When advising clients on Privacy by Design (PbD) implementation, I often feel like the voice in his or her head is saying, “I see your lips moving, but all I hear is blah, blah, blah.” After experiencing those moments a few times, it occurred to me how professionals living in the PbD space are speaking a different language from business owners, product and service designers, and those in charge of privacy compliance for their organization. The purpose of this article is to demystify PbD (a bit), and to offer some practical advice for businesses looking to implement PbD in its products and services.
As an initial matter, it is important to define what is meant by personal information. The days of personal information being limited to first name or initial and last name, plus social security or driver’s license number, or financial or health information, are quickly coming to an end. Coming on the heels of the General Data Protection Regulation (GDPR) in Europe, many US states have implemented or are considering laws that define personal information as any information that identifies a person or household. That is an extraordinarily broad definition, and why PbD is going to be so crucial going forward, even if not legally required. (PbD is legally required under GDPR, which is an extraterritorial law that affects your business if you collect personal information from consumers while they are physically located in the European Union, regardless of that consumer’s nationality.)
PbD is not a new concept. In fact, the PbD concept was created by Ann Cavoukian in the 1990’s. The PbD framework was published in 2009, and quickly adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities. The framework itself, while excellently stating the concepts, does very little to assist a business with practical execution.
The PbD framework has seven foundational principles:
Proactive not Reactive; Preventative not Remedial. The PbD, approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred – it aims to prevent them from occurring. In short, PbD comes before-the-fact, not after.
Privacy as the Default. We can all be certain of one thing − the default rules! PbD seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
Privacy Embedded into Design. PbD is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.
Full Functionality – Positive-Sum, not Zero-Sum. PbD seeks to accommodate all legitimate interests and objectives in a positive-sum “win- win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.
End-to-End Security – Lifecycle Protection. PbD, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved – strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, PbD ensures cradle to grave, secure lifecycle management of information, end-to-end.
Visibility and Transparency. PbD seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to both users and providers alike. Remember, trust but verify!
Respect for User Privacy. Above all, PbD requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!
Now that you have those PbD principles in mind, how can your business best execute its PbD efforts? While there is no roadmap that fits every business, after advising many clients on that very question I offer the following as suggestions to begin your journey:
Support from the highest levels is crucial
When the leadership of an organization leads by example, those that look to leadership for guidance will emulate and embrace the same principles and priorities. It is an absolute must that all levels of leadership embrace PbD and the challenges, consequences, and rewards that come from it. If there is limited, or no, or only lip service support of PbD by leadership, PbD will be dead on arrival and the efforts to execute PbD will suffer the same fate.
Appoint a privacy champion
There is no right or wrong approach to this step, but it is important to have at least one individual responsible for, and empowered to, make privacy and PbD efforts a priority. This person may be a Chief Privacy Officer, a Data Protection Officer (more likely if your organization is subject to GDPR), an associate general counsel in charge of privacy efforts, or similar title. This person is your privacy hero, the person you can trust to execute the organization’s PbD efforts so that other leadership can focus on their responsibilities while simultaneously supporting these PbD efforts.
This person must be someone that has a strong background in data protection and privacy laws. There are many backgrounds that can fill this role, although I have seen organizations have the most success with privacy attorneys filling this role because of their risk adverse nature, analytical ability, and problem solving skills. Attorneys often have much more comfort saying “no” to an overzealous marketing or alternative revenue scheme.
Finally, this person must have authority to make decisions, have the confidence to make those decisions and not become paralyzed at difficult times, and be an individual that those being advised by this person will accept and trust that person’s answers and direction.
Utilize Privacy Impact Assessments (PIA)
Required under GDPR, properly using a PIA at the outset of the creation of any new product or service will ensure an organization will execute its PbD efforts with the greatest likelihood of success. If an organization succeeds at PbD without the use of a PIA, it was pure luck.
A PIA can be executed in many ways, and each organization must come up with one that best works with its products/services and how its business operates. When assisting clients with the creation of their PIA, I have not had two clients that have the same considerations, questions, or priorities. At a high level, a PIA would consist of:
Criteria to determine if a PIA is necessary. An assessment of what data is collected, how it is used and shared, and what controls can be given to the consumer over the use, collection, storage, dissemination, and destruction of that data.
Determine and document how the data flows for the product/service will function.
How does the organization collect from the consumer?
Will the user unilaterally share data with other users of the product or service, with third parties?
Will the organization share any data with the user?
Will the organization share any data with its service providers?
Will the service provider share any data with any third parties, either for additional services or as a further sale?
For the data that is collected, what are the privacy and data protection risks facing the organization. Is there anything unique about that data (e.g. PCI, HIPAA, GLBA, CCPA, GDPR regulated data)?
For the challenges identified in the above steps, identify, evaluate, and document the solutions to those problems.
Come to a consensus on the agreed steps and formally sign-off.
When moving forward with the product or service project plan, determine how to best implement the PIA into the project plan. Work through the entire project plan, interjecting the PIA whenever appropriate.
Treat the PIA as an ongoing effort, and include all internal and external stakeholders at the outset and during the creation of the PIA, during the execution of the project plan, and on an ongoing basis once the product or service is launched and as modified over time.
Focus on consumer choice on privacy-related decisions
What is the biggest philosophical change for most organizations is giving the consumer almost unlimited choice in how their information may be collected, used, shared, and kept. This approach is required by existing laws in both Europe and the United States, with more than a dozen states (as of this writing) considering the same requirements and restrictions. The privacy notice getting by with “we may use your data in other ways we believe may be of interest to you” and gone or quickly fading.
The best PbD approach opts out by default of any unnecessary collection or sharing, forcing a consumer to affirmatively opt-in to such collection or sharing. We commonly see this approach with opt-in boxes that are not pre-ticked. PbD and recent privacy laws are the reason for this new approach and is the future of the collection of personal information from consumers.
Rarely let budget drive privacy-adverse decisions
The privacy champion that we determined above is absolutely essential and largely will be divorced from budgetary concerns when making privacy-related decisions. This will fly in the face of others, such as the Chief Financial Officer or project owner. That dichotomy does not have to lead to paralysis, and one of the new roles of upper management is to ensure that the bottom line does not drive poor consumer privacy decisions.
Any organization must consider the economics of a new product or service. The PbD approach is to find one or more ways to have an economically successful product or service while still giving the consumer wide control over the further use of the information collected (e.g. make money without also selling that consumer information to third parties for marketing purposes).
Dispose of data when no longer needed
Another PbD principle that may be difficult for an organization is to dispose of data when it is no longer needed. If nothing else, defining “when no longer needed” will lead to some opposing interests and possibly expanded definitions of “when no longer needed.” Ultimately, if data is collected from a consumer to provide a one-time product or service, that data should only be kept as long as necessary to deliver the product or service. Certainly the organization can keep transactional data to document the transaction, provide warranty or recall service, as required by law, and as may be anonymized for internal metrics purposes. (Note that “anonymous” and “pseudo-anonymous” data may not mean what you think, and you should review this closely before making any assumptions.)
A data retention program is an excellent undertaking and approach for an organization to tackle this data disposal challenge. A properly maintained data retention program will consider the data collected on an ongoing basis, as the data, purposes, and sharing of that data may change with any given new product or service.
Develop a well thought-out and comprehensive privacy notice
Disclosure of what categories and specific data is being collected
The reason for the collection of that data
With whom is that information is being shared, such as third party vendors, marketing partners, and purchasers of the data
How long is the organization retaining that data
What rights does the consumer have (e.g., right to be forgotten, right to know what data is on hand, right to correct data, right to know with whom data was shared), and how does the consumer exercise those rights. These rights are dictated by applicable law, although the organization can make these rights available to all consumers and/or expand the rights
Investigating and accurately reporting the above information in a Privacy Notice is not a light undertaking, and requires input from multiple organizational departments (e.g. Human Resources, marketing, information technology, social media, web site and mobile apps). If your organization has avoided being subject to one of the new consumer privacy laws and has not already been forced to discover answers to the above questions, such as through data mapping, it is just a matter of time until you will be forced. A prudent choice would be to undertake this project now, not when your organization will be facing a deadline.
No organization is going to have the same journey when implementing PbD. Some will find a culture that welcomes the effort and others will struggle because of entrenched mentality or fear of change. The latter cultures will not survive, that is no longer a question. The correct question to ask is how to implement your PbD program with the approach, best attitude, and winning support that will make the path forward the most rewarding and least disruptive.