European Union Agency for Cybersecurity publishes new report on data protection engineering

ENISA explains that the evolution of technology has given rise to new techniques to share, process and store data. These new technologies have often been introduced without a prior assessment of the impact on privacy and data protection, while new threats and attack vectors have introduced additional challenges.

ENISA says that its new report takes a broader look into data protection engineering to support practitioners and organisations. It seeks to help them with the practical implementation of the technical aspects of data protection by design and by default.

Data protection by design has been a legal obligation since the GDPR came into effect in 2018. The concept is often associated with the use of specific Privacy Enhancing Technologies (PETs). However, it also extends to various technological and organisational components meant to implement data protection principles. Engineering those principles into practice not only means integrating them into the design of the processing operation but also selecting, deploying, configuring and maintaining the appropriate technological measures and techniques to that effect.

ENISA’s report provides an analysis of possible strengths of techniques in several areas, including anonymisation, data masking, privacy-preserving computations, storage, transparency and user control tools.

The report is designed to help assess which techniques are most relevant to each processing operation, based on the needs of the data controller, by setting out their strengths and possible limitations.

Traditional security techniques such as access control and privacy-preserving storage are discussed in addition to novel concepts such as synthetic data, which introduce new opportunities and challenges.

The report underlines the importance of policy guidance and the ability to demonstrate compliance and provide assurance to end-users.

ENISA is currently setting up an Ad Hoc Working Group in the area of Data Protection Engineering. Applications for the Ad-Hoc Working Group on Data Protection Engineering can be made until 15 February 2022 12:00 noon EET (Athens time zone). The role of the Group will be to support the analysis of available or emerging technologies and techniques in the area in order to identify and highlight good practices and innovative security techniques.