Secure Computing and Hands-on Privacy By Design - Nikolai Norman Andersen - NDC Oslo 2024

Explore practical privacy-by-design implementation with encryption, secure computing, and data minimization. Learn GDPR compliance and tools for protecting personal data.

Key takeaways
  • Privacy by design requires considering data protection from the start of system design, not as an afterthought

  • Personal data is defined broadly under GDPR - it covers both direct and indirect identifiers, such as IP addresses, device IDs, and any other data that can single out an individual

  • Anonymization is the permanent and irreversible removal of identifying information, while pseudonymization replaces identifiers in a way that can be reversed with additional information held separately (pseudonymized data therefore remains personal data)

  • International data transfers, especially to the US, require adequate protection measures like standard contractual clauses or adequacy decisions

  • Encryption alone does not make data non-personal - encrypted personal data is still considered personal data under GDPR

  • Client-side encryption and secure enclaves can help protect data by processing it in secure environments before it reaches servers

  • Managed identities in cloud platforms provide secure ways to handle authentication without exposing secrets

  • Data minimization is key - collect and expose only the minimum necessary personal data for the specific purpose

  • Statistical data needs careful aggregation and suppression techniques to prevent re-identification of individuals

  • Tools like SOPS can keep encrypted secrets in source control, so they are versioned alongside the code without being exposed in plaintext

  • Organizations are responsible for ensuring their data processors and third parties handle data with adequate protection

  • Privacy considerations must cover both customer and employee personal data with equal protection levels
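The pseudonymization and the aggregation-with-suppression takeaways above, worked through as an added example (not code from the talk or the speaker): identifiers are replaced with keyed HMAC tokens, where the key is the "additional information" that keeps the data pseudonymous rather than anonymous, and per-group counts suppress small cells, including a second cell when a published total would otherwise let a reader recover the suppressed one by subtraction. The records, field names and threshold are constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not from the talk): one row per employee.
RECORDS = (
    [{"user_id": f"eng{i}", "department": "engineering"} for i in range(6)]
    + [{"user_id": f"sal{i}", "department": "sales"} for i in range(5)]
    + [{"user_id": f"leg{i}", "department": "legal"} for i in range(2)]
)


def pseudonymize(records, key: bytes, field="user_id"):
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Whoever holds `key` can re-derive the token from the original id and re-link
    the rows, so this is pseudonymization, not anonymization: the output is
    still personal data. Store the key separately from the dataset.
    """
    out = []
    for r in records:
        token = hmac.new(key, r[field].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**r, field: token})
    return out


def suppressed_counts(records, group_field, threshold=5, publish_total=True):
    """Count rows per group and suppress cells below `threshold`.

    Returns (cells, total). A suppressed cell is reported as None. If the total
    is published and exactly one cell was suppressed, that cell equals
    total minus the visible cells, so the smallest remaining cell is suppressed
    as well (the simplest form of complementary suppression).
    """
    counts = Counter(r[group_field] for r in records)
    suppressed = {g for g, c in counts.items() if c < threshold}
    if publish_total and len(suppressed) == 1 and len(counts) > 1:
        remaining = sorted((c, g) for g, c in counts.items() if g not in suppressed)
        suppressed.add(remaining[0][1])
    cells = {g: (None if g in suppressed else c) for g, c in counts.items()}
    total = sum(counts.values()) if publish_total else None
    return cells, total


if __name__ == "__main__":
    print(pseudonymize(RECORDS, b"constructed-demo-key")[:2])
    print(suppressed_counts(RECORDS, "department", threshold=5))
```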