Maksim Kabakou - Fotolia
Security Think Tank: Building privacy-preserving apps and platforms
ISACA’s Gaurav Deep Singh Johar explores how to embed privacy practices into digital platform architecture
Digital applications and platforms have become an essential feature for organisations, even more so since the onset of the Covid-19 pandemic and subsequent restrictions imposed on the public.
Organisations are moving swiftly towards building next-generation digital platforms to fuel digital sales and services, and these platforms are supporting all areas: sales, marketing, customer acquisition and service, product delivery, as well as a variety of internal functions.
As more services go digital, data privacy has become an important aspect for organisations, not only to uphold customer and employee trust, but also to ensure they comply with various local and international laws.
Let us understand digital platform architecture and how privacy practices need to be embedded. A digital platform is composed of the following layers:
- Enterprise gateway to connect to the internet and authenticate users.
- Presentation layer to present the applications to users.
- Integration layer to channelise service calls.
- Application layer to offer business applications and services.
- Data layer to record and retrieve master data elements and transactions.
Given the complexity of architecture and multiple data trajectories that are hosted by any modern digital platform, preserving the privacy and security of data throughout the data lifecycle – data acquisition, data storage, data manipulation, data processing, data transfer and data disposal – becomes a complex task.
Therefore, cross-functional expertise of privacy, information security, architecture, digital, data and technology risk professionals are needed to assess the effectiveness of privacy controls while these systems are designed. Also, there needs to be documentation around what data is being collected through digital platforms, why it is needed, and how it will be treated and preserved in the organisation.
The privacy by design concept is needed to ensure that privacy practices are built right from the conceptualisation phase and are carried out throughout the lifecycle of digital application development and operations. ISACA’s Privacy in practice 2021 report provides good insights on how privacy concepts need to be built from the start of engagements and what kinds of skillsets are needed to build such a practice.
For example, one of the survey findings was that “enterprises consistently using privacy by design are nearly two-and-a-half times more likely to be completely confident in the ability of their privacy team to ensure data privacy and achieve compliance with new privacy laws and regulations”.
When assessing the privacy controls around the design and development of digital platforms, risk professionals should evaluate the following areas (not an exhaustive list):
- What data elements are captured via the digital platform? For example, customer or employee personally identifiable information (PII), biometrics, behavioural or financial data.
- Can we minimise the data elements being requested through the digital apps unless necessary?
- Do the apps collect device-unique identifiers unless they are necessary for the app functioning?
- Is there data sharing or deep linking between different apps?
- Ensuring no PII data is stored in application logs unless necessary and building controls for timely deletion of the same.
- What controls are built around accessing sensitive information stored in the digital library?
- Will customer data be used for system training purposes, or would there be use of any artificial intelligence (AI) or machine learning (ML) capabilities?
- Will application testing be performed on synthetic data to ensure customer privacy?
- How would customer/employee consent be captured and is the consent language making them aware of the possible usage of their data?
- What controls are designed to ensure data deletion upon reaching the end of its retention period or withdrawal of customer consent?
- What monitoring and logging controls are built in to ensure timely identification and reporting of privacy breaches?
- Do we have third-party contractual language mandating privacy requirements whenever data is exposed externally?
While the above controls are illustrative, a detailed assessment is needed in the system design phase or whenever further expansions or changes are planned around digital applications. In addition to the design and development phases, privacy controls need to be exercised throughout the core architecture and functionality of the platform so that it is ingrained in depth during the operation of these mobile platforms.
As we are living in the digital era, privacy has become an important pillar for building secure digital platforms and there is no one-size-fits-all approach. To get it right the first time, organisations need to account for all key components – having well-defined privacy policies and controls, inclusion of qualified privacy and risk professionals, training and awareness for the project teams, building privacy language into third-party contracts and having a sound incident management process to handle any possible privacy breaches.
As they say, privacy is a journey, not a destination. Organisations have started their journey to build privacy into their digital offerings.
Gaurav Deep Singh Johar, CISA, CISM, CRISC, CDPSE, is a member of ISACA’s Emerging Trends Working Group. Currently based in Toronto, Canada, he works as a digital technology risk officer at a large financial services organisation.