OWASP DevSecOps Guideline - v-0.2
Privacy
Privacy has become an important aspect of application security. GDPR, LGPD, CCPA and other laws and regulations have imposed several controls over the processing of PII (Personally Identifiable Information). To comply with those regulations, DevSecOps teams have to make sure that PII is used accordingly and that the data is protected against leaking.
To start, it is important to have a good understanding of what is considered PII:
- First and last name;
- Identifiable email ([email protected]);
- Identity card numbers;
- Location data (mobile);
- IP address.
This is not a complete list.
Some PII is considered sensitive and requires even more protection, such as:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data; and
- Biometric data (where processed to uniquely identify someone).
Most privacy regulations promote Privacy by Design, the approach where the development process addresses privacy concerns through the whole cycle, even before coding starts.
You have to create a PII data flow to make sure you apply the required protection to the data through its lifecycle. You also have to follow all the requirements related to the quality and volume of processed data.
All PII data processing requirements have to be specified. You have to create an inventory of all PII and evaluate the processing activity to make sure it follows all requirements, such as:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
After you make sure that the PII and the PII processing activity are mapped and comply with the privacy regulation you have to follow, it is important to apply the security measures that protect the data according to its criticality.
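One concrete DevSecOps control for the "protect data against leaking" and data-minimization points above is a check that scans application logs for the structured PII kinds listed in this section (email, IP address, identity numbers, location) and redacts them before the lines are stored. The following is an added example, not code from the OWASP guideline; the identity-number layout and the log lines are constructed for illustration, and free-text categories such as name or ethnic origin still need classification at the source rather than a regex.

```python
import re
from dataclasses import dataclass

# Patterns for the machine-readable PII kinds named in this section. Names and
# the sensitive free-text categories (ethnic origin, beliefs, ...) cannot be
# caught by a regex and must be classified where the data is collected.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Hypothetical identity-card number layout (constructed): nine digits.
    "id_number": re.compile(r"\b\d{9}\b"),
    # Decimal GPS coordinate pair as the sample app logs it (constructed).
    "location": re.compile(r"lat=-?\d+\.\d+,\s*lon=-?\d+\.\d+"),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    value: str

def scan_log(lines):
    """Return every PII occurrence found in the given log lines (CI gate input)."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for kind, pattern in PII_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(no, kind, match.group(0)))
    return findings

def redact(line):
    """Data-minimization step: replace each PII value with a typed placeholder."""
    for kind, pattern in PII_PATTERNS.items():
        line = pattern.sub(f"<{kind}>", line)
    return line

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "INFO login ok user=alice@example.com from=203.0.113.7",
    "INFO order 4711 shipped",
    "DEBUG profile update id_card=123456789 lat=48.85,lon=2.35",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.kind} -> {finding.value}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

In a pipeline, a non-empty result from `scan_log` over the test logs fails the build, while `redact` is the kind of transformation the logging layer applies before lines leave the process.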