CSA CCM DSP-08
Data Privacy by Design and Default

Data privacy should be a core consideration when designing systems, products, and business practices. Default privacy settings need to align with all relevant laws and regulations. By embracing privacy by design, organizations can foster a culture of data protection that meets compliance obligations and customer expectations.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10, released on 2023-09-26. You can download the full matrix here. The matrix provides a comprehensive set of security controls specifically designed for cloud computing environments. For more general privacy by design principles, refer to the 7 Foundational Principles defined by Ann Cavoukian.

Who should care?

  • System architects designing new applications that process personal data
  • Product managers defining roadmaps and requirements for cloud services
  • Executives and legal counsel responsible for ensuring regulatory compliance
  • Developers implementing technical controls to enforce privacy settings

What is the risk?

Failure to consider data privacy upfront can lead to embarrassing and costly data breaches. Personal information may be inadvertently exposed due to misconfigured access controls or overly permissive default settings. This can result in reputational damage, customer loss, and hefty fines from increasingly strict privacy laws like GDPR and CCPA. Privacy-related vulnerabilities discovered late in the development lifecycle are far more expensive to fix.

What's the care factor?

Privacy should be a top concern for any organization collecting or processing personal data in the cloud. Major breaches continue to make headlines and heighten public awareness. Regulators are cracking down with record-breaking fines. And customers are becoming more selective about whom they trust with their information. While the risks and priorities will vary based on data sensitivity and applicable laws, every organization should have a baseline privacy-by-design practice in place.

When is it relevant?

Privacy by design is most effective when applied consistently across the entire data lifecycle - from initial collection through to final deletion. It's especially critical for new systems or major architecture changes. The principles are less relevant for legacy applications with established controls, or systems that don't handle personal data. Even then, it's beneficial to retroactively assess configurations against current standards.

What are the trade-offs?

Designing for privacy does require some upfront planning and effort. Architects need to carefully model data flows. Developers need to implement granular access controls and privacy-enhancing features. All of this takes time and may impact delivery schedules. Restrictive default configurations can negatively impact usability if not thoughtfully designed. And there will inevitably be some performance overhead for features like data encryption. However, these costs are generally far outweighed by the risk reduction benefits.

How to make it happen?

  1. Define organizational privacy policies aligned to legal obligations and risk appetite
  2. Incorporate privacy impact assessments into architecture and design processes
  3. Use data flow diagrams to map out collection, usage, storage, and sharing
  4. Implement strict access controls with role-based permissions
  5. Configure default settings to be as restrictive as possible while still allowing required usage
  6. Provide transparency to users about data practices and their privacy rights
  7. Ensure privacy policies and settings apply to sub-processors and third parties
  8. Leverage automation to continuously assess systems for compliance with baseline configurations
  9. Require privacy training for all developers handling personal data
  10. Implement breach detection and incident response procedures to quickly identify and contain exposures

What are some gotchas?

  • Complex or dynamic data supply chains can make it difficult to assess compliance of downstream processors
  • Privacy regulations vary widely across jurisdictions and may have overlapping or conflicting requirements
  • Internal resistance to restrictive default settings is common and needs to be proactively managed
  • Permissions for developers to modify privacy-related settings should be tightly controlled via IAM policies like secretsmanager:GetSecretValue
  • Retrofitting legacy applications can be prohibitively expensive compared to greenfield deployments

What are the alternatives?

Many privacy regulations allow for alternative compliance mechanisms such as Binding Corporate Rules or Standard Contractual Clauses. These place more reliance on legal agreements and processes rather than technical design. However, by design is generally seen as the gold standard, especially for cloud-native architectures.

Explore further

Let me know if you have any other questions! Designing for privacy is a complex topic but well worth the effort.

?

Blog

Learn cloud security with our research blog