Data Protection Skill

Purpose

Defines data protection practices ensuring privacy-by-design, GDPR compliance, and secure data handling across all Hack23 projects.

Data Classification Levels

Level Description Handling

PUBLIC Open data, published information No restrictions

INTERNAL Operational data, system metadata Access controlled

CONFIDENTIAL Personal data, business sensitive Encrypted, logged

RESTRICTED Credentials, keys, PII aggregation Encrypted, MFA required

Privacy-by-Design Principles

• Proactive — Prevent privacy issues before they occur

• Default — Maximum privacy as default setting

• Embedded — Privacy built into design

• Positive-Sum — Privacy AND functionality

• End-to-End — Full lifecycle protection

• Transparency — Open and documented

• User-Centric — Respect user privacy

GDPR Requirements

• Lawful basis for processing

• Data minimization (collect only what's needed)

• Purpose limitation

• Storage limitation (retention policies)

• Data subject rights (access, deletion, portability)

• Privacy impact assessments for new features

Static Site Considerations

• No cookies without consent

• Privacy-preserving analytics only

• No tracking pixels or fingerprinting

• Secure external links (rel="noopener noreferrer")

• No PII in URLs or query parameters

ISO 27001 Mapping

• A.5.34 — Privacy and protection of PII

• A.8.11 — Data masking

• A.8.12 — Data leakage prevention

Related Policies

• Secure Development Policy