# O3.17 Ensure compliance with privacy laws and evaluate risks around PII

{% tabs %}
{% tab title="Principle" %}
[O3: Ensure data privacy by design](https://safedpi.gitbook.io/safeguards/universal-dpi-safeguards-framework/principles/operational-principles/o3-ensure-data-privacy-by-design)
{% endtab %}

{% tab title="Risk" %}

{% endtab %}

{% tab title="Life Cycle Stage " %}
[L2: Strategy & Design](https://safedpi.gitbook.io/safeguards/universal-dpi-safeguards-framework/life-cycle-stages)
{% endtab %}
{% endtabs %}

## Practices

> Configure systems to automatically enforce the highest privacy settings as default, minimizing the amount of personal data collected and ensuring that only necessary data is processed.
>
> Practice data minimization, which is the retention of only the minimum amount of Personally Identifiable Information (PII) necessary for the intended purpose, and regularly review and purge unnecessary data.
>
> Data Encryption: Use strong encryption methods to protect data both in transit and at rest, ensuring that unauthorized parties cannot access or interpret sensitive information.
>
> Access Controls: Implement strict access controls and authentication measures to limit who can view or modify personal data, ensuring that only authorized individuals have access.
>
> Privacy Training and Awareness: Provide ongoing privacy training for employees to ensure they understand privacy principles and how to handle personal data responsibly.
>
> Regular Audits and Reviews: Conduct regular audits and reviews of data handling practices and privacy measures to ensure they remain effective and compliant with evolving regulations.
>
> Incident Response Planning: Develop and maintain a clear incident response plan to quickly address and mitigate the impact of any data breaches or privacy incidents.

## Resources

<table data-view="cards"><thead><tr><th></th><th></th><th></th></tr></thead><tbody><tr><td><strong>References</strong></td><td>Department of Homeland Security. Privacy Impact Assessments. https://www.dhs.gov/privacy-impact-assessments</td><td></td></tr><tr><td></td><td></td><td></td></tr></tbody></table>
