3 minute read 20 Oct 2020
Man listening to music and using his smartphone in a capsule hotel

How to successfully embed a culture of Privacy by Design

By EY Americas

Multidisciplinary professional services organization

3 minute read 20 Oct 2020

Protecting personal data, and how it is gathered, stored and used has taken on a new urgency as a result of fast emerging technologies.

In brief
  • Privacy by Design is the concept of embedding privacy into any new product, system or process at the point it is being conceptualized and developed.
  • New apps and smart technologies are accelerating Privacy by Design requirements, meaning a "one size" privacy strategy rarely fits all.

Privacy, defined variously as the state in which one is not observed or disturbed by other people, has a broader meaning in the context of, for example, the General Data Protection Regulation (GDPR) in the EU and California Consumer Protection Act (CCPA). Here, it is more about protecting personal data. Specifically, how it is gathered, stored and used.

Getting it wrong can be costly. Since the introduction of GDPR, cumulative fines from EU supervisory bodies have totaled close to €0.5b (US$0.58b), some relating specifically to breaches to Article 25 – Privacy by Design. In the US, the figure is even more disturbing – more than US$20b – shared out between several high-profile transgressors.

Fines for non-compliance continue to be served on organizations.

€0.5 billion

Cumulative fines from EU supervisory bodies to-date.

Organizations are collecting, storing and using personal data more than ever through a host of fast-evolving technologies that are already known. Products and services – like smart cars, smart meters and smart homes connected through the Internet of Things (IoT) – create new challenges in the management of personal data. Arguably, an even greater challenge is those technologies that are yet to come.

Few would have envisaged the COVID-19 pandemic; fewer still the emergence of dedicated tracing applications and the privacy implications that mass surveillance and monitoring would bring. Recent findings from the EY Global Consumer Privacy Survey 2020 found that the pandemic makes consumers more willing to share personal data for the benefit of the greater good. However, trust is still a significant issue. Almost half (47%) of consumers globally don't trust their governments to use their data beyond its stated purpose. 

In a complex world, businesses need to consider and implement controls and measures to safeguard the privacy rights of individuals and safeguard their own organizations to comply with stringent regulations. But this is not about ticking boxes; it is about embedding a new culture and shifting a mindset that sees privacy at the heart of any new technology, system or process being designed. More than this, it is about re-engineering existing systems with a fresh eye on privacy, and a new respect for the risk of falling foul of the regulators and the law.

Designing privacy into any new product, system or process

Privacy by Design is the concept of embedding privacy into any new product, system or process when it is conceptualized and as it is being developed.

From a new app or Smart Technology to the latest advertising campaign or marketing initiative, an early focus and understanding of privacy have clear benefits. It helps to "design-in" essential privacy safeguards and improves financial and operational efficiencies. It helps build trust and loyalty within a brand and removes the challenge of managing and storing data needlessly, and all the issues this can cause. It similarly removes the likelihood of retrospective and often costly privacy features being required. A further benefit is that it serves to design "out" the likelihood of any regulatory fines and penalties. Simultaneously, the concept of "privacy by default" helps build consumer trust and a best-in-class reputation.

Crucially, however, Privacy by Design is not only about the "new." Organizations can also take a transformative approach and apply privacy principles to existing applications, business processes and supporting infrastructure. It enables organizations with legacy IT platforms to apply certain principles retrospectively, taking a risk-based approach based on operational and commercial priorities. This mitigates risk where possible and applies intermediate solutions if needed, pending a more permanent answer.

Infusing Privacy by Design within the wider organization

Infusing Privacy by Design is a desirable mechanism for any organization confronting the challenge of managing personal data. What is essential is that "privacy" is not seen simply as the sole domain (and therefore the sole responsibility) of the privacy officer. It should embrace and be embraced by the whole of the organization.

Even though Privacy by Design has been around for more than 30 years, many privacy professionals are still challenged as to the best place to start embedding the concept within their operations.

Imagine you have been recently appointed as Head of Privacy and have been tasked with transforming the organization's privacy practices. What actions should you take within the first 90 days?

To begin with, it is important to understand that no one-size-fits-all solution. To be effective, any Privacy by Design strategy needs to be tailored around your own organization's culture and working practices. That said, there are perhaps five general steps you can take to infuse Privacy by Design thinking in your people:

1. Raise awareness and build your network

Create awareness of your role and the concept of Privacy by Design. Showcase the advantages that embedding privacy within the design of new processes and products can bring. Be positive and show you can bring value to the teams you are going to support. Build your network within the organization, identifying who will benefit from embracing Privacy by Design most. Surprisingly, you might find allies across various departments, from the commercial teams to IT.

2. Align with senior management and get their buy-in

Senior management will be your greatest ally in this journey because they can provide the right level of support to infuse Privacy by Design at every level. Make them understand the value of embedding privacy within product and services you deliver to your end-customers, as well as to internal stakeholders. Demonstrate that Privacy by Design will help build customer trust, but it will also generate value for the organization and help them comply with global data protection regulations. Find ways of explaining the benefits in a language they will understand.

3. Understand the project's lifecycle, identify and be involved in key projects as early as possible

Get an understanding of the most important projects and select those with the highest visibility and high "payback" in terms of results. Proactively reach out to the project owners providing an overview of the benefits of a Privacy by Design strategy. This is a crucial component, as it is here that the value of Privacy by Design will be measured in the field and success stories will support your case. Take a positive and collaborative approach; do not behave or appear to be a roadblock.

4. Recognize the organization's capabilities and build upon them

Depending on your organization's maturity, there might be different tools and solutions in place – but at least something is out there. Identify the key technologies and mechanisms that may have implemented "ad-hoc" on specific products that can support a privacy strategy. Re-use successful strategies into the projects you are supporting, and foster cross-referencing and collaboration between teams to accelerate knowledge transfer.

5. Define a roadmap for Privacy by Design

While working on the operational, short-term actions, start working on a longer-term strategy. Establish a vision and develop a long-term plan to infuse privacy into the culture of the organization. The roadmap should involve how and when privacy tools and privacy-enhancing technologies are implemented, how best to educate and inform those who are most directly affected, and how to ensure data is used within the boundaries of your organization's ethical structures.

The concept of Privacy by Design has traveled a long distance in a comparatively short period of time. To succeed, organizations cannot afford simply to come along for the ride. They need to be an integral part of the journey.

Summary

Safeguarding the storage and usage of personal data is paramount as fast-emerging apps and smart technologies accelerated the need for an effective Privacy by Design strategy. This strategy must be embraced by the whole organization, complemented by its culture and working processes. How to define this strategy and build upon early success in the first 90 days are keys to a successful implementation. 

About this article

By EY Americas

Multidisciplinary professional services organization