Privacy by design: Five critical steps to move beyond compliance
Build customer trust and reduce compliance costs with an actionable plan for establishing privacy by design in your organization.
by Amanda Chan, Aditi Kulkarni, Ash Pembroke, Prasad Sonawane, and Thomas Tran
Focusing the privacy conversation
Everyone's talking about privacy. Recurrent security breaches, new privacy regulations, and revised company privacy policies have consumers realizing just how often their personal information is shared—and most aren't happy about it. A recent Pew Research Center study found that 79% of American adults are concerned about how companies use their personal information, 81% believe the potential risks outweigh the rewards, and 70% feel that their data is less secure today than it was five years ago.
People understand that handing over their personal information is what makes “free” services possible. However, previous research indicates that even with the added value of personalized services, many consumers still view targeted advertisements based on their data as an invasion of privacy.
Although digital platforms may offer free services, their primary business model drives revenue by aggregating and selling data via advertising. This explains why many of our clients are investing in opportunities to centralize and monetize data sets that can be valuable to the company and the public at large—if privacy is addressed effectively.
79% of American adults are concerned about how companies use the data they collect about them and 81% think the potential risks outweigh the rewards.
The costs of reactive compliance
The cost of responding to new consumer privacy regulations by reactively meeting the minimum requirements will continue to rise. GDPR in Europe was the first, then CCPA in California, now Vermont. All told, 26 US states opened or voted on consumer privacy regulations in 2019.
Regulatory environments are difficult to predict, and there are material costs to being totally reactive or treating them as individual exercises. The fundamental issue is that privacy is notoriously difficult to engineer into a product retroactively. Now that technology leaders have started calling for privacy by design to be applied as part of the product process, we’ve gathered some key concepts to help organizations move forward.
Five steps to establish privacy by design in your organization
Consider a proactive, yet pragmatic, approach to privacy. First, invest in business competencies and technology capabilities that are flexible enough to address multiple needs and also support long-term business agility. Then, leverage those competencies to create new products or marketing for existing offerings with data privacy as an added value. As you’re looking ahead on specific rulings in the regulatory space, you're proactively building readiness to efficiently respond to new interpretations.
By following the five steps below, your organization will experience improved levels of product security, user trust, and capacity to deliver exceptional user experiences.
1. Form a guardianship committee
The first step to kicking off any organization-wide effort is to align perspectives from leaders and gain executive sponsorship. Companies traditionally addressed privacy by administering policies and assigning responsibilities to a few technical specialists. Now, the stance on privacy has flipped—from the localized defensive to the systematically proactive. With our clients, we've witnessed cohesive approaches to managing privacy, data, and security. At Slalom, we define the intersection of these three parts as guardianship.
Industry-leading guardianship committees have cross-functional representation, senior visibility, and budget to implement a program-based approach. While these committees often form as a reactive response to specific regulation changes, we see a long-term opportunity to nurture the charter around privacy by design for the enterprise. An empowered guardianship committee can proactively and holistically address your organization’s ongoing agendas and upcoming strategies around privacy.
2. Conduct a privacy impact assessment
If your organization doesn't have a strategic privacy plan, establish the groundwork by conducting a privacy impact assessment:
- Audit technical and business practices that involve customer data.
- Determine what classes of information are being used and shared, and how critical they are to your business and its operating model.
- Compile an inventory of all data flows, corresponding dependencies, critical path activities, and failure points.
- Assess your data flows to identify gaps between consumer trends, regulatory requirements, and your organization’s existing processes.
Ultimately, your findings will indicate strategic opportunities to focus on as you address both immediate and long-term privacy goals.
Ensure that your implemented processes are effective by conducting internal audits on a routine basis to uncover and address gaps before they become an issue with regulators. The process for privacy audits should be established up front by scheduling recurring reviews. Once you understand what behaviors from your datasets trigger audit findings—as well as the tracking and enforcement that follows—drive quality and adaptability by exploring program enhancements such as machine learning, automated record keeping, and signal monitoring.
3. Implement a privacy framework
The key to implementing well-structured privacy by design is to evaluate and choose a framework that suits your organization’s goals. Common frameworks that our clients use include NIST, BSA, NYMITY, and GAPP. Adopting a framework provides your organization with industry-leading practices that adapt to changes in consumer preferences, regulatory laws, and ethics.
Each framework has its own set of nuances and strengths. You can adopt multiple frameworks to add layers of depth to your organization’s privacy program. For example, adopting NYMITY will implement processes that ensure coverage for GDPR. NIST is less concerned with GDPR and more focused on how to build a programmatic approach to managing privacy that may complement an existing framework within your organization, such as ISO and PCI. You can combine concepts from both NYMITY and NIST, or other privacy frameworks, to cover parameters that fit your enterprise’s privacy goals.
There is no “one size fits all” approach. Find a framework (or combination of frameworks) that works well with your organization’s existing configurations.
The stance on privacy has flipped—from the localized defensive to the systematically proactive.
4. Integrate privacy by design in product development
Traditionally, companies believed that valuable insights for solving business problems could only be gained by exposing all attributes of customer data and making that data widely accessible across the enterprise. Now we believe that teams should perform the exercise of understanding the minimum amount of data needed to produce a positive end-user experience.
Privacy by design, originally developed by Ann Cavoukian, is an approach to systems engineering that makes privacy the default expectation. Privacy becomes integral to organizational priorities and is embedded into every standard, protocol, and process. Data access is no longer freely shared, but only given with a legitimate business reason and then managed—not set and forgotten. Data is masked and anonymized when possible.
Adopting privacy by design as one of your product design principles not only embeds privacy and security within the products themselves, it also satisfies all legitimate business interests while permitting full functionality. The core difference is that privacy by design concepts not only extend to support adherence to multiple regulations and software paradigms, but also enable a dynamic approach to fulfilling the constantly evolving expectations of your customers.
5. Build a customer privacy portal
Due to the myriad of emerging regulatory requirements and evolving consumer data preferences, it's now operationally prudent to include transparency in the data supply chain. CCPA legislation, for example, provides California residents the right to know what personal information is being collected on them, understand how that information is used or sold, and request deletion of that information. Data from Pew Research also indicates that while the majority of Americans (75%) think there should be more government regulation of what companies can do with personal data, 55% think that better tools for allowing people to control their personal information themselves would be more effective for safeguarding personal data than stronger laws.
Consider building a customer privacy portal that enables customers to make decisions about how their data is managed. Empowering customers to view and manage their data will build user trust and address concerns around how companies use personal information. Transparently informing customers what data is being collected helps meet regulatory requirements while increasing long-term customer loyalty and retention.
Pragmatically approaching the future
Data is the currency of choice for companies and brands who want to build tailored consumer experiences. In the last decade there’s been unprecedented growth in companies that rely solely on data for revenue generation. Slalom views data guardianship as a core tenet to fostering a modern culture of data. The conversation is shifting towards how to deliver innovative experiences with secure PII as part of the company’s DNA and brand. Leaders who grow their organizations using privacy by design principles will future-proof their enterprise from regulators and simultaneously create beneficial customer experiences through their services, platforms, and products.
