The European Union’s General Data Protection Regulation (GDPR) will change the way organizations across the globe handle personal information by enforcing strict rules on how that information is collected, handled, and processed. The regulation becomes enforceable on May 25, 2018, after which infractions will incur hefty fines, so GDPR compliance is critical and companies need to respond quickly.

Article 25 has posed particularly difficult challenges for organizations when it comes to business agility. Titled “Data protection by design and by default,” Article 25 requires controllers to build appropriate technical and organizational measures (pseudonymization and data minimization are the examples it names) into the development and operation of software that processes personal data. In short, Article 25 outlines controls that organizations must build into any system that processes personal data so that, by default, only the data necessary for each specific purpose is processed and privacy is the system’s default state.

Companies want to build systems quickly in order to meet their business needs, and they typically rely on privacy impact assessments (PIAs, which GDPR Article 35 formalizes as data protection impact assessments, or DPIAs) to satisfy the kinds of requirements outlined in Article 25. Unfortunately, PIAs are constrained by the number of privacy experts on staff, and this imposes limits on scalability. This might not be an issue for small companies, which might have one privacy officer on staff who can handle all of the PIA work without slowing down system development. For larger companies, it is much harder.

Large enterprise organizations are unlikely to have enough privacy talent to conduct the necessary PIAs, and this creates a critical bottleneck. It inevitably leads these organizations to take a risk-based approach and focus their privacy talent on their most critical systems. Many other systems wind up without any privacy by design at all.

In order to meet stringent and elaborate regulations like GDPR Article 25, companies need to design a scalable process that doesn't hinge on the expertise of a small number of experts to serve each application. One solution is to adopt a “two-tier” support model.

In the first tier, organizations compile a general knowledge base of “privacy by design” controls with actionable advice targeted at system developers and operators—recommendations like, “Ask for consent before setting a cookie.” In order to be meaningful, end users should be able to filter the knowledge base to look only at content that is applicable to their current project.

Additionally, the content from the knowledge base should plug directly into development team backlogs so that each control can be tracked and audited. This both maintains speed and provides proof that data protection was baked into the design. Finally, each privacy control should also carry verification instructions, so users can validate whether or not the control has actually been met.

The second tier covers the less common controls not contained in the knowledge base, and the organization’s most critical systems. Privacy experts can focus on these, concentrating their effort on the more complex tasks that are worthy of their attention and time. Should any of these controls become common, the experts add them to the tier-one knowledge base.
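To make the two-tier model concrete, here is a small Python model of it. This is an added example written for this article, not Security Compass code or any ASRTM product; the control texts, the project attributes and the sample project profile are all constructed for illustration. It shows tier one (filter a knowledge base of controls down to those that apply to a project, emit them as backlog items with verification steps, and record an audit trail) and tier two (any project attribute the knowledge base does not cover is escalated to the privacy experts).

```python
"""Toy model of a two-tier privacy-by-design control process.

Hypothetical example for this article, not vendor or product code.
Every control, attribute and project profile below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One tier-one knowledge-base entry: actionable advice plus how to verify it."""
    control_id: str
    advice: str
    verification: str
    requires: frozenset  # project attributes that must all hold for the control to apply


# Constructed tier-one knowledge base. In practice this content comes from the
# application security vendor and/or the organization's own privacy experts.
KNOWLEDGE_BASE = (
    Control("PBD-001",
            "Ask for consent before setting a non-essential cookie.",
            "Load the site in a fresh browser; confirm no non-essential cookie exists before consent.",
            frozenset({"uses_cookies"})),
    Control("PBD-002",
            "Collect only the fields needed for the stated purpose (data minimisation).",
            "Map every personal-data field in the data model to a documented purpose.",
            frozenset({"collects_personal_data"})),
    Control("PBD-003",
            "Pseudonymise personal data before it reaches the analytics store.",
            "Query the analytics store; confirm direct identifiers are absent or tokenised.",
            frozenset({"collects_personal_data", "analytics"})),
    Control("PBD-004",
            "Provide a self-service export so users can exercise their right of access.",
            "Run an export for a test account; confirm it contains all personal data held.",
            frozenset({"collects_personal_data", "user_accounts"})),
)

# Every attribute the knowledge base knows how to handle. Anything a project
# declares outside this set has no tier-one control and must go to an expert.
COVERED_ATTRIBUTES = frozenset().union(*(c.requires for c in KNOWLEDGE_BASE))


def select_controls(profile: frozenset, kb=KNOWLEDGE_BASE) -> list:
    """Tier one: keep only the controls whose trigger attributes the project has."""
    return [c for c in kb if c.requires <= profile]


def tier_two_escalations(profile: frozenset) -> set:
    """Tier two: project attributes no knowledge-base control covers."""
    return set(profile - COVERED_ATTRIBUTES)


def to_backlog(profile: frozenset) -> list:
    """Turn the applicable controls into backlog items with a trackable status."""
    return [{"id": c.control_id, "title": c.advice,
             "verify": c.verification, "status": "open"}
            for c in select_controls(profile)]


def audit(backlog: list, verified_ids: set) -> dict:
    """Mark verified items and summarise; the returned dict is the evidence trail."""
    for item in backlog:
        if item["id"] in verified_ids:
            item["status"] = "verified"
    verified = sum(1 for i in backlog if i["status"] == "verified")
    return {"total": len(backlog), "verified": verified,
            "open": len(backlog) - verified, "complete": verified == len(backlog)}


if __name__ == "__main__":
    # Constructed project: a web app with accounts and cookies that also handles
    # biometric data, which this toy knowledge base has no control for.
    project = frozenset({"uses_cookies", "collects_personal_data",
                         "user_accounts", "biometrics"})
    items = to_backlog(project)
    for item in items:
        print(f'{item["id"]}: {item["title"]}\n    verify: {item["verify"]}')
    print("escalate to privacy experts:", tier_two_escalations(project))
    print("audit:", audit(items, {"PBD-001"}))
```

The filter is deliberately a subset test on attributes rather than free text, which is what lets a developer scope the knowledge base to one project without reading all of it; the escalation set is what tells the privacy team where their time is needed.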

At the lowest-tech end of the spectrum, companies can build the tier-one knowledge base in an Excel sheet with customized filters. For large organizations, however, this is inefficient, tedious and unreliable, especially with GDPR raising the consequences of error.

A more robust and scalable solution is to embrace an Application Security Requirements and Threat Management (ASRTM) methodology. Gartner defines ASRTM as being “used for automating security requirements definition, risk assessment and threat modeling, often with Software Development Lifecycle (SDLC) integration.”

ASRTM takes the two-tier approach described above and automates its critical functions while integrating smoothly into an organization’s development processes. The content for the control knowledge base can be supplied by your application security vendor and/or built and customized in-house by the organization’s privacy experts. ASRTM best practice calls for integration with application lifecycle management (ALM) tools, giving developers immediate, easy-to-deploy instructions for building security into applications. It also produces an auditable trail to prove GDPR compliance. The result is compliance with GDPR’s stringent privacy standards without sacrificing business-wide agility.

ASRTM has uses well beyond GDPR and data privacy. The same process and steps outlined above apply to numerous other compliance standards and initiatives, as well as to general cybersecurity best practices. A single set of tooling for privacy, compliance, application and network security reduces process overhead for developers, lets them focus on building software, and speeds up the pace of the whole organization without sacrificing security.

Rohit Sethi

Rohit Sethi is chief operations officer at the Toronto-based information security company Security Compass.