5 Tips for Successfully Implementing Privacy by Design
In a world where there’s no cookie-cutter template for privacy, companies are hungry for tried-and-true approaches to privacy compliance and risk management. The Privacy by Design framework can help to fill that void. Read on to learn more about Privacy by Design and uncover our tips for implementing privacy by design.
What Is Privacy by Design?
Privacy by Design (PbD) is a privacy approach developed by former Information and Privacy Commissioner of Ontario Ann Cavoukian, and is related to the ‘security by design’ approach favoured by many security practitioners. ‘Privacy by design’ is based on 7 foundational principles (which we’ll dig into below) and serves to guide the implementation and mapping of common privacy principles and fair information practices into all initiatives involving the use of personal data.
The reason the PbD framework is so well equipped to weather the barrage of changing consumer protections is that it was designed to “[significantly raise] the bar in the area of privacy protection”, setting the highest global standard, while being flexible and adaptable.
The 7 Principles of Privacy by Design
The 7 Principles underpinning the privacy by design approach are:
- Be proactive, not reactive.
- Privacy as the default setting.
- Privacy embedded into design.
- Full-functionality: positive-sum, not zero-sum.
- End-to-end security.
- Visibility and transparency – keep it open.
- Keep it user centric.
Find more information about these foundational principles of the privacy by design approach.
Tips for Embedding and Implementing Privacy by Design into Your Projects
1. Understand Your Privacy Obligations and Capabilities.
Any successful privacy program starts with a strong understanding of existing obligations and capabilities. If your organisation wishes to successfully implement privacy by design, it needs to first understand its current approach to privacy. This involves documenting existing technologies and mechanisms that have been implemented to address privacy – even where these are ad hoc solutions.
With these in mind, you’re better placed to consider how to address your existing privacy obligations and where to focus your efforts when it comes to improving your capabilities.
2. Align Senior Management with Privacy by Design.
Privacy is no longer a ‘check the box’ compliance task for organisations. Factors like rising demands from individual customers, coupled with the risk stemming from global cyber security threats, have catapulted privacy concerns to the forefront for boards, business leaders, and senior management.
However, it’s still not common for senior management to consider proactive privacy measures. By calling privacy by design to the attention of senior management – and getting their buy-in – organisations are in a better position to implement privacy into project planning.
Managerial buy-in also promotes collaboration and understanding between key players in organisational privacy programs. Legal and IT departments are better linked with design, sales, marketing, and customer service, and better placed to embed privacy into the organisation.
3. Define a Roadmap for Privacy by Design.
Organisations with mature privacy programs have defined plans to embed privacy by design into organisational projects and culture.
These roadmaps consider:
- Planning and timing for implementing privacy-enhancing technologies.
- How and when to adapt internal processes to improve privacy management.
- Key accountabilities.
- Short- and mid-term education and training planning.
By developing a strategy that furthers your organisation’s commitment to privacy by design, you are better placed to find technologies that improve privacy capabilities across multiple projects. Moreover, these roadmaps highlight your organisation’s commitment to privacy by design. In turn, this deepens the culture of privacy and promotes collaboration and feedback from stakeholders. All of this can lead to better privacy programs.
4. Consider Consent from the Outset.
The privacy by design framework asks organisations to build the foundations of their privacy programs in a way that, where an individual does nothing, their privacy will remain intact. A critical element of this is ensuring that valid consent is obtained at the time personal information is collected.
To design projects that meet their needs, and the privacy demands of their customers, companies must consider:
- at which point customers must provide consent for their personal information to be collected – and
- how to deliver projects in circumstances where that consent isn’t given.
Doing so can help organisations develop innovative and more privacy-friendly delivery methods and really focus on collecting data for specific purposes.
5. Prioritise Control Over Data.
We highlighted in our article on employee photos that individual employees are allowed to withdraw their consent and have the organisation remove photos of the employee from publication.
Where companies have not adopted a privacy by design approach, this can be complex. They may not recall exactly where photographs of a particular individual have been published online, for instance.
With privacy by design, the organisation may have tagged the employee’s name in the metadata associated with that image. This makes it significantly easier to find and remove the images.
What this shows is that implementing measures that allow customers to control how their data is used requires forethought and careful planning.
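The default-deny consent check from tip 4 and the metadata tagging from tip 5, sketched together as an added example that is not from the original article. The class, field, purpose and location names are all hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    subjects: set  # people tagged in the asset's metadata (constructed sample data)
    locations: set = field(default_factory=set)  # where it is currently published

class ConsentRegistry:
    """Hypothetical registry: a consent ledger plus a subject-to-asset index."""
    def __init__(self):
        self._consent = {}     # (subject, purpose) -> bool
        self._assets = {}      # asset_id -> Asset
        self._by_subject = {}  # subject -> set of asset_ids (reverse index)

    def grant(self, subject, purpose):
        self._consent[(subject, purpose)] = True

    def has_consent(self, subject, purpose):
        # Privacy as the default: no record on file means no consent.
        return self._consent.get((subject, purpose), False)

    def publish(self, asset, location, purpose="publication"):
        # Refuse unless every tagged subject has consented to this purpose.
        missing = sorted(s for s in asset.subjects if not self.has_consent(s, purpose))
        if missing:
            return False, missing
        stored = self._assets.setdefault(asset.asset_id, asset)
        stored.locations.add(location)
        for s in stored.subjects:
            self._by_subject.setdefault(s, set()).add(stored.asset_id)
        return True, []

    def withdraw(self, subject, purpose="publication"):
        # Record the withdrawal and return every (asset, location) to take down.
        self._consent[(subject, purpose)] = False
        takedowns = []
        for aid in sorted(self._by_subject.pop(subject, set())):
            asset = self._assets[aid]
            takedowns += [(aid, loc) for loc in sorted(asset.locations)]
            asset.locations.clear()
        return takedowns

if __name__ == "__main__":
    reg = ConsentRegistry()
    reg.grant("alice", "publication")
    print(reg.publish(Asset("img-001", {"alice"}), "website/about-us"))
    print(reg.publish(Asset("img-002", {"carol"}), "website/news"))  # no consent on file
    print(reg.withdraw("alice"))  # takedown list comes straight from the tags
```

Because the takedown list is derived from the tags recorded at publication time, a group photo is pulled as soon as any one tagged person withdraws, and it cannot be republished until that person consents again.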
If your organisation needs help with this, reach out.