The concept of Privacy by Design (PbD) — or building privacy into technology and processes from the start — is nothing new. What is new is that it is now a legal requirement for many organizations.
Privacy by Design is one of the many obligations under the new European Union General Data Protection Regulation (GDPR). And it's another case where more connections between the Chief Privacy Officer (CPO), Chief Information Security Officer (CISO), Chief Information Officer (CIO) and IT will be needed. The GDPR requires PbD by default — so what was formerly considered a best practice is now a mandate that needs to be operationally demonstrable.
Baking Security In
Businesses traditionally perceive privacy as the place where “IT goes to die” and security as the function that leads with “no.” Whether true or not, this perception is an ineffective basis for building a collaborative team.
Instead, security and privacy officers, as well as general counsel, need to take the steps to bake privacy in as a fundamental ingredient of their development lifecycles. Privacy must be embedded in every step of the process — from the whiteboard stage of a new IT project, program, system or campaign, through the design, development, quality assurance and release of the very same system.
When privacy and data protection officers partner with their IT and business colleagues, they gain key executive sponsorship and cooperation with their lines of business.
However, most privacy program offices are small compared to the whole organization. They are tasked with ensuring compliance with many different standards to manage sensitive information internally and externally.
Their workload means they cannot take part in every discussion contemplating a new IT system, program or campaign. What they can do is develop a framework for IT to use to incorporate privacy into their line of business programs, IT systems and processes.
So how can this work operationally?
Anyone who has built a home knows it's better to get the plans right in the beginning to avoid expensive, last-minute changes. Implementing a standardized and repeatable process where privacy is involved at the start of a project provides advice, guidance and review every step of the way.
Consider using automated tools so colleagues can request a privacy impact assessment (PIA) of the systems they are planning to build and deploy, and receive a reasonable estimate and timeline for the review. Involving privacy early will help avoid last-minute design changes or decisions.
While many organizations already conduct PIAs as part of statutory or regulatory obligations, the GDPR will soon mandate them.
PIAs, like security assessments, provide a good foundation to assess the potential and ongoing risk of systems and data flows within them, allowing privacy and data security teams to recommend and monitor appropriate controls. A programmatic approach like this allows privacy program managers and data protection officers to develop a service level agreement (SLA) with their colleagues in IT and the business.
Oversight From the Start
What would this look like in practice? Start by creating a new mandatory procedure — a quick and automated approval process — that all new IT systems, programs, campaigns or processes must go through before moving forward. Require this for all departments. Whether an idea is born in IT, marketing or at the business unit level, apply this process.
Privacy, data protection and security teams can at this point provide feedback recommending appropriate procedures and technical controls to ensure that sensitive data is made available to people who should have it and protected from those who should not.
Having this information at the beginning of a project allows important data lifecycle management provisions to be built in that ensure data is only retained as long as necessary. Archive or destroy the data at the end of the program as needed to minimize risk to the business.
This model puts privacy, data protection and security checkpoints into the project from the concept stage all the way through development, testing, go-live, production and end-of-life. As a mandatory element of any new program, PbD now becomes the standard way of doing business, not an additional burden.
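To make the checkpoint model above concrete, here is an added illustration in Python; it is not code from the article or from any product the article describes. It assumes a simple project record that moves through the stages named in the text (concept through end-of-life), a PIA checkpoint that must be approved before a project can advance, and a per-dataset retention period with an optional legal hold that suspends destruction. The stage names, dataset classifications, retention values and sample project are all constructed for the example, as are the function names.

```python
"""Added illustration of privacy checkpoints and retention enforcement.

Not from the article. Assumptions (constructed for this example): projects
pass through STAGES in order; a PIA checkpoint must be approved at the current
stage before advancing; every dataset holding personal data must have a
retention period before the PIA can be approved; a legal hold suspends
archive/destroy actions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Lifecycle stages named in the article; order matters for advance().
STAGES = ["concept", "design", "development", "testing",
          "go-live", "production", "end-of-life"]


@dataclass
class Dataset:
    name: str
    classification: str                 # "personal", "sensitive" or "non-personal"
    retention_days: Optional[int]       # None means nobody has decided yet
    legal_hold: bool = False            # a hold blocks destruction regardless of age


@dataclass
class Project:
    name: str
    stage: str = "concept"
    pia_approved_stages: Set[str] = field(default_factory=set)
    datasets: List[Dataset] = field(default_factory=list)
    ended_on: Optional[date] = None     # set when the program finishes


def pia_findings(project: Project) -> List[str]:
    """Blocking findings for the current PIA checkpoint; empty means approvable."""
    findings = []
    for ds in project.datasets:
        if ds.classification != "non-personal" and ds.retention_days is None:
            findings.append(f"{ds.name}: personal data with no retention period")
    return findings


def approve_checkpoint(project: Project) -> None:
    """Record PIA approval for the current stage, or refuse with the findings."""
    findings = pia_findings(project)
    if findings:
        raise ValueError(f"{project.name}: PIA not approvable: " + "; ".join(findings))
    project.pia_approved_stages.add(project.stage)


def advance(project: Project) -> str:
    """Move to the next stage only if the current stage's checkpoint is approved."""
    idx = STAGES.index(project.stage)
    if idx == len(STAGES) - 1:
        raise ValueError(f"{project.name} is already at end-of-life")
    if project.stage not in project.pia_approved_stages:
        raise PermissionError(
            f"{project.name}: PIA checkpoint for '{project.stage}' not approved")
    project.stage = STAGES[idx + 1]
    return project.stage


def retention_actions(project: Project, today: date) -> Dict[str, str]:
    """Per dataset: 'retain', 'hold', 'archive-or-destroy' or 'undefined-retention'.

    Retention is counted from the program's end date, so nothing is due while
    the program is still running.
    """
    actions = {}
    for ds in project.datasets:
        if ds.retention_days is None:
            actions[ds.name] = "undefined-retention"   # someone must decide
        elif project.ended_on is None:
            actions[ds.name] = "retain"
        elif ds.legal_hold:
            actions[ds.name] = "hold"
        elif project.ended_on + timedelta(days=ds.retention_days) <= today:
            actions[ds.name] = "archive-or-destroy"
        else:
            actions[ds.name] = "retain"
    return actions


def sample_project() -> Project:
    """Constructed sample: a marketing campaign with four datasets."""
    return Project("spring-campaign", datasets=[
        Dataset("customer_emails", "personal", retention_days=90),
        Dataset("web_logs", "personal", retention_days=30, legal_hold=True),
        Dataset("signup_form_ips", "personal", retention_days=30),
        Dataset("product_catalog", "non-personal", retention_days=None),
    ])


if __name__ == "__main__":
    p = sample_project()
    approve_checkpoint(p)
    print("advanced to", advance(p))
    p.ended_on = date(2024, 1, 1)
    print(retention_actions(p, date(2024, 2, 15)))
```

The two checks are deliberately separate: the checkpoint gate answers "may this project move forward?", while `retention_actions` is what a scheduled job would run after go-live to tell the data owner what is due for archive or destruction, and what is blocked by a legal hold or by a retention period nobody ever defined.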
Privacy by Design as Productivity Enabler, Not Inhibitor
Making it easier for employees to do their jobs while creating an ever-present culture of compliance requires organizations to adopt a risk-based approach to implementing their data protection programs. While that often starts with the legal and compliance team and ends with the CISO, it needs to focus on a day in the life of the everyday business user as well.
Help your IT colleagues and business users think of privacy and security controls as a productivity enabler rather than an inhibitor. While it may add a few steps to the overall process, a breach due to lack of privacy controls will cause any project to come to a screeching halt.
PbD allows organizations to realize the full potential of the data they hold, while maintaining compliance with external regulations and internal policies. With this approach, employees can work with full confidence in the data protection elements you’ve built in.