On the occasion of Data Protection Day, the European Union Agency for Cybersecurity (ENISA) explores how to engineer data protection principles.
The European Union Agency for Cybersecurity (ENISA) joins the celebration of Data Protection Day by publishing a new report on data protection engineering. January 28th marks the anniversary of the Council of Europe’s Convention 108 on the protection of personal information, the first legally binding international law in the field of data protection.
The evolution of technology has given rise to new techniques to share, process and store data. These new technologies have often been introduced without a prior assessment of their impact on privacy and data protection, while new threats and attack vectors have introduced additional challenges.
The new publication takes a broader look into data protection engineering to support practitioners and organisations. It seeks to help them with the practical implementation of the technical aspects of data protection by design and by default. The report presents existing (security) technologies and techniques and discusses their strengths and applicability in order to meet the data protection principles stipulated by the General Data Protection Regulation (GDPR).
Data protection by design has been a legal obligation since the GDPR came into effect in 2018. The concept is often associated with the use of specific Privacy Enhancing Technologies (PETs). However, it also extends to various technological and organisational components meant to implement data protection principles. Engineering those principles into practice not only means integrating them into the design of the processing operation. It also means selecting, deploying, configuring and maintaining the appropriate technological measures and techniques to that effect.
Today’s publication follows that goal by providing an analysis of possible strengths of techniques in several areas including anonymisation, data masking, privacy preserving computations, storage, transparency and user control tools.
Scope of the report
The report is designed to help data controllers assess which techniques are most relevant to each processing operation and to their needs, by setting out the strengths and possible limitations of each.
Traditional security techniques such as access control and privacy preserving storage are discussed alongside novel concepts such as synthetic data, which introduce new opportunities and challenges.
The report underlines the importance of policy guidance and the ability to demonstrate compliance and provide assurance to end-users.
ENISA is currently setting up an Ad Hoc Working Group in the area of Data Protection Engineering. The call for expression of interest is open until 15 February 2022 12:00 noon EET (Athens time zone). The role of the group will be to support the analysis of available or emerging technologies and techniques in the area in order to identify and highlight good practices and innovative security techniques.
Background
The General Data Protection Regulation (GDPR) addresses the risks associated with the processing of personal data. The regulation intends to reinforce individuals’ rights in the digital era and enable them to better control their personal data online. At the same time, modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market (DSM), while also benefiting from increased consumer trust.
To this end, ENISA looks into the solutions offered by Privacy by design as a fundamental principle of embedding data protection safeguards at the heart of new electronic products and services. An example is Privacy Enhancing Technologies (PETs) that can support privacy integration in systems and services. ENISA also engages in different analyses of other security measures in relation to cryptographic protocols or online and mobile data protection among others.
Further Information
ENISA Report – Data Protection Engineering
ENISA webpage on Data Protection
ENISA Annual Privacy Forum 2022 (APF 2022)
ENISA Report – Data Pseudonymisation: Advanced Techniques and Use Cases