with co-author Eliza Krigman
Does your company consider privacy at the very start of product development? By the spring of 2018, any business that handles the personal data of European residents will be required to by law. New European privacy rules, formally known as the General Data Protection Regulation (GDPR), call on companies to explicitly incorporate measures to keep this data safe — by default.
It doesn’t matter where the organization operates or has its headquarters. If it processes the personal data of European residents, then the GDPR applies.
Exactly what it means and looks like to implement this component of the law — “privacy by design,” as it’s referred to in the industry — has been left open to interpretation. Privacy professionals charged with implementing the GDPR must decide for themselves exactly what kind of technical and organizational processes they want to put in place to fulfill this obligation.
The text of the law describing these requirements states that a business handling the personal data of European residents “shall implement appropriate technical and organizational measures” so that “by default” that information receives all the protections of the new regulation.
“I think of privacy by design as a set of principles,” Jacobo Esquenazi, Global Privacy Strategist for Hewlett-Packard, said at a data protection conference held in Brussels in November.
Some of the principles discussed by Esquenazi and other privacy experts at the conference (and in the text of the law itself) include:
- Data minimization – Collect only what you need
- Purpose limitation – Only use personal data in the way you have permission to, and only if necessary
- Retention limitation – Don’t store it longer than necessary
- Early consideration – Incorporate privacy at the thinking stage of a development life cycle, before doing anything
One way to address the implementation challenge is to find ways to weave these doctrines into processes that can be documented. It doesn’t mean reinventing the wheel on compliance. Privacy by design, in many instances, can be baked into workflows that have already been established.
In light of GDPR, there are two “operational things that we see companies doing. One is data mapping… and the second is a privacy impact assessment,” Kabir Barday, CEO of OneTrust, a new privacy software company, said on a panel at the Brussels conference. Those projects existed before the new rules, but “if they are done in the right sequence,” then it’s possible to get the benefit of having done privacy by default as well, Barday added.
Most privacy professionals or others charged with keeping personal data safe will already conduct, or at least be familiar with, a privacy impact assessment (PIA). Simply put, a PIA is a formal process designed to assess the privacy risks inherent in a particular business project or initiative. As part of a PIA, assurance professionals identify and implement appropriate controls and mitigation steps. Under the GDPR, a PIA is actually required in certain instances. Data mapping – essentially, the process of capturing and depicting how information flows inside and outside of a company – will likewise be a familiar concept to assurance executives, even if it is not a project they are already working on. Barday’s point: either or both of these activities can be used to help fulfill the privacy by design provision.
When asked how he plans to demonstrate compliance with the privacy by design requirement, Esquenazi said he will use the reports produced from his PIAs.
CEB recommends a five-step approach to conducting a PIA:
- Identify which projects may create a privacy risk and direct them to a PIA process.
- Determine whether the project calls for a full PIA (or something smaller) based on a risk assessment.
- Assess the impact of the specific privacy risks associated with this project.
- Explain to the project owner the dangers associated with this initiative that have been surfaced by the PIA and recommend mitigation tactics.
- Monitor the project’s compliance status against a standardized control framework. This data will feed into a risk register that helps reveal risk patterns across workflows.
Evidence of the steps involved in the PIA can help to show organizational commitment to privacy by design.
That’s just one tack, though.
“You want to be able to document that the product teams, the designers and the app developers have gone through the different gateways around specific privacy risks and questions,” Robert Grosvenor, a Director at Promontory, a regulatory consulting firm, said at the same session as Barday.
At the end of the day, what you want to establish is a privacy-aware product life cycle, Grosvenor explained, one that has privacy baked into all relevant stages of development. Additional implementation tactics for doing that include:
- Placing privacy experts within business functions
- Creating guidance in accessible language
- Reusing or inserting privacy into work by other departments whenever possible. The security team may already have a robust security-by-design process, for instance.
- Making privacy by design an official part of company policy
- Holding mandatory training sessions on it
Good privacy by design will help the business avoid sanctions, safeguard its reputation and save money by avoiding changes that have to be made at later stages of development when this issue has been overlooked. Creating and storing evidence of processes that your organization may already conduct, such as a PIA or data mapping, can go a long way toward demonstrating the privacy-by-design requirement of the GDPR.