Nowadays, with the development of digital technologies, the processing of personal data has become an integral part of many IT projects. Such processing is, on the one hand, commonplace and, on the other hand, requires compliance with the requirements of regulators and customers, including ensuring the protection of such data at every stage of processing, from collection to use to final deletion.
The above requirements are regulated by law, with many countries having regulations in this regard. In the European Union, these include the General Data Protection Regulation (GDPR, or RODO), the Directive on Privacy and Electronic Communications (2002/58/EC) and the NIS Directive. Many other countries have similar regulations. The provisions of the GDPR set out detailed requirements for how personal data is processed, including obtaining consent from individuals, protecting data from unauthorized access, and allowing individuals to exercise their rights, such as the right to access or delete their personal data.
Data processing – definition
Under the regulations of the DPA, data processing is any operation performed on data, by automated or non-automated means, such as, but not limited to, collecting, recording, organizing, structuring, storing, viewing, retrieving, sharing, adapting/modifying, matching/joining, using, deleting or destroying.
Personal data is any information that can be linked to a specific individual, such as a name, address, phone number, email address or IP address. It may also include an identification number, location data or an online identifier.
The processing of the above data may include, for example, allowing access to the contact database, as well as recording camera images or logging IP addresses.
Data processing in IT projects – characteristics
The processing of personal data in IT projects must comply with legal regulations, including the GDPR: it must, first and foremost, be justified by a specific purpose, reliable, transparent and limited to a minimum scope sufficient to achieve the stated purpose.
The stages of data processing in an IT project can be mapped onto the processing operations listed in the GDPR definition above. They include the following steps:
- Collecting personal data: the first step is to collect personal data from users through various tools, such as forms, surveys or mobile apps.
- Storing personal data: the next step is to store personal data in a secure manner to ensure that it is protected from unauthorized access.
- Processing personal data: next, personal data is processed according to the purposes for which it was collected. This may include operations such as analysis, segregation or aggregation of data.
- Sharing personal data: after processing, personal data may be shared only with authorized persons or entities, for example, to provide a service or to provide information about the data subject.
- Deletion of personal data: at the end of the process, personal data should be deleted or anonymized if it is no longer needed to fulfill the purposes for which it was collected, or at the user’s request.
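The five stages above, together with the purpose limitation and minimum-scope rule stated earlier, can be enforced in code rather than left to procedure. The following is an added illustration, not code from the article or from Euvic's SDL policy: a small in-memory store that ties every record to a declared purpose, drops fields the purpose does not justify, checks consent at collection, restricts reads by role, serves access and erasure requests, and anonymises records once a retention period expires. The purposes, roles, field sets and retention periods are constructed policy tables; the `PersonalDataStore` class, the keyed pseudonym and the demo subjects are assumptions of this example, and encryption at rest is assumed to be provided by the real storage layer.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy tables (illustrative, not from any real system):
# which fields each purpose justifies, which purposes each role may read
# data for, and how long a record may be kept before it is anonymised.
PURPOSE_FIELDS = {"newsletter": {"email"},
                  "order_fulfilment": {"name", "address", "email"}}
ROLE_PURPOSES = {"marketing": {"newsletter"},
                 "logistics": {"order_fulfilment"}}
RETENTION = {"newsletter": timedelta(days=365),
             "order_fulfilment": timedelta(days=90)}


@dataclass
class Record:
    subject_id: str        # keyed pseudonym, never the raw e-mail address
    purpose: str
    data: dict             # only the fields PURPOSE_FIELDS allows
    collected_at: datetime
    anonymised: bool = False


class PersonalDataStore:
    """In-memory store applying the lifecycle controls; encryption at rest is
    assumed to be handled by the underlying storage and is out of scope."""

    def __init__(self, pseudonym_key):
        self._key = pseudonym_key
        self._records = []
        self.audit = []  # every collect / read / denial / erasure is recorded

    def pseudonymise(self, email):
        # Keyed hash (HMAC) so records are not indexed by the raw identifier.
        norm = email.strip().lower().encode()
        return hmac.new(self._key, norm, hashlib.sha256).hexdigest()[:16]

    def collect(self, purpose, submitted, consent_given, now):
        # Purpose limitation, consent and minimisation at the point of collection.
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown processing purpose {purpose!r}")
        if not consent_given:
            raise PermissionError("no consent recorded for this purpose")
        allowed = PURPOSE_FIELDS[purpose]
        minimised = {k: v for k, v in submitted.items() if k in allowed}
        dropped = tuple(sorted(set(submitted) - allowed))  # never stored
        record = Record(self.pseudonymise(submitted["email"]), purpose, minimised, now)
        self._records.append(record)
        self.audit.append(("collect", purpose, dropped))
        return record

    def read(self, role, purpose, subject_id):
        # Access control: a role only sees data for the purposes assigned to it.
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self.audit.append(("denied", role, purpose))
            raise PermissionError(f"role {role!r} may not process data for {purpose!r}")
        self.audit.append(("read", role, purpose, subject_id))
        return [r.data for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose and not r.anonymised]

    def subject_access(self, email):
        # Right of access: everything still held about the person, by purpose.
        sid = self.pseudonymise(email)
        return {r.purpose: r.data for r in self._records
                if r.subject_id == sid and not r.anonymised}

    def erase(self, email):
        # Right to erasure on request; returns the number of records removed.
        sid = self.pseudonymise(email)
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != sid]
        removed = before - len(self._records)
        self.audit.append(("erase", sid, removed))
        return removed

    def sweep_retention(self, now):
        # End of the lifecycle: anonymise records whose retention has expired.
        count = 0
        for r in self._records:
            if not r.anonymised and now - r.collected_at > RETENTION[r.purpose]:
                r.data = {}                  # drop all personal fields
                r.subject_id = "anonymised"  # sever the link to the individual
                r.anonymised = True
                count += 1
        return count


def demo():
    """Walk two constructed subjects through the lifecycle; returns checkable results."""
    store = PersonalDataStore(b"constructed-demo-key")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ann = store.collect("newsletter", {"email": "Ann@Example.com", "phone": "+48 000 000 000"},
                        consent_given=True, now=t0)
    store.collect("order_fulfilment", {"name": "Bob", "address": "1 Main St", "email": "bob@example.com"},
                  consent_given=True, now=t0)
    try:
        store.read("logistics", "newsletter", ann.subject_id)
        denied = False
    except PermissionError:
        denied = True
    return {
        "stored_fields": sorted(ann.data),
        "dropped_fields": store.audit[0][2],
        "marketing_read": store.read("marketing", "newsletter", ann.subject_id),
        "logistics_denied": denied,
        "access_request": store.subject_access("ann@example.com"),
        "erased": store.erase("bob@example.com"),
        "anonymised_early": store.sweep_retention(t0 + timedelta(days=100)),
        "anonymised_expired": store.sweep_retention(t0 + timedelta(days=400)),
        "held_after_expiry": store.subject_access("ann@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the weight here: the field filter in `collect` means an over-sharing form cannot push data into the store that no purpose justifies, and the retention sweep anonymises in place (emptying the fields and replacing the pseudonym) rather than relying on someone remembering to delete, which is what "deleted or anonymized if it is no longer needed" looks like when it is automated.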
Processing of personal data – GDPR requirements and good practices
One of the primary goals of the GDPR is to protect individuals in connection with the processing of their personal data, not to protect the data itself. Hence, it is important for individuals to be aware of how their personal data is being used, and to be able to exercise their rights and control their data. The GDPR imposes a number of requirements on data controllers related to protection against misuse, such as:
- Ensuring that personal data is collected and used only for specific purposes of which individuals have been informed.
- Taking into account the principles of privacy by design and by default.
- Protecting personal data from unauthorized access, use or disclosure (this should include implementing technical and organizational measures such as encryption and access control).
- Enabling individuals to exercise their rights, such as the right to obtain information about the processing of their personal data or to have their personal data deleted.
To meet the GDPR requirements, in some types of data processing activities, it is sufficient to maintain basic security practices such as those recommended by the DPA.
However, in IT projects, meeting these requirements is much more complicated, due to the complexity of the software being developed and of the development process itself (SDLC), as well as the multitude of lurking threats. In practice, the measures most commonly adopted are those prescribed by a specific industry standard such as Microsoft SDL or another (e.g., the OWASP Software Assurance Maturity Model or ISO/IEC 27034).
SDL practices as a tool to meet legal requirements to ensure adequate protection of personal data
The Microsoft Security Development Lifecycle (SDL) is a set of practices that improve the security of software development at all stages of the development process. The originator of this approach is Microsoft, which describes and shares its practices, thus setting a trend that is already widely used in the industry today (despite the existence of other standards, such as NIST 800-64 – Security Considerations in the Information System Development Life Cycle or OWASP SAMM – Software Assurance Maturity Model, as well as more specialized industry standards like PCI DSS for the payment card industry).
Euvic S.A. has an implemented Euvic SDL policy based on Microsoft SDL. The Euvic SDL policy defines several levels of secure software development depending on customer expectations and project requirements, including system criticality and sensitivity of stored data.
Implementing SDL in an organization is a long-term effort and involves various project roles (analyst, architect, project manager, technical lead, developers, devops specialists, testers, infrastructure and support staff, etc.). SDL’s main objectives include:
- Providing adequate training so that all developers are aware of the risks and countermeasures for the security of the software being developed.
- Defining metrics and reporting with respect to security.
- Conducting threat modeling for the systems being developed.
- Establishing a common approach for all developers regarding the security management of the software being produced.
- Using appropriate and proven secure design patterns, cryptographic methods and developer tools.
- Managing risks associated with the use of third-party components.
- Using automated tools to support vulnerability detection (static SAST analysis, dynamic DAST) and penetration testing.
- Properly managing access to development environments and project information.
SDL practices used together are aimed at detecting and eliminating security vulnerabilities as early as possible in the project lifecycle (the “push to the left” principle). Removing vulnerabilities at the analysis or code review stage is much cheaper than rebuilding the finished solution or handling incidents after the code is deployed to production. Also, the multitude of possible attack types and the complexity of securing systems require that security remain a priority at various stages of a project. Implementing SDL practices can make it much easier to meet the legal requirement of privacy by design under the GDPR.
There are other benefits of implementing SDL for software development organizations:
- Much earlier detection of most security-relevant bugs, and lower cost of handling them; the multi-stage code verification procedures applied before production deployment also catch other types of bugs earlier.
- Much easier compliance with data security regulations, reducing legal risks.
- Reduction of business and reputational risks associated with security errors.
- Ability to manage security through the use of metrics and tailor security efforts to the requirements of a specific project by choosing the intensity of efforts in specific SDL areas.
- Availability of new markets – ability to offer services to customers who are particularly sensitive to security issues.
Risk management – data breach incident: classification and risk management procedure
One of the tenets of SDL is the process of handling incidents and classifying them based on the severity of the potential impact. This can include the type of data affected by the incident, the number of people affected, and the likelihood of harm to those people.
When classifying an incident, a risk management procedure is used to resolve the problem and prevent future incidents. This may include conducting a thorough investigation, implementing additional security measures, and notifying affected individuals and regulators as required.
Penalties for inadequate data protection
Processing personal data in IT projects involves the risk of a data breach. This risk may arise as a result of inadequate data security, system failure, hacker attack, or data processing errors.
In such a case, the person or entity responsible for processing personal data may incur liability, including criminal or civil liability, as well as being penalized by supervisory authorities (in Poland, the President of the Office for Personal Data Protection).
Under the GDPR, organizations can be fined up to €20 million or, in the case of companies, up to 4% of total annual worldwide turnover (whichever is higher) for violations. One of the highest fines, for example, was levied on Instagram (€405 million) by the Irish Data Protection Commissioner in 2022, who found negligence in the management of data of underage users, whom the service allowed to create business accounts, resulting in phone numbers or email addresses being made public.
In conclusion, the processing of personal data in IT projects is a complex and important topic that requires due diligence. By understanding the features and stages of data processing, the penalties for failing to properly secure data, and the importance of risk management, organizations can effectively protect personal data and ensure compliance with relevant laws and regulations.