In a world where there’s no cookie cutter template to privacy, companies are hungry for tried-and-true approaches to privacy compliance and risk management. The Privacy by Design framework can help to fill that void. Read on to learn more about Privacy by Design and uncover our tips to implementing privacy by design.
Privacy by Design (PbD) is a privacy approach by former information and Privacy Commissioner of Ontario Ann Cavoukian, and related to the ‘security by design’ approach favoured by many security practitioners. ‘Privacy by design’ is based on 7 foundational principles (which we’ll dig into below) and serves to guide the implementation and mapping of common privacy principles and fair information practices, into all initiatives involving the use of personal data.
The reason the PbD framework is so well equipped to weather the barrage of changing consumer protections is that it was designed to “[significantly raise] the bar in the area of privacy protection”, setting the highest global standard, while being flexible and adaptable.
The 7 Principles underpinning the privacy by design approach are:
Find more information about these foundational principles of the privacy by design approach.
Any successful privacy program starts with a strong understanding of existing obligations and capabilities. If your organisation wishes to successfully implement privacy by design, it needs to first understand its current approach to privacy. This involves documenting existing technologies and mechanisms that have been implemented to address privacy – even where these are ad hoc solutions.
With these in mind, you’re better placed to consider how to address your existing privacy obligations and where to focus your efforts when it comes to improving your capabilities.
Privacy is no longer a ‘check the box’ compliance task for organisations. Factors like rising demands from individual customers, coupled with the risk stemming from global cyber security threats have catapulted privacy concerns to the forefront for boards, business leaders, and senior management.
However, it’s still not common for senior management to consider proactive privacy measures. By calling privacy by design to the attention of senior management – and getting their buy-in – organisations are in a better position to implement privacy into project planning.
Managerial buy in also promotes collaboration and understanding between key players in organisational privacy programs. Legal and IT departments are better linked with design, sales, marketing, and customer service and better placed to embed privacy into the organisation.
Organisations with mature privacy programs have defined plans to embed privacy by design into the organisational projects and culture.
These roadmaps consider:
By developing a strategy that furthers your organisation’s commitment to privacy by design, you are better placed to find technologies that improve privacy capabilities across multiple projects. Moreover, these roadmaps highlight your organisation’s commitment to privacy by design. In turn, this deepens the culture of privacy and promotes collaboration and feedback from stakeholders. All of this can lead to better privacy programs.
The privacy by design framework asks organisations to build the foundations of their privacy programs in a way that, where an individual does nothing, their privacy will remain intact. A critical element of this is ensuring that a valid consent is collected at the time personal information is collected.
To design projects that meet their needs, and the privacy demands of their customers, companies must consider:
Doing so can help organisations develop innovative and more privacy-friendly delivery methods and really focus on collecting data for specific purposes.
We highlighted in our article on employee photos that individual employees are allowed to withdraw their consent for an organisation to remove photos of the employee from publication.
Where companies have not adopted a privacy by design approach, this can be complex. They may not recall exactly where photographs of a particular individual have been published online, for instance.
With privacy by design, the organisation may have tagged the employee’s name in the meta data associated with that image. This makes it significantly easier to find and remove the images.
What this shows is that implementing measures that allow customers to control how their data is used required forethought and careful planning.
If your organisation needs help with this, reach out.
"*" indicates required fields
"*" indicates required fields
Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.
