Adopting privacy by design (PbD) is essential for almost every organisation. Any change project or product that involves data processing should be guided by PbD.
Privacy by design is an approach to building privacy and data protection up front, into the very DNA of technologies, business practices, products and services and physical infrastructure. It is particularly important in the development of mobile applications, medical devices and other technologies that might involve the collection or processing of personal information. PbD also ensures that privacy is considered whenever there is any significant change to a business, such as mergers, acquisitions, doing business in a new jurisdiction, rolling out a new product or internationalising an existing one.
PbD is an important risk mitigation step and should be part of any Privacy Management Program. For more information about Privacy Management Programs, including how we can help you develop yours – see Privacy Management Program.
Generally, PbD ensures that strong privacy practices are identified and implemented early and consistently. This helps ensure that all products, solutions and other processing activities within your organisation support your commitment to the responsible and ethical use and protection of personal data.
Our PbD consulting services use tools like policies, privacy impact assessments and training to help get you there. Our deep understanding of product development lifecycles means we can assist you to build PbD into your existing processes.
Our expertise includes:
Implementation of PbD means that privacy is thought about early in any design initiative or other project, which provides opportunities to bake in privacy protections, rather than adding them as an afterthought. It also means that the types of information and how they are intended to be processed are considered at the design stage.
We’ll tailor our response to meet your specific PbD needs and provide up-front costings.
You will be allocated a dedicated senior privacy consultant who will coordinate the delivery of the PbD service for you based on the detailed quote and scoping we will have included in our proposal.
Your dedicated privacy consultant can also call on the assistance of other members of our team, including data governance and information security experts.
The outcome of your PbD project depends on the nature of your project and the terms of our engagement. However, it may include:
Privacy108 can provide a fixed price quote for your privacy by design initiative. Our rates are competitive and will be supported by a detailed quote that specifies the work we will undertake and the deliverables you will receive as part of the project.
Privacy by design is based on seven “foundational principles”:
According to Jason Cronk in “Strategic Privacy by Design”, although usage of the term “privacy by design” originated some time in the early 1990s, Dr. Ann Cavoukian created the modern conceptualization in 2009, early in her role as information and privacy commissioner of the province of Ontario, Canada. Based on the seven foundational principles outlined above, PbD has been criticised as being too vague and general. However, the generality was intentional on Dr. Cavoukian’s part. She desired to give designers flexibility while still promoting the integration of privacy into system design. The lack of specificity, though, has somewhat hampered adoption by engineers and others who desired more guidance in how to meet the principles.
PbD was included in the GDPR, which requires controllers to implement data protection by design and data protection by default. The same requirements are included in the UK data protection legislation. PbD has also been recognised as a key practice for protecting privacy by the US Federal Trade Commission.
There is no legal obligation to implement PbD in Australia; however, it is an important privacy risk mitigation step.
In Australia, the OAIC supports the adoption of PbD but it is not required in the Privacy Act 1988 (Cth). In the OAIC’s recommendations for a privacy management framework, organisations are encouraged to “adopt a ‘privacy by design’ approach. Ensure you consider the seven foundational principles of privacy by design in all your business projects and decisions that involve personal information.”
At a State level, the Commissioner for Privacy and Data Protection for the State of Victoria (CPDP) has formally adopted privacy by design as a core policy to underpin information privacy management in the Victorian public sector.
PbD and privacy engineering are often used interchangeably. More frequently used now, the term “privacy engineering” has come to encompass both the high-level concept of system design (or engineering) and the more specific tasks of incorporating privacy into various areas of technology.
Privacy108 are specialists in privacy and information security – it’s all we do!
We are familiar with the privacy and security issues commonly faced by organisations and have developed practical and cost-effective solutions for those issues.
Our team has invested in developing templates, questionnaires and guidance documents, using best practices and published standards, that help ensure that all our reports and other deliverables are targeted, practical and easy to understand. We also keep up to date with all the latest changes to privacy law and practice so we can provide current and timely advice.
The team understands sophisticated technology, IT systems and concepts, complex relationships with service providers and the importance of developing the right organisational culture. We provide practical guidance and advice so organisations achieve their goals while meeting their compliance obligations.
Privacy108 is owned and led by one of Australia’s leading security and privacy professionals, Dr Jodie Siganto. The Privacy108 team includes lawyers, consultants and trainers who between them hold many years of experience in delivering privacy and security solutions for Australian organisations.
We have worked as in-house counsel and senior executives, and understand the pressures faced by executives, CISOs, Chief Privacy Officers, procurement teams and in-house lawyers. Our team’s industry experience is complemented by extensive legal knowledge and a desire to assist our clients with high quality practical advice.