What Devs Need to Do to Protect PII, part 2

In the previous article, I described the importance of protecting PII. So GDPR applies to everyone who works with or collects user's data, whether it's a pet project or a large business. Here are some best practices thats developers can follow to safeguard PII and achieve GDPR compliance.

1. Make audit and document PII usages

Before diving into technical aspects, need to understand what PII is and the key principles of GDPR. Make sure that key people in your organization (not just in the IT department) appreciate the importance of GDPR and compliance with it. Begin by documenting all personal data you hold, its sources, and the parties you share it with. Conducting an information audit may be necessary to achieve this. This process will help you comprehend how to segregate and store data at different levels of sensitivity. At a minimum, define three levels of data classification: restricted, private, and public.

2. Minimize PII storage & usage

It's simple here. Collect only PII you really need. Limiting data collection not only reduces potential risks associated with data breaches but also aligns with GDPR's principle of data minimization.

3. Describe and Implement Data Privacy Policy

Obtaining clear, explicit, and informed consent from users before processing their PII is a crucial aspect of data privacy. To achieve this, design user-friendly interfaces that facilitate consent management, allowing users to easily withdraw or modify their consent choices. Also it is important to provide transparent information on how their data will be used and offering granular control over their consent preferences, and users can make informed decisions about their data sharing preferences.

Engineers should create mechanisms that enable users to exercise their rights under GDPR. This includes the right to access, update, delete, and restrict the processing of their personal data, as well as the right to data portability. At the same time, needs to define a clear data retention policy with tech solution, and securely delete all PII when user will request it, it is no longer needed or when the retention period has ended.

4. Restrict access to PII sources (API, DB)

Implement access control policies based on least privilege and role-based access control and ensure that only authorized users have access to PII. Developing an Acceptable Use Policy (AUP) clarifies who is permitted to access PII and outlines the appropriate practices for handling such data.

It is equally important to control access not only to databases, but also to messaging topics, and APIs. A common mistake here is a API with filter that allows to select any PII data without checking access to it (GraphQL). APIs rate limits and consistently monitoring APIs usages can help prevent mitigate data leaks.

5. Encrypt and Secure PII Handling

Identifying where PII is stored is a critical step in securing sensitive data. PII could be stored in various locations, such as servers, cloud platforms, or even employee laptops. Remember to consider the three data states: data in-use, at-rest, and in-motion. It will help you better understand the systems you need to protect. Take a look at these tips:

1. Implement strong encryption algorithms for data at rest and in transit. Use industry-standard methods like AES for encrypting stored data and secure communication protocols like HTTPS or TLS for data transmission. Adopt secure coding practices to prevent common vulnerabilities and ensure the confidentiality, integrity, and availability of PII.
2. Adhering to international standards for storage security, such as ISO/IEC 27040, is crucial. This standard calls for physical, technical, and administrative controls to protect storage systems, infrastructure, and the data stored within them.
3. One effective and emerging method for protecting PII is using a PII vault. A data privacy vault offers a sophisticated approach to data management, enabling you to securely store sensitive data within your environment and making it easily accessible only to verified users and applications. Vaults also encrypt/tokenize your data, making it unreadable to outsiders who may try to intercept it while it's at rest or in motion.
4. Be sure to mask PII when it serves a non-functional purpose, such as PII data in logs. Log storage can be a weak spot, as it contains a detailed record of the data applications collect, share, and generate. Although it is not a best practice, log files sometimes contain PII information associated with logins, user profiles, and other sensitive data.

6. Create standards and processes

• Breach notification. In line with Article 33 of the GDPR, develop a breach notification procedure to ensure timely reporting of any data breaches. This process should include the identification, assessment, and notification of breaches within the stipulated 72-hour window, as well as the implementation of appropriate measures to mitigate the impact of such incidents.
• Vulnerability report. Encourage a security-conscious culture within your organization by providing an easy way for employees to report suspicious behavior or potential threats. Establishing clear channels for reporting and promoting a proactive approach to security can contribute to early detection and prevention of data breaches.
• Departing processes. When employees depart from the organization, have a clear process in place to revoke their access to sensitive data, systems, and applications. This measure helps to minimize the risk of unauthorized access or misuse of PII.
• Vendor Management. Finally, manage your vendors effectively by conducting thorough due diligence and risk assessments before entering into contracts. Continuously monitor vendor compliance with data protection regulations and security standards to ensure that PII remains protected throughout the supply chain.

7. Make security training regularly

Self-Educate and Educate your development team on data security and privacy best practices. Regular training helps maintain awareness and fosters a culture of data protection within your organization. Just use some of these platforms: cybrary, pluralsight or coursera.