not overtly address the “design” component of PbD from a technical / architectural point of view, though the requirement of implementing privacy data-management controls arguably constitutes “system design” to some degree.
Accordingly, assessing SOC 2 privacy controls includes review of policies requiring and defining these controls, as well as review of artifacts, logs, and other evidence reflecting both the implementation and effectiveness of these process-based controls.
Organizations already committed to achieving SOC 2 certification that would find value in adding the Privacy TSC include those who process personal data primarily in a B2B (rather than consumer-facing) context, especially in the healthcare and financial sectors.
ISO/IEC 27701 & Privacy by Design
In terms of an actual control framework, few others address PbD to the extent of ISO/IEC 27701. Designed as an extension of ISO/IEC 27001, ISO/IEC 27701 adds a Privacy Information Management System (“PIMS”) component to 27001’s Information Security Management System (“ISMS”). Although 27701 was explicitly designed to support GDPR compliance, the two differ in reach: the GDPR focuses on compliance with that regulation, whereas 27701 is a more broadly applicable risk-management framework.
Those familiar with 27001 will recognize the structure and form of 27701. In fact, several controls from 27001 carry over with privacy-specific enhancements (e.g., a 27001 asset inventory is enhanced to identify personal data within that inventory). In addition, 27701 includes several of its own privacy-specific control groups. Similar to the GDPR, the ISO/IEC standard acknowledges different responsibilities for controllers and processors.
PbD is a significant consideration in 27701. Control A.8.2.5 requires privacy be considered and integrated into system design. Other controls require policies and practices that embed privacy into the design and operation of the product or service. Certain controls require privacy to be the default setting, while others require risk assessments at the design and planning stages.
Similar to a SOC 2 audit, Coalfire assesses these controls first through review of the relevant policies and procedures addressing the substance of the controls, and then by testing evidence of actual compliance with them.
As noted, these standards align to the GDPR, but there are significant differences. First, 27701 requires evidence of the PIMS itself (including policies, roles, and responsibilities), which is not a concept included in the GDPR. Also, like similar ISO/IEC frameworks, assessing 27701 requires evidence of continuous improvement and maturity, while GDPR focuses more on binary, point-in-time compliance. Finally, similar to SOC 2, the scope of a 27701 PIMS must be clearly defined; it may be organization-wide or may be narrowed to address particular processes, products, or business units.
The decision to pursue 27701 certification primarily turns on whether the organization already holds or is pursuing a 27001 certification, of which 27701 is a logical extension. Beyond that, organizations operating across multiple jurisdictions and privacy regimes (such as the GDPR, US sectoral/state legislation, and regimes in Oceania and Asia) might benefit from an international, auditable framework like 27701 (adding a GDPR assessment would then be a relatively light lift). It also assists in maturing and scaling the PIMS (including PbD) and in building continuous improvement into your privacy program, aligning well with Cavoukian’s proactive and preventative PbD principle.
* * *
Privacy by Design isn’t just a “best practice”; it is a fundamental requirement across many different privacy frameworks. Effective PbD begins with embedding privacy controls early; these frameworks merely review how well they were implemented. Coalfire’s data-privacy experts partner with organizations at all stages of their privacy journeys, from assisting with assessment and implementation of PbD principles, to finding the framework which best demonstrates your PbD in a meaningful and efficient way. From initial design to formal assessments, we ensure your privacy investments deliver confident compliance and a trustworthy, mature privacy program.