Organizations are collecting, storing and using personal data more than ever through a host of fast-evolving technologies that are already known. Products and services – like smart cars, smart meters and smart homes connected through the Internet of Things (IoT) – create new challenges in the management of personal data. Arguably, an even greater challenge is those technologies that are yet to come.
Few would have envisaged the COVID-19 pandemic; fewer still the emergence of dedicated tracing applications and the privacy implications that mass surveillance and monitoring would bring. Recent findings from the EY Global Consumer Privacy Survey 2020 found that the pandemic makes consumers more willing to share personal data for the benefit of the greater good. However, trust is still a significant issue. Almost half (47%) of consumers globally don't trust their governments to use their data beyond its stated purpose.
In a complex world, businesses need to consider and implement controls and measures to safeguard the privacy rights of individuals and safeguard their own organizations to comply with stringent regulations. But this is not about ticking boxes; it is about embedding a new culture and shifting a mindset that sees privacy at the heart of any new technology, system or process being designed. More than this, it is about re-engineering existing systems with a fresh eye on privacy, and a new respect for the risk of falling foul of the regulators and the law.
Designing privacy into any new product, system or process
Privacy by Design is the concept of embedding privacy into any new product, system or process when it is conceptualized and as it is being developed.
From a new app or Smart Technology to the latest advertising campaign or marketing initiative, an early focus and understanding of privacy have clear benefits. It helps to "design-in" essential privacy safeguards and improves financial and operational efficiencies. It helps build trust and loyalty within a brand and removes the challenge of managing and storing data needlessly, and all the issues this can cause. It similarly removes the likelihood of retrospective and often costly privacy features being required. A further benefit is that it serves to design "out" the likelihood of any regulatory fines and penalties. Simultaneously, the concept of "privacy by default" helps build consumer trust and a best-in-class reputation.
Crucially, however, Privacy by Design is not only about the "new." Organizations can also take a transformative approach and apply privacy principles to existing applications, business processes and supporting infrastructure. It enables organizations with legacy IT platforms to apply certain principles retrospectively, taking a risk-based approach based on operational and commercial priorities. This mitigates risk where possible and applies intermediate solutions if needed, pending a more permanent answer.
Infusing Privacy by Design within the wider organization
Infusing Privacy by Design is a desirable mechanism for any organization confronting the challenge of managing personal data. What is essential is that "privacy" is not seen simply as the sole domain (and therefore the sole responsibility) of the privacy officer. It should embrace and be embraced by the whole of the organization.
Even though Privacy by Design has been around for more than 30 years, many privacy professionals are still challenged as to the best place to start embedding the concept within their operations.
Imagine you have been recently appointed as Head of Privacy and have been tasked with transforming the organization's privacy practices. What actions should you take within the first 90 days?
To begin with, it is important to understand that no one-size-fits-all solution. To be effective, any Privacy by Design strategy needs to be tailored around your own organization's culture and working practices. That said, there are perhaps five general steps you can take to infuse Privacy by Design thinking in your people:
1. Raise awareness and build your network
Create awareness of your role and the concept of Privacy by Design. Showcase the advantages that embedding privacy within the design of new processes and products can bring. Be positive and show you can bring value to the teams you are going to support. Build your network within the organization, identifying who will benefit from embracing Privacy by Design most. Surprisingly, you might find allies across various departments, from the commercial teams to IT.
2. Align with senior management and get their buy-in
Senior management will be your greatest ally in this journey because they can provide the right level of support to infuse Privacy by Design at every level. Make them understand the value of embedding privacy within product and services you deliver to your end-customers, as well as to internal stakeholders. Demonstrate that Privacy by Design will help build customer trust, but it will also generate value for the organization and help them comply with global data protection regulations. Find ways of explaining the benefits in a language they will understand.
3. Understand the project's lifecycle, identify and be involved in key projects as early as possible
Get an understanding of the most important projects and select those with the highest visibility and high "payback" in terms of results. Proactively reach out to the project owners providing an overview of the benefits of a Privacy by Design strategy. This is a crucial component, as it is here that the value of Privacy by Design will be measured in the field and success stories will support your case. Take a positive and collaborative approach; do not behave or appear to be a roadblock.
4. Recognize the organization's capabilities and build upon them
Depending on your organization's maturity, there might be different tools and solutions in place – but at least something is out there. Identify the key technologies and mechanisms that may have implemented "ad-hoc" on specific products that can support a privacy strategy. Re-use successful strategies into the projects you are supporting, and foster cross-referencing and collaboration between teams to accelerate knowledge transfer.
5. Define a roadmap for Privacy by Design
While working on the operational, short-term actions, start working on a longer-term strategy. Establish a vision and develop a long-term plan to infuse privacy into the culture of the organization. The roadmap should involve how and when privacy tools and privacy-enhancing technologies are implemented, how best to educate and inform those who are most directly affected, and how to ensure data is used within the boundaries of your organization's ethical structures.
The concept of Privacy by Design has traveled a long distance in a comparatively short period of time. To succeed, organizations cannot afford simply to come along for the ride. They need to be an integral part of the journey.