Secure Computing and Hands-on Privacy By Design - Nikolai Norman Andersen - NDC Oslo 2024

Privacy by design requires considering data protection from the start of system design, not as an afterthought

Personal data has a broad definition under GDPR - includes direct and indirect identifiers like IP addresses, device IDs, and any data that can identify individuals

Anonymization is permanent and irreversible removal of identifying information, while pseudonymization allows data to be restored with additional information

International data transfers, especially to the US, require adequate protection measures like standard contractual clauses or adequacy decisions

Encryption alone does not make data non-personal - encrypted personal data is still considered personal data under GDPR

Client-side encryption and secure enclaves can help protect data by processing it in secure environments before it reaches servers

Managed identities in cloud platforms provide secure ways to handle authentication without exposing secrets

Data minimization is key - collect and expose only the minimum necessary personal data for the specific purpose

Statistical data needs careful aggregation and suppression techniques to prevent re-identification of individuals

Tools like SOPS can help manage encrypted secrets in source control while maintaining security

Organizations are responsible for ensuring their data processors and third parties handle data with adequate protection

Privacy considerations must cover both customer and employee personal data with equal protection levels