Software development with Data Protection by Design and by Default Flashcards

1
Q

Why did the Norwegian Data Protection Authority develop Data Protection guidelines?

A

To help organizations understand and comply with the requirement of data protection by design and by default in Article 25 of the General Data Protection Regulation.

2
Q

Who should use the Privacy By Design guidelines?

A

1) developers
2) software architects
3) project managers
4) testers
5) data protection officers
6) security advisors

3
Q

Everybody who develops and contributes to the development of software containing or processing personal data.

A

s

4
Q

Data Protection by Design development begins with an idea of creating a product that will help to simplify or improve the quality of a process or task. There are functional requirements for how the software should solve the task.

A

Software development should follow a methodology with key activities to ensure that the final product is robust.

5
Q

What are some frameworks that assist with Data Protection by Design?

A

1) Microsoft Security Development Lifecycle (SDL),
2) Secure Software Development Lifecycle (S-SDLC), and
3) ENISA: Privacy and Data Protection by Design

6
Q

What are the important processes in Data Protection by Design?

A

Translating policy into engineering: how to incorporate
1) data protection principles,
2) data subject rights, and
3) the requirements of the GDPR
into every step of the process.

7
Q

Is the scope of your organization’s control over employees’ mobile devices consistent with the organization’s interest?

A

Organizations should think about how much interest they have in knowing about their employees’ mobile devices.
The company’s legitimate interest in information can be the basis from which a BYOD policy emerges.
For example, if the organization simply wants to allow an employee to access work email on a mobile device, then the policies and restrictions should proceed with that focus.

8
Q

To what extent and for what purpose does the organization monitor employees’ use of mobile devices?

A

Many servers create logs showing when an employee’s device accessed the organization’s server using certain authentication credentials. As security measures, such logs are often appropriate. To the extent that the organization wants to monitor more substantive actions by an employee on a mobile device, such monitoring should be in line with an appropriate purpose.

9
Q

What procedures are in place to restrict the transfer of data from the organization’s network by way of the mobile device?

A

Organizations often protect against the risk that the organization’s data will be “floating” on multiple devices by

(a) limiting the types of data accessible to mobile devices (e.g., email) and
(b) restricting, to the extent possible, how that data can be used on the mobile device (e.g., policies on copying and requiring certain security settings).

10
Q

For security purposes, does the organization require a minimum version of the operating system to be in place, and for that version to be fully patched, before an employee can use a mobile device?

A

Minimum versions ensure that certain security protections and bug fixes are present on the device.

11
Q

Can data on a mobile device be remotely wiped? By whom?

A

A best practice for devices that contain confidential or sensitive organization information is to ensure that the data can be remotely deleted from the device by the organization if, for example, the device is stolen or the employee is terminated. This may be relatively easy for some organizations. For example, sandboxed applications that permit employees to access email on the company’s server – but do not store or cache data locally – can typically be deactivated relatively easily and in a manner that does not allow an unauthorized person who may possess the mobile device to gain any access to the company’s system. To the extent that an employee was permitted to locally store work-related data (e.g., cache work emails locally, or download attachments), an employer should consider whether it has the right, and the technical means, to remotely wipe the entire device.

12
Q

What procedure is in place for an employee to report a missing mobile device?

A

Accidents happen to everyone, but their aftermath can determine whether they become catastrophes. Employees should report a missing device to someone – perhaps the IT department or help desk – so that the organization’s device removal policy can be followed.

13
Q

What steps does the organization take to disseminate its mobile device policies?

A

Organizations often rely on their IT staff, self-help materials, and employee certifications to ensure (a) employee awareness of the organization policies and (b) enforcement of organization policies.

14
Q

Do the security measures in place match the sensitivity of the data accessed through the mobile device?

A

For employees who receive non-sensitive information, minimal restrictions may be appropriate. For employees who receive sensitive or confidential information, higher restrictions may be appropriate.

15
Q

Does your BYOD policy facilitate a wage and hour dispute?

A

Although BYOD programs are widely lauded for increased productivity and “off-the-clock” accessibility, this benefit can expose employers to potential wage-and-hour issues if the BYOD user is a nonexempt employee. If a nonexempt employee is permitted to use a mobile device for work-related purposes after working hours, is there a policy that mandates that the employee must report the time that he or she worked? Is there an effective and efficient means for the employee to report such time?

16
Q

Does the BYOD policy expose the company to additional discovery costs?

A

In the event that the organization is involved in litigation or a government investigation, it could receive a request that the company review its electronic files for evidence that may be relevant to the case. In some situations, a BYOD policy may expose the employee’s personal information – e.g., texts, images, emails, and files – to potential disclosure in the litigation. This is particularly true if, pursuant to the BYOD policy, the employee is instructed to use native communication systems on their personal device, for example if the employee routinely texts clients or other employees from their mobile device. If the employee has not taken care to preserve relevant information – particularly after an investigation or a lawsuit is initiated – it could lead to allegations of evidence spoliation against the company.

17
Q

What to think about when reviewing your website:

A
  1. Does your website ask children to provide information?
  2. If not, does your website automatically collect information about a child’s computer or session?
  3. Would your website appeal to children?
  4. Has the FTC received complaints about your website? If so, how many and what issues were raised in the complaints?
  5. Does your website ask for parents’ permission to collect information about children?
  6. Does your website verify that the parent is the actual parent of a child?
  7. Has the verification mechanism been approved by the FTC?
  8. Does your website’s privacy policy comply with COPPA?
  9. Can you limit liability by joining an FTC approved self-regulatory organization (sometimes called a “safe harbor” program)?
  10. Which safe harbor program provides the most benefit to your organization?
18
Q

In order to understand the impact of the Top Violators Report on your organization, you should consider asking the following questions:

A
  1. Is your organization identified on the current Top Violators Report? Has your organization ever been identified on a Top Violators Report? If you are not listed on the Top Violators Report, how close is your organization’s complaint volume to those organizations that are on the list?
  2. Are competitors in your industry identified on the Top Violators Report? If so, if the FTC initiated an investigation of your competitor what impact (if any) would that have on your organization?
  3. Are companies which provide service to your organization on the Top Violators Report? If so, do the complaints filed against those service providers suggest legal compliance issues which may put your organization at risk?
  4. Are clients of your organization on the Top Violators Report? If so, if an FTC investigation were to be initiated against your client, could it have a negative impact on your organization?
  5. Do you have a system in place to quickly identify any pertinent changes to the Top Violators Report?
19
Q

What you should think about when deciding whether to conduct a data map or a data inventory:

A
  1. Which departments within your organization are most likely to have data?
  2. Who within each department would you need to speak with to find out what data exists?
  3. Is it more efficient to send the relevant people a questionnaire or to speak with them directly? What is the best way to receive information from each person in the organization that collects data so that the information provided can be organized and sorted with information received from others?
  4. What information should you collect about the personal data within your organization? For example, is it enough to know where the data is, and who is responsible for it, or should you collect the reason why your organization has the data, how long it is kept, where it is systematically transferred to, and the type of security applied to the data?
  5. Is your data map intended to be an inventory (i.e., a description of data at rest), or is it intended to provide dynamic information (i.e., a description of how data moves within and outside of your organization)?
  6. Which stakeholders in your organization may have an interest in the outcome of your data map? For example, are there uses that a privacy officer, an information security officer, or a chief information officer, may have in the outcome of the project?
20
Q

What you should think about when deciding whether to conduct a data map or a data inventory:

A
  1. Do you have sufficient internal resources to conduct the data map? If not, do you have access to external resources with experience in conducting such exercises?
  2. Is your data map going to inventory data that crosses national boundaries? If so, do you want your map to also account for what (if any) legal compliance strategies are being used to facilitate such transfers?
  3. If your data inventory is going to examine the retention schedule (if any) applied to the data, are you going to rely on self-reported retention periods or are you going to verify actual retention periods?
  4. Do you intend to use the outcome of your data inventory to demonstrate compliance with any specific legal requirements? For example, if your organization is subject to the European Union General Data Protection Regulation do you intend for your data map to satisfy your obligations to demonstrate that your organization applies data minimization and has a permissible purpose for its data processing?
21
Q

Some organizations use sandboxed applications for accessing work-related email. Such apps open email in a program that is

A

separate and apart from the native email system that is built into the device, and they control aspects of the user’s experience.

22
Q

Employers may

A

restrict the user from locally saving any emails or attachments to the user’s device.