Referencing Validity of Data Privacy by Design

How do we determine that the user or consumer requirements for data privacy are embedded into the design, build, integration, test, and release of a new product or service?

What are the indicators in the product or service development and operation lifecycles that assure information confidentiality, process integrity, system availability, data privacy, and user safety?

The project sponsor, owner, manager, team, and relevant external stakeholders are obligated to implement the statutory and regulatory requirements and adopted international standards on consumer protection, data privacy, and information security in the “user story” of the product requirements, and acceptance criteria of a minimum viable product relating to the customer or consumer.

The project organization as a whole is expected to have a clear, common, coherent, complete, and consistent understanding of data privacy requirements as specified in the published regulations and international community-driven standards.

The Data Protection Officer guides the project organization to determine, describe, document, and demonstrate that the product or service, by design and by default, conforms to the valid and verifiable principles and practices of protecting the privacy of personal data and of securing the confidentiality, integrity, and availability of personal information.

The actionable, acceptable, and auditable guidance to support the capture, analysis, evaluation, and implementation of the right things to do in embedding data privacy and information security in the project starts with establishing the normative references for the common question of understanding the performance requirements.

1. Governance of information security

-ISO 27014 Governance of Information Security

2. Data privacy requirements in the system development life cycle

-ISO 27550 Privacy Engineering for System Life Cycle Processes

3. Data privacy impact assessment of the project

-ISO 29134 Guidelines for Privacy Impact Assessment

4. Risk management of information security

-ISO 27005 Information Security Risk Management

5. Product or service data privacy requirements for consumer protection

-ISO 31700 Privacy by Design for Consumer Goods and Services

6. Data privacy framework and data privacy processing principles

-ISO 29100 Privacy Framework

7. Information security controls of data privacy protection

-ISO 27002 Information Security Control

8. Information security management system processes

-ISO 27022 Guidance on information security management system processes

9. Privacy notification and consent requirements

-ISO 29184 Online Privacy Notices and Consent

10. Processing identity information

-ISO 24760 A Framework for Identity Management

11. Securing the network of personal information processing

-ISO 27033 Network Security

12. Securing the storage of personal information processing

-ISO 27040 Storage Security

13. Securing the application of personal information processing

-ISO 27034 Application Security

14. Securing cloud computing of personal information processing

-ISO 27017 Cloud Security

15. Data privacy in cloud computing

-ISO 27018 Cloud Privacy

16. Information security in supplier relationship

-ISO 27036 Supplier Relationship

17. Handling of a security incident

-ISO 27035 Information Security Incident Management

18. Handling discovery of stored electronic evidence of the breach

-ISO 27050 Electronic Discovery

The ability to identify, analyze, map, and apply international community-driven standards is critical in capturing the valid user story associated with the data privacy and information security requirements of the project’s minimum viable product in engaging the customer or consumer.

Documented guidance on the right things to do, and on doing the right things right the first time in the integration of data privacy and information security in the digital development project, is enabled by the project organization’s direct access to globally recognized and implemented regulations and practice standards.

A government agency leading the development and deployment of digital products and services that involve the processing of personal information is by default communicating and implementing the adopted international standards pertaining to the laws, rules, and regulations on data privacy, information security, and cybersecurity. That is, if the government agency complies with the EO 605-2007 policy on quality management system standards in government and with the implementing rules and regulations of R.A. 10173.

The person or entity responsible for security and privacy governance and management controls what they know, and fails on what they omit to know.

The vendor-promoted security and privacy requirements find validity in rules and standards.

Acting on data privacy compliance rests on a fully informed “data subject,” “personal information controller,” and “personal information processor” as to what composes personal data, and as to what accountability and responsibility in upholding data privacy rights and principles compose the shared understanding of what the workplace needs to respect.

1. What is being protected by data privacy and information security rules and standards?

2. When does a business system, process, or technology violate the privacy of personal data and lead the data subject to exercise the right to complain?

3. What are the privacy and security control indicators that determine personal data protection and privacy in the observed system, process, or technology of personal data collection, transmission, retention, use, disclosure, sharing, and disposal?

4. How to assess the impact of system, process, or technology on data privacy and information security?

5. What are the key result areas, capability requirements, and performance indicators that compose the compliant and efficient data privacy and security management system?

A person or entity with the knowledge to protect the privacy of personal data and to enforce the exercise of privacy rights has to communicate with clarity, coherence, and completeness the view of rules and standards on the following components of the action.

1. Roles

2. Data

3. Process

4. Policy

5. Network

6. Application

7. Storage

8. Security

9. Supplier
