with co-author Eliza Krigman
Does your company consider privacy at the very start of product development? By the spring of 2018, any business that handles the personal data of European residents will be required to by law. New European privacy rules, formally known as the General Data Protection Regulation (GDPR), call on companies to explicitly incorporate measures to keep this data safe — by default.
It doesn’t matter where the organization operates or has its headquarters. If it processes the personal data of European residents, then the GDPR applies.
Exactly what it means and looks like to implement this component of the law, “privacy by design,” as it is referred to in the industry, has been left open to interpretation. Privacy professionals charged with implementing the GDPR must decide for themselves exactly what kind of technical and organizational processes they want to put in place to fulfill this obligation.
The text of the law describing these requirements states that a business handling the personal data of European residents “shall implement appropriate technical and organizational measures” so that “by default” that information receives all the protections of the new regulation.
“I think of privacy by design as a set of principles,” Jacobo Esquenazi, Global Privacy Strategist for Hewlett-Packard, said at a data protection conference held in Brussels in November.
Some of the principles discussed by Esquenazi and other privacy experts at the conference (and in the text of the law itself) include:
One way to address the implementation challenge is to find ways to weave these doctrines into processes that can be documented. It doesn’t mean reinventing the wheel on compliance. Privacy by design, in many instances, can be baked into workflows that have already been established.
In light of GDPR, there are two “operational things that we see companies doing. One is data mapping… and the second is a privacy impact assessment,” Kabir Barday, CEO of OneTrust, a new privacy software company, said on a panel at the Brussels conference. Those projects existed before the new rules, but “if they are done in the right sequence,” then it’s possible to get the benefit of having done privacy by default as well, Barday added.
Most privacy professionals or others charged with keeping personal data safe will already conduct or be familiar with a privacy impact assessment (PIA). Simply put, a PIA is a formal process designed to assess the privacy risks inherent in a particular business project or initiative. As part of a PIA, assurance professionals identify and implement appropriate controls and mitigation steps. Under the GDPR, a PIA is actually required in certain instances. And even if it is not a project they are already working on, data mapping (essentially, the process by which the flows of information inside and outside of a company are captured and depicted) will be a familiar concept to assurance executives. Barday’s point: either or both of these activities can be used to help fulfill the privacy by design provision.
When asked how he plans to demonstrate compliance of privacy by design, Esquenazi said he will use reports produced from his PIAs.
CEB recommends a five-step approach to conducting a PIA:
Evidence of the steps involved in the PIA can help to show organizational commitment to privacy by design.
That’s just one tack, though.
“You want to be able to document that the product teams, the designers and the app developers have gone through the different gateways around specific privacy risks and questions,” Robert Grosvenor, a Director at Promontory, a regulatory consulting firm, said at the same session as Barday.
At the end of the day, what you want to establish is a privacy-aware product life cycle, Grosvenor explained, one that has privacy baked into all relevant stages of development. Additional implementation tactics for doing that include:
Good privacy by design will help the business avoid sanctions, safeguard its reputation and save money by avoiding changes that have to be made at later stages of development when this issue has been overlooked. Creating and storing evidence of processes that your organization may already conduct, such as a PIA or data mapping, can go a long way toward demonstrating the privacy-by-design requirement of the GDPR.
Brian Lee is a Practice Leader in CEB’s Compliance & Legal Practice, which provides best practices research, benchmarking and management consulting advice to more than 1,500 legal, compliance and privacy heads worldwide. He is responsible for the practice’s overall research agenda, strategic vision and day-to-day operations. While at CEB, Brian has led a number of qualitative and quantitative research initiatives on a wide range of legal, compliance and privacy department issues, including risk assessment and management; department strategy and effectiveness; training and communications; and building an ethical corporate culture.