A Glossary of
Security and Data Privacy Terminology
What is Static Application Security Testing [SAST]?
Static Application Security Testing (SAST) is a vulnerability scanning technique focusing on source code, bytecode, or assembly code. In general, static program analysis recommends program behavior by analyzing its source code without running it.
The code is the focus of static application security testing (SAST). It runs early in the CI pipeline and scans the source code, bytecode, or binary code for coding patterns that violate best practices and may cause problems. SAST tools are designed to assist developers in writing more secure code by detecting suspicious builds, unsafe API usage, and dangerous runtime errors early on.
SAST tools scan your code for security flaws, such as saving passwords in plain text or transmitting data over an unencrypted connection. They then compare it to best practices standards to recommend how to fix it.
Privacy, Data Security, and SAST
Data protection laws require data privacy must be integrated into the system from beginning to end.
This is known as "Privacy by Design," It is a legal requirement under the GDPR (GDPR Article 25) for you to implement appropriate technical and organizational measures to enforce data protection principles and effectively protect individual rights.
The Privacy by Design approach emphasizes proactive rather than reactive measures. This entails foreseeing and preventing breaches of confidentiality before they occur and taking action rather than waiting for privacy threats to manifest.
Fair, transparent, and lawful processing are the cornerstones of data protection laws, and any vulnerabilities in your code during or after production can jeopardize the standards of these principles. Static analysis can be a very effective tool for "baking" data protection into your processing activities and business applications from the beginning of the design process. It ensures that the system is powerful to begin with.
This is why Static Application Security Testing can be used not just as a way to test software but also to ensure it is safe and protected by design.
However, static analysis techniques differ; not all test the same things in the system. You can create rules that ensure software builds are safe and use static analysis as an accurate preventative measure during code analysis with the right static analysis technique.
With Static Application Security Testing (SAST), you can identify problems before anything is checked out during the development phase. SAST can run on source code; it can pinpoint the exact location of a vulnerability. This increases the effectiveness of finding and fixing them.
Since SAST tools apply all of their rules to your codebase, which depends on vast guidelines database, they can detect security vulnerabilities you didn't even know existed.
What is Code Scanning?
Code scanning is one of the tools used to identify potential security issues within an application. Code scanning tools examine the code in your application's current iteration, inspect the code for bugs and vulnerabilities, and provide a summary of the findings which can sometimes be displayed on a dashboard.
Code scanning identifies potential issues developers should address before proceeding with the application development process. This will enable you to address them quickly and increase the security of your application.
Detecting vulnerabilities in an application before it enters the production phase can significantly reduce the risk of security errors and the cost and difficulty of fixing them.
Do you need Code Scanning?
Code scanning is an integral part of an organization's application security program and is essential for regulatory compliance.
According to GDPR, organizations must now determine whether their applications process personal data and take organizational and technical measures to keep this personal data safe. (GDPR Article 32)
For example, If you have multiple central databases accessed by many applications, it will not be sufficient to identify the databases simply; a code scan must be performed at the application level.
Applications can process personal data without a database as well. For instance, a piece of source code can read, process, and share data, and this data might be personal data with other components combined. Even if these data are not considered personal data on their own, they can become personal data if combined with other data. (GDPR Article 4.1)
Is your code privacy compliant?
If your code runs a script that reads personal data and creates various security vulnerabilities, you won't be able to detect it without scanning the code. Code scanning allows you to identify, categorize, and prioritize fixes for existing bugs in your code.
In any investigation following a data breach, submitting code scan results and a report classifying and prioritizing the errors you've identified and the precautions you've taken will demonstrate that you've taken responsibility for securing the data seriously and handled it with care.
This can save you from hefty regulatory penalties and reputation damage.
Code Scanning Approaches
Static Analysis Security Testing (SAST) of the application source code detects application vulnerabilities by modeling its execution state and applying rules based on common code patterns.
Dynamic Application Security Testing (DAST) uses a library of known attacks on the application to detect vulnerabilities. DAST identifies application vulnerabilities by testing its response to unusual or malicious inputs.
Interactive Analysis Security Testing (IAST) uses instrumentation to view an application's inputs and outputs in the execution state. This runtime visibility enables it to detect unusual behavior that may indicate application vulnerabilities.
Due to the difficulty of later creating and distributing software patches, fixing vulnerabilities in a deployed application will be expensive and time-consuming.
Production-related vulnerabilities will make your application vulnerable, implying that your product is not secure or meets the expectations of security standards and related regulations. With code scanning, you can take immediate action and fix these vulnerabilities.
What is Data Protection Impact Assessment [DPIA]?
DPIA is a process that helps organizations identify and mitigate privacy risks.
The objective of a DPIA is to investigate potential problems in advance so that they can be mitigated, thereby decreasing the likelihood of their occurrence and associated costs. Following that, organizations can take appropriate steps to mitigate and manage identified risks.
GDPR requires a Data Protection Impact Assessment (DPIA) when introducing new data processing processes, systems, or technologies. (GDPR Article 35)
DPIAs are critical for meeting the requirements for "data protection by design" and "data protection by default" as they help demonstrate compliance with data protection principles and the accountability principle. (GDPR Article 5.2, 25)
Conducting DPIAs before implementing or launching a new project involving the processing of personal data can help avoid non-compliance, the potential costs of a claim, and associated reputational damage.
When to do it?
GDPR requires DPIAs to be conducted 'prior to processing.' Therefore, organizations must ensure that no new projects are initiated before a DPIA is considered and, where necessary, conducted. As a result, determining whether a DPIA is required should be done early on as part of project management procedures.
Do I need a DPIA?
Ask yourself: Are you a controller or processor?
The controller is responsible for performing a DPIA.
Processors involved in relevant processing activities are required to assist under their contract with the controller, but they are not required to conduct DPIAs directly.
Ask yourself: What are the nature, scope, context, and purposes of the processing?
A DPIA is mandatory only if there is a high risk to data subjects' rights and freedoms or if otherwise required by law. (GDPR Article 35)
GDPR lists four situations requiring a DPIA:
1) A systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, that would have legal or other significant effects on the persons.
2) Large-scale processing of special categories of data (Article 9.1) or personal data relating to criminal convictions and offenses (Article 10).
3) Systematic, large-scale public area monitoring.
4) Any processing on a list published by your competent supervisory authority or the European Data Protection Board.
This is a non-exhaustive list, and there are numerous data processing activities. Examples are provided in the list published by the EDPB (ex-data protection working party) Guidelines (Reference Below). Thus, it is essential to determine if your personal data processing activities fall into one of these categories.
You should consult with a DPO to identify these activities, as they should have the necessary experience and expertise.
If you do not have access to a DPO, you may contact the supervisory authority instead.
How to conduct DPIA?
Under Article 35(7) of the GDPR and the ICO's Code of Practice, the following steps must be taken:
1-Explain data processing activities and processing purposes
2-Assess the necessity and proportionality of the processing activities in relation to the purposes
3-Evaluate data protection risks
4-Identify measures to address risks
Even if a DPIA is not required for proposed processing activities, organizations must ensure that all proposed activities involving personal data adhere to GDPR principles.
After the DPIA:
Documenting agreed solutions is an essential part of the DPIA process.
Findings will need to be communicated internally, and a plan should be agreed upon on how the proposals will be integrated into the project. Additionally, it will be important to follow up with the project team to ensure the agreed-upon changes are implemented and have the desired impact. Completed DPIA can also be used as a post-implementation tool for future data protection audits and updates to DPIA.
In conclusion, DPIAs should be considered whenever new technologies or processes involving the collection, use, and sharing of personal data emerge or when significant changes are made to existing data processing activities, even if only a portion of these projects are required to conduct a DPIA under the GDPR.
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether the processing is "likely to result in a high risk" for the purposes of Regulation 2016/679-DATA PROTECTION WORKING PARTY- https://ec.europa.eu/newsroom/article29/items/611236
What is Privacy Impact Assessment [PIA]?
Privacy Impact Assessments are used to determine the level of risk that your processing activities pose to individuals' rights and freedoms. Based on the results of this survey, you assess the project's privacy risks and implement appropriate mitigation measures and controls.
In short, PIA is a process that helps organizations identify and minimize the privacy risks of new projects or policies.
How is it different from Data Protection Impact Assessment?
While these terms are frequently used interchangeably, the term DPIA is clearly defined in the GDPR and includes specific elements (specified in article 35) that must be captured when a DPIA is conducted.
While Data Protection Impact Assessment is a legal requirement that is not always mandatory, all organizations that process personal data should have privacy impact assessment integrated as a valuable organizational practice.
While DPIA should be kept in a GDPR-compliant format, PIA can be kept in a more flexible format. A brief risk analysis or survey can be used as an example of privacy impact assessment and can be used to determine whether DPIA is required.
PIAs are practical tools for identifying privacy risks and accelerating an organization's ability to manage data privacy and privacy processes.
How to do PIA?
PIA can be all-encompassing as it is a flexible process that must consider the balance between the risks and benefits of the processing activity.
Some laws in the United States may require you to conduct a PIA, and in that case, it should be considered that each state's laws and practices and PIA requirements must be addressed separately. PIA is not directly mentioned in GDPR.
For example, the California Privacy Rights Act (CPRA) establishes a fairly broad threshold for performing a PIA.
Data controllers must balance the risks and benefits of the processing activity and include context, the relationship between the controller and the consumer whose personal data will be processed, reasonable consumer expectations, and anonymized data in their PIAs. It is important that PIAs do not become pointless box-checking exercises.
Using a concise set of screening questions to determine the extent to which a PIA is required can help prioritize projects and maximize the use of limited resources. PIAs can also be used as auxiliary tools in the development of DPIAs.
You can automate this process by requiring project teams to describe their proposed data processing activities at a high level and answer a few key screening questions online.
For those who want to focus on the DPIA requirements of the GDPR, you can limit the screening questions to the high-risk areas defined in the GDPR, ICO lists, and related guidance.
In addition to screening questions, it is advantageous for the project kickoff documents to request fundamental information about the project context and participants. This information can serve as the foundation for descriptions of processing activities, consultations with interested parties, and risk assessments.
What is Data Mapping?
As the name suggests, data mapping is a term for mapping the journey of data in an organization. It helps organizations visualize how data moves or flows within the organization.
The GDPR requires businesses to manage and secure their customers' data fairly and securely. Applying any form of security without thoroughly understanding the data lifecycle is difficult. That is why data mapping is a critical step toward GDPR compliance.
Data Mapping is all about tracking data from its origin to its destination within an organization to ensure its security, and you can visualize the data flow by asking the following questions about data management processes:
WHY do you process data?
WHAT data do you process?
WHERE do you store data?
WHO has access to your data?
HOW does data flow in your organization?
HOW do you collect data?
Organizations must understand what data they are collecting, how they are using it, and with whom they share it to improve their data privacy safeguards and ensure regulatory compliance.
This is also the key first step for an audit function.
Do I need to do Data Mapping?
Data mapping is NOT mandatory but a pillar to build a robust data privacy program.
As you may recall, if you process personal data, you are usually required by the GDPR to keep formal, documented, comprehensive, and accurate RoPA (Article 30), and in fact, ROPA is expected to be based on a data mapping exercise.
Data Mapping allows you to identify data assets and associated risk levels and define their categories and intended uses.
With data mapping, you can classify and evaluate your data based on risk levels, allowing you to make the necessary investments to reduce your business risks while utilizing your resources most efficiently.
Key requirements of Data Mapping
- Record processing activities in electronic form so you can easily add, remove, and amend data.
- Check the records against processing activities, policies, and procedures regularly to ensure that they are accurate and up to date, and assign clear responsibilities for data mapping processes.
- For data minimization purposes, review your processing activities and data types regularly.
Healthy practices to maintain a data map
- Use a well-designed and easy-to-follow questionnaire.
- Identify key resources and stakeholders.
- Review related business policies and documents.
- Review, revise and update data maps regularly to ensure accuracy.
Data Mapping beyond compliance
Taking an inventory of your information improves your information management while complying with other areas of data protection regulation, such as creating a privacy statement and securing personal data. It is a simple way to demonstrate that you follow the principle of accountability, showing data protection authorities how you handle data in your organization when necessary.
Data Mapping is not just a compliance issue; it is strategic and allows you to manage your business risks. Since your data processing activities will be progressing regularly with Data Mapping, you will be able to avoid time and resource waste in your future data processing activities.
With data mapping, you will have a well-structured data management framework, defined and classified data, the ability to apply the appropriate data security level, and the ability to do effective risk management beyond compliance.
What is Privacy by Design [PbD]?
Privacy by Design refers to a software development approach that considers privacy concerns from the beginning of the design process. It is the process of ensuring that all personal data collection, processing, storage, and destruction measures are designed to protect privacy.
Privacy by Design is all about "baking" data protection into your processing activities and business applications at the design stage. Under the GDPR, it is a legal requirement for you to implement appropriate technical and organizational measures to enforce data protection principles and protect individual rights effectively.
This is called "Data protection by design and by default." (GDPR Article 25)
How can your business comply?
Data protection by Design requires you to consider data protection and privacy in everything you do.
In this way, it enables you to comply with the fundamental principles and requirements of the GDPR, emphasize accountability, and transparently show that you are processing data responsibly.
To comply with this principle, you should review the privacy considerations that may arise when developing new IT systems, services, products and processes, policies, and processes. DPIAs (Data protection impact assessments) are an essential part of data protection by Design and by default process, ensuring that all personal data collection, processing, storage, and destruction measures are designed to secure privacy.
When you understand the threats to data subjects' rights, it is much easier to put safeguards in place, allowing you to take necessary safeguards and incorporate them into your designs from the beginning.
Key principles of Privacy by Design
Ontario's Information and Privacy Commissioner (IPC) published a comprehensive primer on privacy by Design in the 1990s, which has since been updated and remains an authoritative source on ensuring privacy in business applications by default.
It establishes seven data protection concepts through Design.
Proactive not reactive; preventative not remedial.
Privacy as the default setting.
Privacy embedded into Design.
Full functionality – positive-sum, not zero-sum.
End-to-end security – full lifecycle protection.
Visibility and transparency – keep it open.
Respect for user privacy – keep it user-centric.
10 Steps to embed Privacy by Design – Healthy practices
1- Do you have a lawful basis for processing "personal data"? Review your purpose(s) before the information is collected or used for a new purpose. Inform data subjects about their rights and options.
2- Handle personal data open and transparent manner. Provide clear and easy-to-find information on the policies and procedures for handling personal data, and let people know about significant changes.
3-Minimize the amount of personal data processed and the number of third parties involved, anonymize or pseudonymize the data where possible, and delete personal data when no longer required.
5-Determine the conditions for using or disclosing personal data and limit the use and disclosure of personal data for direct marketing purposes.
6-Make sure that the personal data collected, used, or disclosed is correct, up-to-date, and complete.
7-Protect personal data and take technical and organizational measures. (Ensure Security)
8-Establish the terms and circumstances for accessing personal information and carefully define the authorizations.
9- Define complaint procedures, and provide information on privacy breaches, including sanctions and compensation.
10-Establish controls at the operational, functional, and strategic levels to ensure personal data's integrity, confidentiality, and availability throughout its lifecycle.
Privacy compliance: Have appropriate internal controls, independent audit mechanisms, periodic audits, and privacy risk assessments.
What is Data Flow?
Data Flow is the journey of data from the point of collection to where it flows to third parties throughout your organization.
Understanding the data flow allows us to map the data journey and enable businesses to manage and secure their customers' data fairly and securely. Implementing any type of security is difficult without thoroughly understanding the data lifecycle.
Data flow is the tracking of where data flows from source to destination, and it is possible to visualize data flow by asking the following questions about data management processes:
- What data exists?
- Where is it kept?
- Under what conditions is it kept?
- Where is it transferred? (if any)
When you can answer these questions thoroughly, we can safely assume that you have a comprehensive understanding of the data flow within your organization.
Understanding the Data Flow is a crucial step before performing Data Mapping and determining the regulations to which we will be subject, particularly when transferring data to third parties (third country or an international organization).
Components of Data Flows
The data flow has four fundamental components: data items, formats, transfer methods, and locations.
You will be able to build your data map based on those components.
1- Data items are information itself.
It addresses the question: What information do you have about a data subject? For instance, if the transaction uses only one person's address, that address will be the transaction's data item.
2- Formats is the state in which data items are stored.
You can fully comprehend the data flow by identifying all the actual data storage formats you utilize.
3- Transfer methods explain how physical or electronic data items are moved from one location to another.
E-mail, fax, or cloud storage? At this point, data flow takes on a physical form.
4-Locations are locations where data is stored and processed.
Data servers, cloud servers, portable hard drives, and any other physical location?It is critical to answer this question to find data quickly when needed.
In conclusion, when we talk about data flow, we usually mean the movement of data from the point of data collection to third parties throughout the organization. The first step in safeguarding this data is comprehending the term "Data Flow" and visualizing its movement. You can start by visualizing the data flow and tracing its path from the source to the final transfer point.
*Reference: IT GOVERNANCE PRIVACY TEAM. (2020). EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition. IT Governance Publishing. https://doi.org/10.2307/j.ctv17f12pc (Data Mapping-Page 191,192)
What is Record of Processing Activities (RoPA)?
A RoPA is a comprehensive overview of an organization's personal data processing activities and the most important related details.
Also known as a data inventory, a RoPA supports business record-keeping efforts to promote accountability for complying with the GDPR and other privacy laws and regulations. When preparing the RoPA, you will be answering two critical questions: What personal data does your organization hold and where?
Why do companies need to keep RoPA?
To Assure the GDPR Compliance
To be compliant with the GDPR, the controller or processor should maintain records of processing activities under its responsibility. (GDPR Article 30) Article 30 requires businesses to keep "records of processing activities," which will allow regulators to see if organizations are in compliance with GDPR. Each controller and processor is required to cooperate with the supervisory authority and make those records available to it upon request so that it can monitor those processing operations.
Do I need a RoPA?
You must maintain RoPA if:
- Your company has 250 or more employees.
- Processing personal data is likely to risk the rights and freedoms of data subjects, (Example: video surveillance, a processing activity that can create discrimination, identity theft or fraud, financial loss, significant economic or social disadvantage.)
- Processing is not occasional (one-time marketing campaign);
- Processing includes special categories of data (health, racial or ethnic origin, etc.) or
- Processing of data relating to criminal convictions and offences.
Important Insight: Many businesses believe they do not require RoPA because they have fewer than 250 employees. However, this is not the only criterion.
If you process personal data on a non-occasional basis, which is usually the case, you should have a RoPA in place for those activities. For example, suppose you regularly manage salaries, clients, suppliers, or other personal information to provide your service. In that case, you will require a RoPA because these are non-occasional processing activities.
If you are a controller–if you decide on the purposes and means of processing–you must include those details in RoPA:
- Name and Contact details of your organization, data processor, data controller’s representative, joint controller, and data protection officer (DPO), if applicable;
- Purpose of the processing.
- Description of categories of data subjects and categories of personal data.
- Categories of recipients.
- Third parties which receive the personal data if applicable and suitable safeguards utilized;
- Retention schedule for each category of personal data if possible.
- Description of technical and organizational security measures (TOMs).
If you are a processor–if you act on behalf of the controller and process personal data:
- Name and contact details of your organization, controller on whose behalf you are acting, data protection officer or representative if applicable.
- Categories of processing you conduct or carry out on behalf of each controller.
- Name of third country or organization that you transfer personal data to if applicable and suitable safeguards utilized.
- Description of technical and organizational security measure (TOMs).
A Healthy Practice of a RoPA
1. Audit of all available personal data
A good idea when starting with a RoPA is to do an information audit of information to clarify what personal data the company holds, where, and how it processes it.
2. Documentation of activities
You should keep records in written and electronic form. It is also essential to do it in a structured and meaningful way. Moreover, if the records must be kept, they should be stored in a centralized way.
3. A RoPA must represent the current situation
Of your data processing activities, so it needs to be updated regularly when you start doing a new processing or change existing processing activities.
As we previously stated, you require RoPA to understand what personal data you process and where you keep it.
It is the fundamental document that will demonstrate to supervisory authorities that you are processing personal data responsibly and, if done correctly, will keep you out of further investigations. Your company must have a formal, documented, comprehensive, and accurate ROPA that is based on a data mapping exercise that is reviewed on a regular basis.
A well-prepared RoPA not only satisfies GDPR requirements and is critical for your data governance activities, but it is also an important document for fostering trust and confidence among stakeholders. It will prepare you for unexpected privacy issues and protect you from reputational damage, enforcement actions, and hefty fines.
Try to create your RoPA
You can find some sample templates shared by some data protection supervisory authorities at the link below. If you have a small business, you can easily incorporate them and build your RoPA.
RoPA Templates shared by the French data protection authority (CNIL) and the UK data protection authority (ICO):