Criteria 6

Privacy & security by design & default

When the company develops products and services, applying the principles of privacy & security by design & default (PbD & SbD) is of great importance for trust in the company. The goal is to create secure products and services and to protect users’ privacy and personal information in the best possible manner.

6.1 Assessment

To work with Privacy & Security by Design, the company has to make an initial assessment of the risks and needs to be considered. Once the company has established this, it has to choose the Privacy by Design strategy or strategies (6.2.1 – 6.2.3) that can be usefully applied and the level of security to be incorporated into the design of the solution.

6.1.1 Risk assessment
6.1.2 Assess the level of privacy and security

6.2 Privacy by design & default

Privacy by Design (PbD) means that the company thinks about and builds data protection and privacy safeguards into products and services from the earliest stages of development and throughout their lifecycle.
Source: ENISA

Embedding personal data protection into its activities will allow the company to work proactively on the risks associated with its processing of personal data, rather than simply reacting when an event actually occurs.
Source: White Paper on Data Ethics

The aim is to ensure that the company’s products and services protect users’ privacy and personal data from the moment they are deployed.

6.2.1 Minimise and limit
6.2.2 Separate and hide
6.2.3 Aggregate
6.2.4 Privacy by default (in-built protection of personal data)
6.2.5 Full functionality and protection of personal data

6.3 Security by design & default

The basic principle behind Security by Design (SbD) is that security should be considered and built into products and services from the earliest stages of development and throughout their lifecycle.

The aim is to ensure that the company’s products and services are secure from the moment they are deployed.

6.3.1 Minimise attack surface area
6.3.2 Establish secure defaults
6.3.3 Implement The Principle of Least Privilege (POLP)
6.3.4 Review of own and third-party code

6.4 Implementation throughout the development lifecycle

The company shall ensure that requirements for PbD and SbD are incorporated into its development of products and services.

6.4.1 Implementation through the development lifecycle

