Cyber Risk Advisory
Privacy-By-Design… Not by Accident
The concept of privacy-by-design was actually devised almost 30 years ago by Ann Cavoukian, PhD, former Ontario Information and Privacy Commissioner. If you’re reading a blog about privacy, chances are good you have at least a passing familiarity with Dr. Cavoukian’s seminal contribution to the field. The seven foundational principles (full document here) work together to achieve privacy goals by making them central to how the organization conducts business:
- Proactive, not reactive, preventative not remedial.
- Privacy as the default setting.
- Privacy embedded into design.
- Full functionality – positive-sum, not zero-sum.
- End-to-end security – full lifecycle protection.
- Visibility and transparency – keep it open.
- Respect for user privacy – keep it user-centric.
Even though privacy-by-design was developed to create greater privacy protection than can be achieved through regulations, many companies still treat it as another compliance requirement. As a result, privacy is too often addressed from a basic policy approach – for example, by simply adhering to GDPR Article 25, “Privacy by Design and Default,” and calling it good. In the early days of GDPR, Coalfire Privacy saw many “Privacy by Design” policies making blanket proclamations that all products would be designed with privacy as the default, while offering no methodologies, process gates, or acceptance criteria to make the policy enforceable or even useful.
Privacy-forward strategy promotes company progress
Privacy as a feature has become more commercially important in recent years. Savvier organizations use privacy-by-design principles to support better product design and release strategies, requiring privacy checks at various stages of product development, and even baking it into their DevOps lifecycle. This is progress! Privacy can’t be added as an afterthought any more than security or quality, and companies who rely on privacy as a differentiator are enjoying some real success with these approaches.
But as with security and quality, bigger gains await. Building privacy into the company’s core values and becoming truly privacy-forward requires the organization to take a hard look at its daily operations beyond product development. This is a multidisciplinary exercise involving discussions across departments and functions to develop a detailed understanding of end-to-end business processes. It allows everyone to describe their role in the process, what data or inputs they receive, how they use (or don’t use) those inputs, and what they produce that will then be consumed by the next department or function. Consider the familiar process of developing a new product, which involves representatives from various departments that must collaborate and understand their roles, and to now assure privacy protocols at every stage:
- Marketing: the addressable market, competition, opportunities, features, and price point.
- Sales: current customer requirements and challenges.
- Legal/compliance: regulatory and contractual risks and requirements that impact design, features, permissible data collection and retention, and notice and consent election requirements across jurisdictions.
- Product management: requirements, fit and function within the existing product portfolio, design considerations, and technology.
- Engineering: technical design, implementation details, quality, timelines, and cost.
- Operations: deployment and support requirements, potential conflicts with existing processes.
- Infosec: security requirements and implementation.
Why collaboration is critical
Getting these groups together to discuss the complete process can result in a clear-eyed and highly actionable view of how the company develops new products. As a bonus, it often identifies surprising inefficiencies, misunderstandings, and avoidable problems. From a privacy perspective, the entire process can be fine-tuned by those who best understand it to ensure that data collection, processing, and retention closely align with the company’s market objectives, regulatory and compliance requirements, customer expectations, and technology capabilities. If practiced with care, privacy-by-design results in a highly efficient and effective privacy-forward organization.