Privacy by design in software development
Main points to consider
Larisa Gabudeanu – ISM – 2019
Overview of topics

1. Correlation with information security issues


2. Personal data definition
3. Legal basis for data processing: initial purpose vs. subsequent purposes
4. Information notices
5. Data subject rights and retention period
6. Controller vs. processor
7. Liability sharing
8. IT security of personal data
9. Profiling and automated decisions
10. Pseudo-anonymized data
11. Privacy by design embedded in the SDLC – risk based approach

1 of 11: Correlation with information security – OWASP Top 10 risk - Sensitive data exposure

• Examples

o Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and
FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g.
between load balancers, web servers or back-end systems.

o Is sensitive data stored in clear text, including backups?

o Are any old or weak cryptographic algorithms used either by default or in older code?

o Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key
management or rotation missing?

o Is encryption not enforced, e.g. are any user agent (browser) security directives or
headers missing?

o Does the user agent (e.g. app, mail client) not verify if the received server certificate is
valid?

• Technical and business impact

o Access to confidential data and possibility to amend it.

• Legal implications

o Cybersecurity legislation obligations, data protection obligations (security measures, access management, data minimization, need to know principle), commercial liability of IT security, specific regulatory provisions, criminal law angles

1 of 11: Correlation with information security – OWASP Top 10 risk - Insufficient logging and monitoring

• Examples

o Auditable events, such as logins, failed logins, and high-value transactions are not logged.

o Warnings and errors generate no, inadequate, or unclear log messages.

o Logs of applications and APIs are not monitored for suspicious activity.

o Logs are only stored locally.

o Appropriate alerting thresholds and response escalation processes are not in place or effective.

• Technical and business impact

o Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to nearly 100%. In 2016, identifying a breach took an average of 191 days – plenty of time for damage to be inflicted.

• Legal implications

o Cybersecurity legislation obligations, data protection obligations (minimization, access management, security measures, data breach notification), commercial liability of IT security.

1 of 11: Correlation with information security

France

• Lack of security measures for web application that led to personal data (including ID cards) being publicly accessible (real estate company – EUR 400,000)
• Lack of proper authentication method (insurance company – EUR 180,000)

UK

• Issues with security of web application (airline company – EUR 204.6 mil)
• Lack of proper assessment of IT system purchased and lack of implementation of security measures (hotel company – EUR 110.3 mil)

Norway

• Lack of security measures for authentication in mobile application (school – EUR 203,000)
• Lack of proper security measures for authentication (local authority – EUR 170,000)

Italy

• Lack of proper security measures on a web application of a data processor (online voting platform – EUR 50,000)

The Netherlands

• Lack of proper access management implementation (hospital – EUR 460,000)

Poland

• Lack of security measures implemented (online retail company – EUR 644,000)

Lithuania

• Lack of security measures for web application (payment service provider – EUR 61,500)

1 of 11: Correlation with information security

Bulgaria

• Lack of proper security measures (fiscal authority – EUR 2.6 mil)
• Lack of proper security measures for confidentiality of data, including ID cards and biometric data (bank – EUR 511,000)

Germany

• Lack of proper encryption (social media company – EUR 20,000)

Malta

• Lack of proper security measures on a web application which led to data being publicly available (public authority – EUR 5,000)

Portugal

• Improper access management (hospital – EUR 400,000)

The Czech Republic

• Lack of proper security measures implemented (credit broker – EUR 1,165)

Romania

• Customer transaction data available in clear text on the website (law services company)
• Online accounts not having proper security measures implemented (online retail company)
• Lack of encryption of data at rest (police office)
• Lack of measures to ensure confidentiality and prevent unauthorized disclosure (fiscal authority)
• Lack of proper policies and procedures in place for ensuring confidentiality of data (retail company)

http://www.enforcementtracker.com/

2 of 11: Personal data definition

• any information
o objective data about an individual (such as a client’s job)
o subjective data about an individual (such as a client’s risk rating).

• related to a natural person

o (a) pertaining to an individual (such as the car purchased through a leasing agreement)
o (b) has an influence on or is influenced by an individual (such as the predisposition to certain illness)
o (c) are in the physical or geographical vicinity of an individual or its objects (such as location of merchants where individuals usually shop in the evening, as this may refer indirectly to the home location of the individuals)

• that identifies or makes identifiable a natural person – e.g. groups of individuals

• either through data held by the controller or data that the controller may obtain – not a clearly defined concept

Special types of personal data – article 9 GDPR – e.g. biometrics for identification, health data, criminal records, political views.

2 of 11: Personal data definition

• EXERCISE – identify personal data:


o National ID card
o CNP – unique national identification number
o “students of ISM master programme like coffee”
o Logs of a web application
o IP address
o Cookies
o Predictions of diseases based on health app data
o Primary key in a client database
o First and last name of an individual
o “team lead in the DevOps team in Bank A likes fast cars”
o “Client 123 drinks coffee from the coffee shop on Street X each morning at exactly 8am”
o John Doe likes coffee

2 of 11: Personal data definition

• Personal data – for example: first and last name, email address, IP address, details on a criminal offence, health data, voice
• Processing – collection, analysis, use, storing, archiving, transmitting
• Data subjects – individuals whose data is being processed

• Data processing purpose identification as basis for analysis. Example: internet banking app having multiple data flows – making payments, obtaining loans, shopping in the market place for partner products, obtaining insurance.

3 of 11: Legal basis for data processing
Main types of legal basis usually applicable (other types are listed under article 6 of GDPR):
• Performance of agreement with the data subject (including negotiation phase)
• Legal obligation of the data controller (not of anyone else) – e.g. registration with authorities, reporting
• Legitimate interest of a data controller
• Consent (expressly given, freely given, informed, easily accessible, plain language)

• For subsequent data processing (different purposes), separate analysis should be made.
Examples:
1. data initially processed for usage of travel app used for identifying bugs and improving app;
2. user data used subsequently for marketing towards the users
Compatibility test:
• Similarity between the initial and subsequent purpose
• Reasonable expectation of the data subject with respect to the subsequent purpose
• Types of personal data processed and the consequences of the processing on the data subject
• Measures implemented for preventing negative consequences on data subjects

*Intra-group transfers – analysis of legal basis every time. Including in cases where a company holds IT apps/infrastructure for entire group

4 of 11: Information notices

• Evidence needed for being brought to the attention of the data subject – e.g.
tick boxes saved in the database
• Specific content – articles 13 and 14 of the GDPR
• Easily accessible for users when online (direct access or layered approach)
• Provided before any data processing takes place (with some exemptions)

5 of 11: Data subject rights and retention period

• Focus on right of erasure and right of access – need to implement technical possibilities to address individual’s rights when they file a request in this respect; anonymisation instead of deletion (see Working Party Article 29 opinion on anonymisation on Sakai)
• Data minimisation principle (limitation of types of personal data and of processing period) – in this case limited retention period based on the need to process data
• Implementation of deletion mechanism: automated or manual (correlated with other IT systems)
• Data portability – legacy systems? Redundancy within systems?

5 of 11: Data subject rights – Case study 1/3

• Distinct additional services for data subject request handling

- Implications of providing handling of data subject requests as an additional service for additional fees
- Offering of additional services for best practices in case of investigation of the controller
- Legal obligations of the processor?

5 of 11: Data subject rights – Case study 2/3
• Obligation of co-contractor to assist in responding to data access requests
(e.g. copies of personal data held on behalf of controller)

- Liability in case of lack of cooperation?


- Possibility for a court or authority to impose such cooperation obligation?
- Limitation in terms of fees paid to co-contractor?
- Limited to a certain number of hours of assistance?
- Usefulness of clear contractual provisions?
- Lack of resource of the co-contractor?

5 of 11: Data subject rights – Case study 3/3

• Obligation of co-contractor to cooperate in case of inspection or litigation

- Liability in case of lack of cooperation?


- Possibility for a court or authority to impose such cooperation obligation?
- Limitation in terms of fees paid to co-contractor?
- Limited to a certain number of hours of assistance?
- Usefulness of clear contractual provisions?

6 of 11: Controller vs. processor

Key characteristics

• Controller
o Entity which (alone or together with others); when jointly with others => joint controllers
o Determines the purposes; and
o Determines the means of processing.

• Processor
o Entity processing personal data on behalf of the controller; and
o Acting as per the instructions of the controller.

6 of 11: Controller vs. processor – Case study 1 of 2

• Recruitment agency
- Who establishes the purpose?
- Who sets-out the means?
- Who decides the conditions for data transfer?

6 of 11: Controller vs. processor – Case study 2 of 2

• Web application created together by a travel agency, a hotel and an airline


- Who establishes the purpose?
- Who sets-out the means?
- Who holds the data?
- Who has direct access to the data?

7 of 11: Liability sharing

• Types of potential claims to be brought:


- Penalties from authorities
- Claims from data subjects
- Claims from co-contractors

• Protection against payment of claims:


- Contractual limitation of amount to be paid for liability
- Exclusion of liability in certain specific situations listed in the agreement
- Limitation on costs incurred for assistance to the co-contractor, especially in court proceedings or when addressing data subject requests
- Recital 78 GDPR – detailing the obligation to implement privacy by design

7 of 11: Liability sharing – Case study 1/9

• GPS tracking of car fleet (using third party software off the shelf, with a certain level of maintenance services)

- Who has access to data?
- Who runs the reports?
- Where is the server located?
- Built-in opt-out for employees when off-work?
- Privacy by design obligation for software developer?

7 of 11: Liability sharing – Case study 2/9

• Intra-group transfer of data (e.g. energy sector/financial sector)

- Is the data used for secondary processing purposes? – e.g. marketing activity
- Fulfilment of information obligation towards data subjects?
- Data minimization principle?
- Need to know basis?
- Legal basis for transfer?
- Transfer outside the EU? Cloud services used by sub-contractor? Replication of servers of cloud service provider?

7 of 11: Liability sharing – Case study 3/9

• Interpretation of controller/processor status: a company is mentioned in an agreement to be acting as processor, but decides on the purpose and means of processing independently of its co-contractor

- Interpretation of contractual provisions vs. de facto controller?
- Relevance of contractual provisions in case of de facto controller by reference to legal obligations?

7 of 11: Liability sharing – Case study 4/9

• Limitation of liability clause

- Importance of local legal provision?
- Clause with lack of liability for negligence – applicable?
- Cross-border implications?

7 of 11: Liability sharing – Case study 5/9

• Processor acting without instructions from the controller

- Legal liability?
- Contractual liability?
- Fines from the authority?
- Cross-border implications?
- Claims brought by data subjects against the controller?
- Implications for partial knowledge of the processor of the data processing activity?

7 of 11: Liability sharing – Case study 6/9

• Data processor acting as per the instructions of the data controller, but such instructions are not in compliance with the GDPR (e.g. transfer to US without respecting the conditions set out under the GDPR)

- Legal liability?
- Contractual liability?
- Fines from the authority?
- Cross-border implications?
- Claims brought by data subjects against the controller?

7 of 11: Liability sharing – Case study 7/9

• Bank and insurance company sharing data on common users

- Joint controllers?
- Location / IT system where data is stored?
- Data minimization principle?
- Obtaining of consent of data subject?
- Secondary use of data?

7 of 11: Liability sharing – Case study 8/9
• Use of sub-contractors by the processor

- Requirements if there is a general authorization in the data processing agreement in this respect?
- Need to notify the controller? Need to notify the data subject?
- Requirements for the agreement between the processor and sub-processor?

7 of 11: Liability sharing – Case study 9/9

• Use of processors by the controller receiving data from another controller

- Liability of controller sending the data
- Possibility of the controller sending the data to obtain assistance from the processor of the controller receiving data
- Obligation of controller receiving data to assist controller sending the data

8 of 11: IT security – Case study 1/11

• IT company providing software and network services

- Extent of liability of IT company in case of data breach?
- Possibility of controller to impose specific levels/types of security measures to be implemented by the IT company?

8 of 11: IT security – Case study 2/11

• IT company providing IT security services (the agreement not clear on obligations of each party)

- Extent of liability of IT company in case of data breach?
- Possibility of controller to impose specific levels/types of security measures to be implemented by the IT company?

8 of 11: IT security – Case study 3/11

• IT company providing IT security services (general reference to article 32 in the service agreement)

- Extent of liability of IT company in case of data breach?
- Possibility of controller to impose specific levels/types of security measures to be implemented by the IT company?

8 of 11: IT security – Case study 4/11

• IT company providing IT services (correspondence with client for implementation of additional security measures for a fee; client refuses)

- Extent of liability of IT company in case of data breach?
- Possibility of controller to impose specific levels/types of security measures to be implemented by the IT company?

8 of 11: IT security – Case study 5/11

• IT company providing IT services (correspondence with client for updating of the existing security measures, but the client does not download the update even after receiving the information from the IT company)

- Extent of liability of IT company in case of data breach?
- Possibility of controller to impose specific levels/types of security measures to be implemented by the IT company?

8 of 11: IT security – Case study 6/11

• Specific points for IoT

- Relevance of data location and data access on liability – e.g. manufacturer of car, software of sensor, software of gateway, cloud provider, ISP or implementation company
- Data minimization and need to know principles

8 of 11: IT security – Case study 7/11

• Employee of sub-processor liable for accidental data breach

- Relevance of exposure of data breach (e.g. data sent accidentally to another user, data accessible by the public)?
- Liability shifting between controller, processor and sub-processor?
- Claims made by data subjects or co-contractors?
- Penalties imposed by authorities?

8 of 11: IT security – Case study 8/11

• Controller and processors in different countries

- Different levels of IT security legal obligations for specific industries?
- Cross-border investigations by authorities?

8 of 11: IT security – Case study 9/11

• IT company chosen by data controller not having sufficient resources (e.g. the IT security company having 3 employees and the data controller having 500 employees and 20 locations)

- Liability in case of data breaches, etc.?
- Relevance of contractual provisions in case of investigation from the authorities?
- Relevance of legal provisions in case of investigation or litigation?

8 of 11: IT security – Case study 10/11

• IT maintenance services

- Access granted to maintenance IT company?
- Cooperation with other IT services providers and the data held in their systems?
- Need to know principle?
- Data minimization principle?
- Type of agreement set in place?

8 of 11: IT security – Case study 11/11

• Framework agreement agreed with mother company for IT services – e.g. cloud or IT security services

- Liability of processor towards subsidiaries?
- Legal basis for accessing data of subsidiaries?
- Handling data subject requests?
- Structure of transfer data agreements?

9 of 11: Profiling and automated decisions
Concept
Profiling represents:
• any form of automated processing of personal data
• used to evaluate (including to analyse or to predict) certain personal aspects relating to a natural person
Limitations to profiling: e.g. need for consent in case of intrusive profiling (such as, processing of data not expected by data subject)

Limitations for automated decisions:

• a decision to be taken solely on automated processing (including profiling); and
• the decision to produce legal effects concerning him or her or similarly significantly affects him or her.

Exemptions to limitations for automated decisions:

• necessity for a contract; or
• authorised by the law of EU or member states; or
• explicit consent of data subject.

9 of 11: Profiling and automated decisions
Potential risks

• Discrimination or unfair treatment
• Limits rights or denies an opportunity
• Certain sectors of society may not be represented
• Jeopardizing data accuracy
• Data broking

9 of 11: Profiling and automated decisions
To do list
• Data minimization – proportionality principle
• Accuracy of data stored
• Retention period
• Information provided to data subjects – including structuring of the profiling and envisaged consequences of such processing
• Right to rectification
• Right to object (specifics for marketing activities)
• Implementing appropriate safeguards
• Data protection impact assessment (data analysis specific in certain situations provided by law)

9 of 11: Profiling and automated decisions
Case studies

• eHealth app – potential processing of sensitive data (derived and inferred data)
• Cybersecurity tools used by companies – IPS, IDS, SIEM
• Data analytics – for targeted marketing purposes
• Social media app – using profiles of its users for marketing purposes (on behalf of other companies – e.g. banks, retail stores)

10 of 11: Pseudo-anonymized data – Case study 1/3

• Database of financial transactions (pseudo-anonymization of such data)

- Limitations around the use for creating new products or for marketing campaigns
- (i) Is it still possible to identify a data subject? (ii) Is it still possible to link records/entries relating to the same data subject? (iii) Can information be deduced/inferred regarding a data subject?
- Is the data subject identified or identifiable by using any means reasonably likely to be used by either a data controller or a third party?

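An added example (not from the slides, nor from any product mentioned on them) that runs the three tests of this case study over a constructed transaction ledger, reusing the client-123 coffee routine from the personal data exercise, and handles an erasure request the way the data subject rights slide suggests (de-linking rather than deleting); the key, the names and the records are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample ledger (not from the slides): client id, name, merchant,
# street and time of a card transaction. Client 123's rows mirror the slide's
# "coffee from the coffee shop on Street X each morning at 8am" example.
RAW_TRANSACTIONS = [
    {"client_id": "123", "name": "John Doe", "merchant": "Coffee shop", "street": "Street X", "time": "2019-03-04T08:00"},
    {"client_id": "123", "name": "John Doe", "merchant": "Coffee shop", "street": "Street X", "time": "2019-03-05T08:02"},
    {"client_id": "123", "name": "John Doe", "merchant": "Coffee shop", "street": "Street X", "time": "2019-03-06T08:05"},
    {"client_id": "123", "name": "John Doe", "merchant": "Bookstore", "street": "Street Y", "time": "2019-03-06T18:30"},
    {"client_id": "456", "name": "Jane Roe", "merchant": "Bakery", "street": "Street Z", "time": "2019-03-04T12:15"},
    {"client_id": "456", "name": "Jane Roe", "merchant": "Pharmacy", "street": "Street W", "time": "2019-03-07T09:40"},
]

DIRECT_IDENTIFIERS = ("client_id", "name")


def pseudonym(client_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the client id. A bare SHA-256 of a short
    numeric id would not do: it can be reversed by hashing every possible id."""
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with a pseudonym. The re-identification table
    (pseudonym -> client id) is returned separately; the controller keeps it
    apart from the working dataset."""
    out, lookup = [], {}
    for r in records:
        p = pseudonym(r["client_id"], key)
        lookup[p] = r["client_id"]
        out.append({"pseudonym": p, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


# Test (i): can a data subject still be identified? Yes for every pseudonym
# that is present in the re-identification table.
def identifiable(pseudo_records, lookup) -> set:
    return {lookup[r["pseudonym"]] for r in pseudo_records if r["pseudonym"] in lookup}


# Test (ii): can records of the same person still be linked? Yes whenever one
# pseudonym is reused across rows (the usual case for a consistent pseudonym).
def linkable(pseudo_records) -> dict:
    counts = defaultdict(int)
    for r in pseudo_records:
        counts[r["pseudonym"]] += 1
    return {p: n for p, n in counts.items() if n > 1}


# Test (iii): can something be inferred? The same merchant at the same hour on
# at least `min_visits` days reveals a routine, which for an 8am coffee also
# points indirectly at where the person lives.
def inferred_routines(pseudo_records, min_visits: int = 3) -> dict:
    visits = defaultdict(lambda: defaultdict(int))
    for r in pseudo_records:
        hour = r["time"][11:13]
        visits[r["pseudonym"]][(r["merchant"], r["street"], hour)] += 1
    routines = {}
    for p, places in visits.items():
        for (merchant, street, hour), n in places.items():
            if n >= min_visits:
                routines[p] = f"{merchant} on {street} around {hour}:00"
    return routines


# Erasure request handled by de-linking: drop the client's entry from the
# re-identification table. Test (i) now fails for that client, but (ii) and
# (iii) are unchanged, so the dataset is still pseudonymised, not anonymised.
def erase(lookup: dict, client_id: str) -> dict:
    return {p: c for p, c in lookup.items() if c != client_id}


def assess(records, key: bytes, erased_client: str = "123") -> dict:
    pseudo, lookup = pseudonymise(records, key)
    after_erasure = erase(lookup, erased_client)
    return {
        "identifiable_before": identifiable(pseudo, lookup),
        "identifiable_after_erasure": identifiable(pseudo, after_erasure),
        "linkable": linkable(pseudo),
        "routines": inferred_routines(pseudo),
    }


if __name__ == "__main__":
    # Constructed key for the demo; in practice a secret held by the controller.
    for name, value in assess(RAW_TRANSACTIONS, b"constructed-demo-key").items():
        print(name, value)
```

The run shows why the case study asks all three questions: after erasure the table no longer names client 123, yet the four rows still link to one pseudonym and still reveal the 8am coffee routine.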
10 of 11: Pseudo-anonymized data – Case study 2/3

• CRO (Contract research organisation) companies – clinical trials

- Pseudo-anonymized data from clinical trials for research?
- Secondary use of data by CRO or by medicine producer?
- Relation of CROs with distributors of medicine, HCPs and patients

10 of 11: Pseudo-anonymized data – Case study 3/3
• Investigations performed by foreign public authorities towards the mother company

- Legal basis for transfer of data of subsidiaries?
- Transfer of personal data outside the EU?
- Data minimization principle?
- Anonymization of documentation

11 of 11: Privacy by design

Privacy analysis life cycle - SDLC 1/2

Requirement → Design → Coding → Testing → Deployment → Change management (and back to Requirement)
11 of 11: Privacy by design

Privacy analysis life cycle 2/2

Requirement
• Difficult to define at the outset; risk appetite
• Correlation with existing systems
• Templates for specific data processing

Design
• UX vs privacy
• Offering of guidance
• Define requirements for initial design

Coding
• Legacy and group systems
• Third party source code
• Third party libraries

Testing
• Static code analysis
• Privacy testing
• White box testing

Deployment
• Implementation steps
• Regular reviews
• Audits

Change management
• Identification of impact on personal data
• Triggers for privacy analysis
• Restarting the SDLC
11 of 11: Privacy by design

Analysis angles – potential approaches 1/3

Data processing types
• Collecting
• Transferring
• Analysing
• Archiving
• Storing

Application structure
• The data at rest
• The application layer, including integration with other IT systems
• The data transition layer
• The front-end

Implementation
• Minimise
• (Pseudo-)anonymise
• Encrypt/hide
• Inform
• Control
• Demonstrate

Consequences
• Ensure integration with existing IT systems
• Avoid delays and changes to initial architecture
• Technical, privacy and business aspects adjusted and included from the outset
11 of 11: Privacy by design

Analysis angles - purpose 2/3

• Proactive privacy design embedded in the software from the outset, culture rather than just specific requirements
• Ensure full functionality of software (user-centric approach)
• Ensure integration with existing IT systems
• Avoid delays and changes to initial architecture
• Technical and business aspects concerning the software development cycle
11 of 11: Privacy by design

Analysis angles - EXAMPLES 3/3

IT Development – Organisational steps
• Risk management integration
• Specific controls
• Build best practices for specific types of data processing
• Data (collection) minimisation and purpose limitation

Requirements for implementation
• Traceability of consent/information notices
• Retention period
• DSR
• Incident identification, notification and investigation

Characteristics to consider
• Risks for individuals
• State of the art
• Costs of implementation
• Nature, scope, context and purposes of processing

11 of 11: Privacy by design

Role of stakeholders

Stakeholders: business owner, IT security team, developers, privacy team, internal IT team, risk department

- Terminology gap
- Workshops with actual case studies
- Right moment to speak to each department – triggers
- Role of project manager/product manager
- Change in members of the team
- IT team: solution architects, operational department, external providers
- First and second line of defense

11 of 11: Privacy by design

Specifics depending on development methodology

Waterfall
• Outset of project – the general requirements are detailed
• End of project – formal assessment of project is performed

Agile/Scrum
• Each sprint – for each change business, privacy and developers discuss privacy implications
• Each meeting – real-time awareness of changes to architecture

11 of 11: Privacy by design

Use of third parties

Use of third party source code
• Audit
• Specific requirements: e.g. DSR and incident identification/investigation

Mixed teams
• Inclusion in all project meetings
• Trainings at the outset related to privacy

External developers
• Initial requirements and periodical follow-ups; SMEs
• Triggers for additional privacy analysis

Relevant legislation and guidance

• GDPR (EU Regulation 2016/679)


• Law no. 190/2018
• Law no. 506/2004
• Working Party Article 29 guidance
• EDPB guidance
• OASIS – privacy by design guidance for engineers
• ISO/IEC 29134 – data protection impact assessment
• ISO/IEC 27701 – data protection management
• NIST 800-37 – security and data protection risk assessment
• NIST 800-53 – security and data protection controls
• NIST privacy framework – draft
• AICPA/GAPP – methodology for privacy maturity assessment
• OECD 108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

Questions?
Email: larisagabudeanu@gmail.com