Privacy by design a cornerstone of data protection compliance programs
In a connected laboratory, data privacy considerations are particularly relevant. Connected devices power innovative research, cognitive computing, machine learning, and artificial intelligence. In many cases, these devices also capture and share personal information. This increases the risk of using information about people in a way that’s not compliant with the law or with people’s expectations.
Companies supporting the connected lab must take data protection seriously. To partner effectively with global organizations, device manufacturers must commit to their General Data Protection Regulation (GDPR) compliance responsibilities and continue to develop and maintain data protection compliance programs intended to address the requirements of the GDPR and global privacy laws.
Developing data protection compliance programs
Leading providers of connected devices must ensure their processing activities and those of their partners and suppliers adhere to standards imposed by applicable global data protection and privacy laws, including the GDPR, and that their products and services support customers’ GDPR compliance efforts.
Effective data protection compliance programs typically address the following best practices:
- Maintain policies, procedures and protocols to help ensure the organization only processes personal data lawfully, fairly, transparently and in accordance with other privacy standards set forth in the GDPR;
- Focus on selecting vendors that have implemented robust data protection measures and will execute appropriate data processing agreements;
- Implement procedures and protocols to give effect to data subject rights and comply with relevant requirements under the GDPR as appropriate;
- Perform data protection impact assessments for data processing activities as required;
- Design products, services and internal systems with data privacy principles in mind (privacy by design and by default); and
- Implement and maintain reasonable and appropriate technical, physical and organizational security measures to protect the data that the organization processes.
Once these programs are implemented, organizations committed to meeting their data protection responsibilities must constantly maintain and improve them.
Privacy by design principles
When developing the devices used in a connected laboratory, a Privacy by Design approach helps ensure that the processing of any personal information complies with the law. When processing data, all members of the device manufacturer’s workforce must consider the potential risk of harm to individuals and the reasonableness of processing the data for which they are responsible. The Privacy by Design procedures are based on the following principles:
- Data minimization and privacy by default – Configure/design systems, processes and solutions so that only the minimum necessary personal information is collected, processed, accessed, disclosed, etc. Develop/configure settings limiting the access to and/or sharing of personal information.
- Privacy by design for correction, updates and searching – Include functionality to correct and update personal information where necessary to ensure ongoing data quality. Include functionality to search and extract personal information relating to specific individuals.
- De-identify personal information where appropriate – Include functionality to de-identify (or delete) personal information when it is no longer needed in relation to the identified purpose.
- Security by design – Implement technical and organizational security measures appropriate to the privacy risk posed by the processing of particular personal information, including consideration of the use of encryption and/or pseudonymization, and the ability to continue to update and improve these measures when necessary.
Privacy by Design is an essential component of a successful data protection compliance program, and device manufacturers must build its principles into the software development lifecycle for all connected devices. The goal is to ensure that individuals can exercise their rights to privacy in accordance with GDPR and global privacy laws.
Tess McCarthy is Senior Manager, Cybersecurity Resilience & Culture, Corporate Information Security (CIS) Program at Thermo Fisher Scientific.