Training
During this activity, the specific types of training that should be given are determined. To ensure that everyone in the organisation understands both the need for, and the risks associated with, data protection and security, the training needs to be structured.
The target group for this activity is management and employees in the organisation.
What is important to learn
An understanding of data protection and information security is a prerequisite for developing software with data protection by design and by default. Employees should know what requirements are applicable, what they should look out for, and which tools enables them to convert knowledge of data protection and information security into software that safeguards it.
Employees must also know which methodology and routines should be followed. The organisation itself must decide what is relevant, and what type of training is required for individual employees. A training plan should be drawn up.
Which requirements apply for the organisation?
The employees should receive training in the relevant internal and external requirements. Internal requirements may relate to data protection, information security, internal control, and resource management. This includes routines for risk assessment and requirements for documentation. External requirements include data protection law in general, the significance of the data protection principles in particular, and rights of the data subjects.
Other external requirements might include regulatory and mandatory requirements related to the subject area, sector, or industry for which the software is to be developed. There may also be a requirement to follow best practices, standards, code of conducts for the chosen technology. Examples of these include the Freedom of Information Act, the Patient Records Act, the pending ePrivacy Regulation, the Regulations on the Use of Information and Communications Technology (ICT), the framework for information security (for example ISO27001, and the ISF Standard of Good Practice for Information Security (SoGP).
How to do this in practice Software developers should have an established development methodology, approved by management, that they follow when developing software. When developing software that processes personal data, the methodology should include data protection by design and by default, and security by design. Examples of development frameworks with embedded security are Microsoft Security Development Lifecycle (SDL) and OWASP Flagship projects.
Which tools can be used? The organisation should prepare an overview of the tools, standards, and best practices that should be used during software development. Employees should be trained in which tools they can use, how to use them, and for what purposes. Examples of tools for tasks including security testing, setting security requirements, measurement, and threat modelling can be found in:
OWASP Application Security Verification Standard Project (OWASP ASVS)
Download
Example of a checklist for what training activities should include (pdf)