The General Data Protection Regulation (GDPR) makes the law (at least, in relation to EU personal data) what privacy professionals have been saying for years—think about privacy concerns (like collecting as little personal data as necessary and safely getting rid of personal data when it is no longer needed) when designing products and services that involve the handling of personal data. GDPR calls this “Data Protection Privacy By Design and Default.”
So, what do I, as a security professional have to say about this? Well, I say, “This sounds familiar.” And it should. It’s just the security development lifecycle (SDL)—“Secure By Design, By Default and In Deploy” —with a privacy spin. The commonality is how “design” is given primacy in both approaches.
Are both design practices—privacy AND security by design—required? On principle, we (and any other security-minded product company) would say “absolutely!”
But, while GDPR explicitly requires “privacy …