Data protection by design: The new standard
If you’ve built a new website in the last few years, you might have heard of the concept “mobile first,” which encourages you to design a website first for mobile devices and scale up for desktop screens.
In contrast, many people before would design a complex desktop site and try to scale it down for a mobile device, which often resulted in a poor user experience. The new concept enabled designers and developers to build better, mobile-friendly websites.
Just like we adapted to a mobile-first world years back, we (as in anyone who creates or owns websites) will have to adapt to new data protection policies. In less than a year, the European Union will enact their General Data Protection Regulations, or GDPR, that affect any site gathering information from users in the EU. So today, the EU encourages businesses to take a “Data-Protection-By-Design” approach when creating new websites that can be accessed by EU citizens.
This approach involves making data-protection considerations from the start of design and development. It should be a core focus of your new ventures.
The user experience should include functions that gather explicit consent for data collection from users. The users should also be able to easily access, modify or remove the data that you are collecting.
If you already have existing sites or services, and they do not yet comply with the GDPR, you’re not alone. You’ll need to perform a data assessment on said software and take steps to resolve any issues you may find.
- Identify areas of risk. Does the software explicitly require the user to consent to data collection? Does it prove that consent was given? Can consent be withdrawn? Can data be breached from your system?
- Design solutions for averting the areas of risk. The EU has not yet made clear their enforcement efforts, but when a single violation can cost 4% of a company’s annual global turnover or €20 million (whichever is higher), precautionary measures are worth the investment.
- Discover and classify all the types of data that is being collected. Data around name, location, ethnicity and more are all considered protected.
- Implement controller/processor governance to track where data is processed. Create a thorough audit trail for the data. You must be able to prove that you received explicit consent to collect the data.
- Monitor data breaches and notify, if needed. If the data is obscured/encrypted, then notification of a breach is not required. If the data is plain text, then notice of the breach must be given to data protection authorities within 72 hours.
Don’t feel like you need to resolve the new requirements alone. There are many consultants and services out there to help businesses comply. It may be wise to consult with legal, design and IT experts to ensure your bases are covered. This is an issue facing many global companies, but by adopting data protection policies today, you will be in a more secure place tomorrow.