27. Januar 2022
On the occasion of Data Protection Day, the European Union Agency for Cybersecurity (ENISA) explores how to engineer data protection principles.
The European Union Agency for Cybersecurity (ENISA) joins the celebrated Data Protection Day by publishing a new report on data protection engineering. January 28th marks the anniversary of the Council of Europe’s Convention 108 on the protection of personal information, the first legally binding international law in the field of data protection.
The evolution of technology has given rise to new techniques to share, process and store data. These new technologies have often been introduced without a prior assessment of the impact on privacy and data protection while new threats and attack vectors have introduced additional challenges.
The new publication takes a broader look into data protection engineering to support practitioners and organisations. It seeks to help them with the practical implementation of the technical aspects of data protection by design and by default. The report presents existing (security) technologies and techniques and discusses their strengths and applicability in order to meet the data protection principles stipulated by the General Data Protection Regulation (GDPR).
Data protection by design has been a legal obligation since the GDPR came into effect in 2018. The concept is often associated with the use of specific Privacy Enhancing Technologies (PETs). However, it also extends to various technological and organisational components meant to implement data protection principles. Engineering those principles into practice not only means integrating them into the design of the processing operation. It also means selecting, deploying, configuring and maintaining the appropriate technological measures and techniques to that effect.
Today’s publication follows that goal by providing an analysis of possible strengths of techniques in several areas including anonymisation, data masking, privacy preserving computations, storage, transparency and user control tools.
Scope of the report
The report is designed to help assess the most relevant techniques depending on each processing operation and based on the need of the data controller by providing strengths and possible limitations.
Traditional security techniques such as access control and privacy preserving storage are being discussed in addition to novel concepts such as synthetic data which introduce new opportunities and challenges.
The report underlines the importance of policy guidance and the ability to demonstrate compliance and provide assurance to end-users.
ENISA is currently setting up an Ad Hoc Working Group in the area of Data Protection Engineering. The call for expression of interest is open until 15 February 2022 12:00 noon EET (Athens time zone). The role of the group will be to support the analysis of available or emerging technologies and techniques in the area in order to identify and highlight good practices and innovative security techniques.
Background
The General Data Protection Regulation (GDPR) addresses the risks associated with the processing of personal data. The regulation intends to reinforce individuals’ rights in the digital era and enable them to better control their personal data online. At the same time, modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market (DSM) also benefiting from increased consumer trust.
To this end, ENISA looks into the solutions offered by Privacy by design as a fundamental principle of embedding data protection safeguards at the heart of new electronic products and services. An example is Privacy Enhancing Technologies (PETs) that can support privacy integration in systems and services. ENISA also engages in different analyses of other security measures in relation to cryptographic protocols or online and mobile data protection among others.
Further Information
ENISA Report – Data Protection Engineering
ENISA webpage on Data Protection
ENISA Annual Privacy Forum 2022 (APF 2022)
ENISA Report – Data Pseudonymisation: Advanced Techniques and Use Cases
Fachartikel
Wenn Angreifer selbst zum Ziel werden: Wie Forscher eine Infostealer-Infrastruktur kompromittierten
Mehr Gesetze, mehr Druck: Was bei NIS2, CRA, DORA & Co. am Ende zählt
WinDbg-UI blockiert beim Kopieren: Ursachenforschung führt zu Zwischenablage-Deadlock in virtuellen Umgebungen
RISE with SAP: Wie Sicherheitsmaßnahmen den Return on Investment sichern
Jailbreaking: Die unterschätzte Sicherheitslücke moderner KI-Systeme
Studien
Deutsche Unicorn-Gründer bevorzugen zunehmend den Standort Deutschland
IT-Modernisierung entscheidet über KI-Erfolg und Cybersicherheit
Neue ISACA-Studie: Datenschutzbudgets werden trotz steigender Risiken voraussichtlich schrumpfen
Cybersecurity-Jahresrückblick: Wie KI-Agenten und OAuth-Lücken die Bedrohungslandschaft 2025 veränderten
![Featured image for “Phishing-Studie deckt auf: [EXTERN]-Markierung schützt Klinikpersonal kaum”](https://www.all-about-security.de/wp-content/uploads/2025/12/phishing-4.jpg)
Phishing-Studie deckt auf: [EXTERN]-Markierung schützt Klinikpersonal kaum
Whitepaper
ETSI veröffentlicht weltweit führenden Standard für die Sicherung von KI
Allianz Risk Barometer 2026: Cyberrisiken führen das Ranking an, KI rückt auf Platz zwei vor
Cybersecurity-Jahresrückblick: Wie KI-Agenten und OAuth-Lücken die Bedrohungslandschaft 2025 veränderten
NIS2-Richtlinie im Gesundheitswesen: Praxisleitfaden für die Geschäftsführung
Datenschutzkonformer KI-Einsatz in Bundesbehörden: Neue Handreichung gibt Orientierung
Hamsterrad-Rebell
Cyberversicherung ohne Datenbasis? Warum CIOs und CISOs jetzt auf quantifizierbare Risikomodelle setzen müssen
Identity Security Posture Management (ISPM): Rettung oder Hype?
Platform Security: Warum ERP-Systeme besondere Sicherheitsmaßnahmen erfordern
Daten in eigener Hand: Europas Souveränität im Fokus
