How Does Privacy by Design Work in Practice?

by Brian Lee
December 14, 2016
in Uncategorized
Putting new privacy requirements in place

with co-author Eliza Krigman

Does your company consider privacy at the very start of product development? By the spring of 2018, any business that handles the personal data of European residents will be required to by law. New European privacy rules, formally known as the General Data Protection Regulation (GDPR), call on companies to explicitly incorporate measures to keep this data safe — by default.

It doesn’t matter where the organization operates or has its headquarters. If it processes the personal data of European residents, then the GDPR applies.

Exactly what it means and looks like to implement this component of the law – “privacy by design,” as it’s referred to in the industry – has been left open to interpretation. Privacy professionals charged with implementing the GDPR must decide for themselves exactly what kind of technical and organizational processes they want to put in place to fulfill this obligation.

The text of the law describing these requirements states that a business handling the personal data of European residents “shall implement appropriate technical and organizational measures” so that “by default” that information receives all the protections of the new regulation.

“I think of privacy by design as a set of principles,” Jacobo Esquenazi, Global Privacy Strategist for Hewlett-Packard, said at a data protection conference held in Brussels in November.

Some of the principles discussed by Esquenazi and other privacy experts at the conference (and in the text of the law itself) include:

  • Data minimization – Collect only what you need
  • Purpose limitation – Only use personal data in the way you have permission to, and only if necessary
  • Retention limitation – Don’t store it longer than necessary
  • Early consideration – Incorporate privacy at the thinking stage of a development life cycle, before doing anything

One way to address the implementation challenge is to find ways to weave these doctrines into processes that can be documented. It doesn’t mean reinventing the wheel on compliance. Privacy by design, in many instances, can be baked into workflows that have already been established.

In light of GDPR, there are two “operational things that we see companies doing. One is data mapping… and the second is a privacy impact assessment,” Kabir Barday, CEO of OneTrust, a new privacy software company, said on a panel at the Brussels conference. Those projects existed before the new rules, but “if they are done in the right sequence,” then it’s possible to get the benefit of having done privacy by default as well, Barday added.

Most privacy professionals, and others charged with keeping personal data safe, will already conduct or be familiar with a privacy impact assessment (PIA). Simply put, a PIA is a formal process designed to assess the privacy risks inherent in a particular business project or initiative. As part of a PIA, assurance professionals identify and implement appropriate controls and mitigation steps. Under the GDPR, a PIA is actually required in certain instances. Data mapping – essentially, the process by which information flows inside and outside of a company are captured and depicted – will likewise be a familiar concept to assurance executives, even if it is not a project they are already working on. Barday’s point: either or both of these activities can be used to help fulfill the privacy by design provision.

When asked how he plans to demonstrate compliance with privacy by design, Esquenazi said he will use the reports produced from his PIAs.

CEB recommends a five-step approach to conducting a PIA:

  • Identify which projects may create a privacy risk and direct them to a PIA process.
  • Determine whether the project calls for a full PIA (or something smaller) based on a risk assessment.
  • Assess the impact of the specific privacy risks associated with this project.
  • Explain to the project owner the dangers associated with this initiative that have been surfaced by the PIA and recommend mitigation tactics.
  • Monitor the project’s compliance status against a standardized control framework. This data will feed into a risk register that helps reveal risk patterns across workflows.

Evidence of the steps involved in the PIA can help to show organizational commitment to privacy by design.

That’s just one tack, though.

“You want to be able to document that the product teams, the designers and the app developers have gone through the different gateways around specific privacy risks and questions,” Robert Grosvenor, a Director at Promontory, a regulatory consulting firm, said at the same session as Barday.

At the end of the day, what you want to establish is a privacy-aware product life cycle, Grosvenor explained, one that has privacy baked into all relevant stages of development. Additional implementation tactics for doing that include:

  • Placing privacy experts within business functions
  • Creating guidance in accessible language
  • Reusing or inserting privacy into work by other departments whenever possible. The security team may already have a robust security-by-design process, for instance.
  • Making privacy by design an official part of company policy
  • Holding mandatory training sessions on it

Good privacy by design will help the business avoid sanctions, safeguard its reputation and save money by avoiding changes that have to be made at later stages of development when this issue has been overlooked. Creating and storing evidence of processes that your organization may already conduct, such as a PIA or data mapping, can go a long way toward demonstrating the privacy-by-design requirement of the GDPR.

Brian Lee
Brian Lee is an experienced lawyer and Managing Vice President at Gartner, where he leads research focused on turning compliance and privacy departments into high-performing business units. Gartner is a research and advisory company headquartered in Stamford, Connecticut. Gartner helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions.