Privacy by Design: How to Bake Privacy in Early
Using privacy by design to bake privacy in early is becoming a must. The benefits of using privacy by design to ensure privacy in the early stages of development of products and services range from better alignment with organisational priorities to happier customers. Plus it supports compliance in an increasingly complex world of data protection regulation.
However, many organisations don’t know where to start. We are here to help. In this post we outline three steps that are key to implementing privacy by design at your organisation:
3 Steps to Implementing Privacy by Design Early
Step 1: Change the Narrative About Privacy – create a vision
Privacy has evolved from a compliance checklist item to an opportunity for organisations to:
- Add value,
- Create win-wins for the entity and its customers, and
- Shape privacy into a competitive advantage.
If your organisation’s approach to privacy doesn’t reflect this reality, it’s time to change the narrative about privacy.
How do you do this? One way is to create a vision for privacy within the organisation. This vision must be linked to your strategic direction and show how supporting privacy brings value to your business. This might be by supporting the fair and ethical leveraging of the data you hold or building and maintaining stakeholder trust. Whatever the value statement, it’s an important starting point for any privacy by design program.
Step 2: Create an Action Plan for Your Systems, Processes, & Legal Compliance
From the outset, you need to consider how your systems and processes operate independently and together and create an action plan for privacy that adequately reflects the risks that arise, while supporting your organisational vision for privacy.
Systems Privacy by Design
The Privacy by Design framework states that privacy should be the default – and that a person who does nothing to protect their privacy should still be protected. It’s crucial to bear this in mind when you develop your systems.
To achieve this, consider:
- The mechanisms you will use to collect data;
- The technical measures you will use to protect the data your organisation collects, including pseudonymisation and encryption;
- How you will manage access control, specifically how you will implement the least privilege access principle;
- Which data loss prevention measures you will use;
- How you will monitor and detect systems risks; and
- What your incident response plan looks like from a technical standpoint.
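As an added illustration of the "privacy as the default" principle and the least-privilege and pseudonymisation points above (this is example code written for this post, not a framework or product implementation), the following Python sketch shows three of these considerations working together: optional data uses are off until a person opts in, each role receives only the fields it needs, and identifiers shown to analytics are pseudonymised with a keyed hash rather than exposed raw. The record, the roles and the key are constructed for the example; a real deployment would keep the key in a secret store and rotate it.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample record for the example; not real personal data.
SAMPLE_RECORD = {
    "user_id": "u-1001",
    "email": "alice@example.com",
    "postcode": "2000",
    "purchases": 3,
}

# Hypothetical pseudonymisation key. In production this comes from a secret
# store, is rotated, and is never committed alongside the code.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Least-privilege views: each role lists only the fields it needs and how each
# field is exposed. Any role not listed here gets nothing (default deny).
ROLE_VIEWS = {
    "analytics": {"user_id": "pseudonymise", "postcode": "keep", "purchases": "keep"},
    "support": {"user_id": "keep", "email": "keep"},
}


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) so the same person maps to a stable token,
    but the token cannot be recomputed or reversed without the key.
    A plain unkeyed hash of a short identifier would be guessable."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def view_for_role(record: dict, role: str) -> dict:
    """Return the minimised view of a record for a role.

    Fields not explicitly allowed for the role are dropped, and unknown
    roles receive an empty view, so the safe outcome is the default."""
    allowed = ROLE_VIEWS.get(role, {})  # default deny for unknown roles
    view = {}
    for field_name, action in allowed.items():
        if field_name not in record:
            continue
        if action == "pseudonymise":
            view[field_name] = pseudonymise(str(record[field_name]))
        elif action == "keep":
            view[field_name] = record[field_name]
    return view


@dataclass
class ConsentPreferences:
    """Privacy by default: every optional use is off until the person opts in.
    Someone who never touches these settings is still protected."""

    marketing_email: bool = False
    analytics_tracking: bool = False
    third_party_sharing: bool = False

    def opted_in(self) -> set:
        """The set of optional purposes this person has actively enabled."""
        return {name for name, enabled in self.__dict__.items() if enabled}


def permitted_purposes(prefs: ConsentPreferences) -> set:
    """Processing purposes allowed for this person: only what they opted in to."""
    return prefs.opted_in()


if __name__ == "__main__":
    print(view_for_role(SAMPLE_RECORD, "analytics"))
    print(view_for_role(SAMPLE_RECORD, "support"))
    print(view_for_role(SAMPLE_RECORD, "marketing"))  # {} : no view defined
    print(permitted_purposes(ConsentPreferences()))  # set() : nothing on by default
```

The design choice worth noting is that both `view_for_role` and `ConsentPreferences` fail closed: a role that was never configured, or a preference that was never set, yields no data and no permitted purpose, which is what "a person who does nothing should still be protected" means in code.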
Privacy by Design Using Processes
Human error remains one of the leading contributors to privacy breaches. It’s important to consider how humans will interact with your systems. Where might things go wrong? What decisions about data use might be presented in the future? And remember to think about all the human points of contact – employees, customers, website visitors, partners and third parties in the supply chain. Privacy by design needs to cover all interactions with personal data.
From there, you need to develop processes that strengthen (not weaken) your systems and technical security measures.
Regarding your processes, it’s essential to:
- Implement customer-facing privacy controls, such as opt-ins and privacy centres;
- Document your personal information processing practices;
- Undertake a privacy impact assessment, risk assessment, and compliance assessment before any new data processing occurs;
- Share up-to-date copies of privacy-related company policies and procedures with all relevant team members regularly and provide appropriate training and awareness; and
- Consider what processes would need to be followed in case of a privacy breach.
Your legal compliance obligations will vary depending on which jurisdictions you operate within. Broadly speaking, compliance often centres around the following common themes:
- Knowing the relevant laws;
- Knowing which personal information you collect – and your purpose for collecting it;
- Implementing adequate security practices;
- Understanding, assessing, and monitoring your risks;
- Creating processes and policies to manage personal information throughout its lifecycle; and
- Developing processes for updating, amending, and deleting personal information upon request.
Compliance should not be the main driver for Privacy by Design but it is an important input.
Step 3: Train Your Team
It’s not enough for your organisation’s privacy professionals to know and understand privacy. Your whole team must be trained to know and recognise privacy risks, too.
Privacy by design requires that privacy is baked into everything from marketing to customer service. As a result, all team members should receive privacy training. This training should be tailored to the different team members who might be involved in the privacy by design process and to what each of them needs to know. For example, it might include:
- Transparency requirements for the UX team;
- Privacy engineering principles for the technology team;
- Privacy impact assessment fundamentals for the Project Management Office;
- Data focused privacy enhancing techniques for the Data Management team.
Privacy training is a good practice in any event. Privacy risks are developing rapidly, and ongoing training is critical to reducing your organisational risk.
Here are some other resources that might help:
- The Office of the Australian Information Commissioner has some guidance – available here
- EDPB Guidelines on Data Protection by Design and by Default – available here
- Jaap-Henk Hoepman’s Privacy by Design Strategies – available here
- The EDPS has a page on Privacy by Design – available here.
If you need assistance with privacy at your organisation, reach out. Our team of privacy lawyers, training instructors, and consultants would love to help.
Alternatively, to learn more about how to build privacy in your business and your technology solutions, enrol in our CIPT Course.