Corporate Compliance Insights

How Does Privacy by Design Work in Practice?

by Brian Lee
December 14, 2016
Putting new privacy requirements in place

with co-author Eliza Krigman

Does your company consider privacy at the very start of product development? By the spring of 2018, any business that handles the personal data of European residents will be required to by law. New European privacy rules, formally known as the General Data Protection Regulation (GDPR), call on companies to explicitly incorporate measures to keep this data safe — by default.

It doesn’t matter where the organization operates or has its headquarters. If it processes the personal data of European residents, then the GDPR applies.

Exactly what it means and looks like to implement this component of the law, "privacy by design," as it is referred to in the industry, has been left open to interpretation. Privacy professionals charged with implementing the GDPR must decide for themselves exactly what kind of technical and organizational processes they want to put in place to fulfill this obligation.

The text of the law describing these requirements states that a business handling the personal data of European residents “shall implement appropriate technical and organizational measures” so that “by default” that information receives all the protections of the new regulation.

“I think of privacy by design as a set of principles,” Jacobo Esquenazi, Global Privacy Strategist for Hewlett-Packard, said at a data protection conference held in Brussels in November.

Some of the principles discussed by Esquenazi and other privacy experts at the conference (and in the text of the law itself) include:

  • Data minimization – Collect only what you need
  • Purpose limitation – Only use personal data in the way you have permission to, and only if necessary
  • Retention limitation – Don’t store it longer than necessary
  • Early consideration – Incorporate privacy at the thinking stage of a development life cycle, before doing anything

One way to address the implementation challenge is to find ways to weave these doctrines into processes that can be documented. It doesn’t mean reinventing the wheel on compliance. Privacy by design, in many instances, can be baked into workflows that have already been established.

In light of GDPR, there are two “operational things that we see companies doing. One is data mapping… and the second is a privacy impact assessment,” Kabir Barday, CEO of OneTrust, a new privacy software company, said on a panel at the Brussels conference. Those projects existed before the new rules, but “if they are done in the right sequence,” then it’s possible to get the benefit of having done privacy by default as well, Barday added.

Most privacy professionals or others charged with keeping personal data safe will already conduct or be familiar with a privacy impact assessment (PIA). Simply put, a PIA is a formal process designed to assess the privacy risks inherent in a particular business project or initiative. As a part of a PIA, assurance professionals identify and implement appropriate controls and mitigation steps. Under the GDPR, a PIA is actually required in certain instances. And if it’s not a project they are already working on, data mapping – essentially, the process by which information flows inside and outside of a company is captured and depicted – will be a familiar concept to assurance executives. Barday’s point: either or both of these activities can be used to help fulfill the privacy by design provision.

When asked how he plans to demonstrate compliance of privacy by design, Esquenazi said he will use reports produced from his PIAs.

CEB recommends a five-step approach to conducting a PIA:

  • Identify which projects may create a privacy risk and direct them to a PIA process.
  • Determine whether the project calls for a full PIA (or something smaller) based on a risk assessment.
  • Assess the impact of the specific privacy risks associated with this project.
  • Explain to the project owner the dangers associated with this initiative that have been surfaced by the PIA and recommend mitigation tactics.
  • Monitor the project’s compliance status against a standardized control framework. This data will feed into a risk register that helps reveal risk patterns across workflows.

Evidence of the steps involved in the PIA can help to show organizational commitment to privacy by design.

That’s just one tack, though.

“You want to be able to document that the product teams, the designers and the app developers have gone through the different gateways around specific privacy risks and questions,” Robert Grosvenor, a Director at Promontory, a regulatory consulting firm, said at the same session as Barday.

At the end of the day, what you want to establish is a privacy-aware product life cycle, Grosvenor explained, one that has privacy baked into all relevant stages of development. Additional implementation tactics for doing that include:

  • Placing privacy experts within business functions
  • Creating guidance in accessible language
  • Reusing or inserting privacy into work by other departments whenever possible. The security team may already have a robust security-by-design process, for instance.
  • Making privacy by design an official part of company policy
  • Holding mandatory training sessions on it

Good privacy by design will help the business avoid sanctions, safeguard its reputation and save money by avoiding changes that have to be made at later stages of development when this issue has been overlooked. Creating and storing evidence of processes that your organization may already conduct, such as a PIA or data mapping, can go a long way toward demonstrating the privacy-by-design requirement of the GDPR.

Brian Lee

Brian Lee is an experienced lawyer and Managing Vice President at Gartner, where he leads research focused on turning compliance and privacy departments into high-performing business units. Gartner is a research and advisory company headquartered in Stamford, Connecticut. Gartner helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions.

© 2019 Corporate Compliance Insights