Building applications and platforms that preserve privacy
Digital applications and platforms have become essential for organizations, especially since the start of the Covid-19 pandemic and subsequent restrictions on the public.
Organizations are rapidly moving towards creating next-generation digital platforms to power digital sales and services, and these platforms support all areas: sales, marketing, customer acquisition and service, product delivery, as well as a variety of internal functions.
As more and more services go digital, data confidentiality has become an important aspect for organizations not only to maintain the trust of customers and employees, but also to ensure that they comply with various local and international laws.
Let’s understand the architecture of the digital platform and how privacy practices need to be integrated. A digital platform is made up of the following layers:
- Company gateway to connect to the Internet and authenticate users.
- Presentation layer to present applications to users.
- Integration layer to channel service calls.
- Application layer to offer business applications and services.
- Data layer to record and retrieve master data items and transactions.
Given the complexity of the architecture and the many data flows hosted by any modern digital platform, preserving data privacy and security throughout the data lifecycle – data acquisition, data storage, data handling, data manipulation, data processing, data transfer and data disposal – becomes a complex task.
Therefore, cross-functional expertise from privacy, information security, architecture, digital, data and technology risk professionals is needed to assess the effectiveness of privacy controls during the design of these systems. In addition, there must be documentation of the data collected through digital platforms, why it is needed, and how it will be processed and stored within the organization.
The concept of privacy by design is necessary to ensure that privacy practices are established from the conceptualization phase and are implemented throughout the lifecycle of digital application development and operations. ISACA's Privacy in Practice 2021 report provides good information on how privacy concepts should be built in from the start of engagements and what types of skills are needed to develop such a practice.
For example, one of the survey results was that “Companies that consistently use privacy by design are almost two and a half times more likely to be completely confident in their privacy team’s ability to ensure data privacy and to comply with new privacy laws and regulations”.
When assessing privacy controls around the design and development of digital platforms, risk professionals should assess the following areas (non-exhaustive list):
- What data elements are captured through the digital platform? For example, personally identifiable information (PII) of a customer or employee, biometric, behavioral or financial data.
- Are the data items requested through digital applications minimized to those that are strictly necessary?
- Do apps avoid collecting unique device identifiers unless they are needed for the app to work?
- Is there data sharing or deep links between different applications?
- Is it ensured that no PII is stored in application logs unless necessary, and are there controls for the prompt deletion of any such data?
- What controls are built around access to sensitive information stored in the digital library?
- Will customer data be used for system training purposes, or would artificial intelligence (AI) or machine learning (ML) capabilities be used?
- Will application testing be performed on synthetic data to ensure customer privacy?
- How would customer/employee consent be collected, and does the consent language make them aware of the possible uses of their data?
- What controls are designed to ensure that data is deleted at the end of its retention period or when customer consent is withdrawn?
- What monitoring and logging controls are built in to ensure the timely identification and reporting of privacy breaches?
- Do we have third-party contractual language imposing privacy requirements whenever data is exposed externally?
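As an added example (not code from this article or from ISACA), the following Python script shows two of the checklist items above in working form: a logging filter that scrubs e-mail addresses and payment card numbers from log messages before any handler writes them (the item on PII in application logs), and a retention sweep that removes customer records once their retention period has passed or their consent has been withdrawn. The record fields, the retention period, the redaction patterns and the sample values are all assumptions constructed for this example.

```python
import logging
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed patterns for two common PII types that must not reach application logs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def redact(text: str) -> str:
    """Replace e-mail addresses and 16-digit card numbers with fixed placeholders."""
    text = EMAIL_RE.sub("[EMAIL REDACTED]", text)
    text = CARD_RE.sub("[CARD REDACTED]", text)
    return text


class PiiRedactingFilter(logging.Filter):
    """Scrub PII from the fully formatted message before any handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; drop the original args
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_with_redaction(messages: list) -> list:
    """Log each message through the redacting filter and return the written lines."""
    logger = logging.getLogger("privacy.example")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PiiRedactingFilter())
    logger.addHandler(handler)
    try:
        for message in messages:
            logger.info(message)
    finally:
        logger.removeHandler(handler)
    return handler.lines


@dataclass
class CustomerRecord:
    """Assumed shape of a stored customer record (constructed for this example)."""
    customer_id: str
    collected_at: datetime
    consent_given: bool
    retention_days: int = 365


def purge_expired(records: list, now: datetime):
    """Return (kept, purged_ids): drop records past retention or with consent withdrawn."""
    kept, purged = [], []
    for rec in records:
        expired = now - rec.collected_at > timedelta(days=rec.retention_days)
        if expired or not rec.consent_given:
            purged.append(rec.customer_id)
        else:
            kept.append(rec)
    return kept, purged


# Constructed sample data: a fixed "now" and three records in different states.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    CustomerRecord("c-001", NOW - timedelta(days=30), True),    # within retention, consented
    CustomerRecord("c-002", NOW - timedelta(days=400), True),   # past the 365-day retention
    CustomerRecord("c-003", NOW - timedelta(days=10), False),   # consent withdrawn
]

if __name__ == "__main__":
    for line in log_with_redaction([
        "login ok for alice@example.com",
        "card 4111 1111 1111 1111 declined",
        "nothing sensitive here",
    ]):
        print(line)
    kept, purged = purge_expired(SAMPLE_RECORDS, NOW)
    print("kept:", [r.customer_id for r in kept], "purged:", purged)
```

The filter is attached to the handler rather than the logger so that it runs for every record that handler writes, including records propagated from child loggers; in a real deployment the purge would be driven by a scheduled job that also writes an audit entry for each deleted identifier.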
Although the above checks are illustrative, a detailed assessment is necessary in the design phase of the system and whenever new expansions or modifications are planned around digital applications. Beyond the design and development phases, privacy controls should be exercised throughout the platform’s core architecture and functionality so that they remain deeply embedded when these platforms are operated.
As we live in the digital age, privacy has become an important pillar for the creation of secure digital platforms, and there is no one-size-fits-all approach. To get it right the first time, organizations need to consider all the key components – well-defined privacy policies and controls, the inclusion of trained privacy and risk professionals, training and awareness for project teams, the integration of privacy language into third-party contracts, and a strong incident management process to handle any possible privacy breach.
As they say, privacy is a journey, not a destination. Organizations have started their journey to embed privacy into their digital offerings.
Gaurav Deep Singh Johar, CISA, CISM, CRISC, CDPSE, is a member of the ISACA Emerging Trends Working Group. Currently based in Toronto, Canada, he works as a digital technology risk manager at a large financial services organization.