Compliance: using Privacy By Design to reduce cyber security risk
I have previously written articles on cyber risk in the construction industry: on the GDPR, cyber crime and ISO27001, and data loss and risk management. Many other articles have touched on issues linked to this area, such as Building Information Modelling, ethics, the project manager role, and project and contract management.
All articles are available to read on this website and my LinkedIn page.
In the face of sobering news about the double whammy of cyber crime and the advent of GDPR in May 2018, the construction industry can help itself by considering two tools: ISO27001 (see previous article) and Privacy by Design (PBD).
Privacy by design: what is it?
“Privacy by design” is a concept dating back about 15 years. It originated in Canada (which has extensive privacy laws – see the reference to CASL in the previous article) and has gained popularity in the UK over the past 5 years.
What are its main objectives?
PBD refers to embedding privacy principles in the operation of an organisation’s systems and policies.
PBD aims to achieve the following corporate and individual benefits:
· Corporate – to reduce the costs associated with tackling a data breach; and
· Individual – to reduce the impact on individuals affected by a data breach. Ref: ICO website.
The UK government has implemented a Data Science Ethical Framework to help businesses develop policy in a manner which properly assesses the risks and benefits of using personal data. The Framework comprises guidelines which organisations should use when setting up their internal systems for the use and processing of individuals’ data. Its basic principles include an obligation to use data only in ways that benefit the public, and to be sensitive to individual and public perceptions of data processing. The Framework also calls for data processing systems that do not intrude upon the individual’s right to privacy, and for taking all necessary precautions to prevent data breaches from occurring.
Organisations can undertake a “Privacy Impact Assessment” (PIA) to identify privacy risks and then make a plan to mitigate them. A PIA should reduce the likelihood of individuals being harmed by the misuse of their personal information.
Compliance and collaboration
Implementing PBD principles will help your organisation comply with GDPR, as well as raise awareness throughout your organisation of the importance of privacy and data protection. Corporate awareness encourages communication and challenges poor practices. This collaborative approach will result in a more effective system for processing personal information.
A few tips on “privacy by design”
The UK’s thought-leadership publication for the IT industry, Computing (computing.co.uk), has published a very useful user-guide to PBD.
Here are some of my key takeaways:
· Don’t let your organisation be in reactive mode. Prepare for, and anticipate, a cyber breach. Statistically, it will happen sooner rather than later!
· Make privacy the default setting in internet and network browsers.
· Embed the concept of privacy protection within the organisation’s framework and business practices.
· Manage, organise and administer personal data using privacy principles.
· Maintain visibility and transparency of the personal data held by the organisation.
· Implement measures so the individual user has control over his/her data.
What is the uptake of “privacy by design”?
PBD is in its infancy, but interest is growing. It turns on its head the assumption that data is a free commodity to be used and abused as desired. Current laws and practices address data which has already been processed; PBD questions whether the data should be processed in the first place. I am excited by the prospect of more construction sector businesses committing to PBD. I believe that GDPR will drive take-up of PBD within the EU, but its global reach will encourage PBD further afield.