The target group comprises everyone involved in development, or with ownership of the software, including those responsible for defining the requirements, the product owners, customers/purchasers, project leaders, developers, architects, and testers. The Data Protection Officer and security advisor should also be involved in this activity.
When requirements for data protection and security, tolerance levels, data protection impacts, and security risks are detected early, the development team will already know which requirements they need to meet, and can therefore mitigate the risks associated with data protection and information security throughout the development process.
Requirements for data protection and information security
To set the correct requirements, it is important to know what categories of personal data will be processed in the software, what conclusions can be drawn about individuals based on the data being processed, who is the user and owner of the data, who is defined as the controller, and if applicable, who is the data processor or recipient of the personal data. This is necessary for determining which laws, rules, guidelines, and codes of conduct are applicable to the software being developed. These provide guidelines for determining which requirements should be set for the software.
Relevant requirements for data protection and security are contained in the data protection regulation, business practices and policies for data protection and information security, various security standards, and codes of conduct or other relevant laws and regulations relating to the sector. The company must decide for itself which requirements are relevant to their business, the software being developed, and the context in which the end product will be used. Requirements for data protection and information security should be formulated in a checklist that should be integrated into the project plan, and monitored throughout the development process.
Meet the data protection principles
The most important requirement applicable to software with data protection by design is that the data protection principles are met. The processing shall be lawful, fair and transparent. Processing of personal data shall be carried out for specified, explicit and legitimate purposes, and only data that is necessary for the software to function shall be collected.
By “necessary”, we mean that you must assess the amount of personal data, extent of their processing, the period of their storage, and their accessibility. For example, you should consider the level of detailed information required, how long the data will need to be stored, whether automatic deletion routines can be implemented, where the data will be stored, and who will have access to the data, and from where.
Concise information and secure the data
Clear and concise information about how the personal data will be used is fundamental to ensure protection of data subject’s rights. The software must make it easy for the data subjects to exercise their rights, such as access, information, rectification, restriction, and data portability. This can, for example, be resolved by using a login portal that provides an overview of the registered data, information on users’ rights, and a help form that can be used to make objections or rectifications.
The company must ensure the security of personal data during e.g. collection, storage, alteration, viewing, communication, and deletion. Encryption and access control are examples of measures that can be used to help ensure security.
The security requirements for the software are determined by identifying which risks the software may be exposed to, and which risks the company is willing to take. This defines the parameters for selecting relevant and correct measures for the company and the software. We recommend using the Data Protection Authority’s checklists and recognised standards for information security when selecting relevant measures.
Generic examples of suggested measures:
The ISF Standard of Good Practice for Information Security (SoGP)
Defining risk tolerance levels
Risk assessment is about identifying the potential consequences of different incidents or scenarios, and assessing how likely or easy it is that an unwanted incident occurs. It is the company’s management that determines the degree of risk the company is willing to take in different scenarios. This is called risk tolerance. This tolerance level provides guidance on what measures and resources need to be put in place to ensure that the software does not exceed the defined level of acceptable risk.
In terms of security, the tolerance level is defined individually for different “security scenarios”. Examples of such security scenarios could include accidental alteration of personal data, unauthorised disclosure of personal data, and a lack of accessibility that could significantly affect life and health.
In terms of data protection, the tolerance level is defined individually for different “data protection scenarios”. Examples of such data protection scenarios could include the data subject losing control over his/her personal data, the data subject being subjected to discrimination based on profiling carried out by the software, or a person being re-identified from anonymised data.
Some security scenarios and data protection scenarios will have zero tolerance for risk, while for others, the company may be willing to take a certain degree of risk. Management must set acceptable tolerance levels, i.e. risk appetite, for both data protection and security.
The company’s risk appetite may be documented by defining tolerance levels for data protection or security in different scenarios, often in a reference table that can be reused for other risk assessments.
Security Risk Assessment
A risk assessment begins with mapping values that should be secured. The data protection regulation defines personal data as a value.
A threat assessment should be carried out to identify which actors could be interested in the values, and which attack vectors different threat actors use. An evaluation is then carried out to determine which values are vulnerable to any given threat. Information security standards can help to detect vulnerabilities, thus also identifying the requirements that need to be established for data protection and security.
The result of the risk assessment should be assessed against the security tolerance level. If the risk level is higher than the pre-determined level of acceptable risk, measures must be implemented to mitigate the risk. It is also necessary to determine who will be responsible for the measure, and to set a deadline for implementation.
Data protection impact assessment
The purpose of a data protection impact assessment is to assess the impact an envisaged software or processing operation may have on the protection of personal data. It is to ensure that the software does not infringe on the data subject’s fundamental rights. The processing should, for example, be lawful, fair, and transparent. For certain types of processing of personal data it is required to carry out a data protection impact assessment:
- In the case of a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated decision-making, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person,
- when processing sensitive personal data on a large scale, or
- a systematic monitoring of a publicly accessible area on a large scale.
If you are in any doubt, we recommend carrying out a data protection impact assessment. The assessment shall contain at least:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller,
- an assessment of the necessity and proportionality of the processing in relation to the purposes,
- an assessment of the risks to the rights and freedoms of the data subjects, and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the data protection regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
In cases where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk, the data protection regulation requires that you contact the Data Protection Authority for a prior consultation.
We recommend The Article 29 Data Protection Working Party’s Guidelines on Data Protection Impact Assessment (DPIA)
Example of a checklist for setting requirements (pdf)