What is PbD, and why does it seem so abstract?
Privacy by design is a phrase that gets thrown around frequently. But for all its mentions, does anyone really know what that means? As we start to see U.S. state laws including provisions mandating privacy by design at an operational level, understanding the slippery concept is crucial for companies, attorneys, and anyone else involved in privacy and compliance.
We sat down with three privacy experts to learn how they implemented privacy in the wild. Here's Chris Handman, TerraTrue COO, Anthony Prestia, head of privacy at TerraTrue, and Jason Cronk, president of the Institute of Operational Privacy by Design, on how you should be thinking about your own PbD program's approach, build, and execution.
What’s privacy by design?
While privacy by design has been around since the 1990s, in 2009, Ontario Information and Privacy Commissioner Ann Cavoukian published her foundational work, “Privacy by design: The 7 foundational principles.” Her basic premise was and is that privacy can’t “be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”
Back in the day, Cavoukian defined PbD by seven principles. She said it must be preventative, default, embedded, uncompromising, end-to-end, transparent, and user friendly.
Those are all important goals, but they’re also very abstract, expressing goals rather than processes. Chris Handman laid out a more pragmatic approach to privacy by design, organized around three central pillars: “How do you measure intake? How do you assess? And how do you future proof?”
Intake
Privacy by design is only as good as your visibility into what your team is building. If you don't have a way of capturing what's coming down the pipe from product, engineering, or HR, the game has been lost.
Assessment
How can you quickly and predictably calibrate risk, identify what needs to be reviewed and what doesn't, and get rid of the repetition that so often slows people down.
Future-proofing
Not only are privacy laws and regulations laws constantly evolving, but your teams are as well. Product teams are evolving products faster and faster. The way to keep up is to figure out ways to operate at scale.
Why has privacy by design always felt so abstract?
Privacy by design has been around for decades, so why do so many organizations still struggle to understand it? TerraTrue COO Chris Handman said it has a lot to do with its history.
“It was an idea that was kind of realized before there was a real urgency felt for it,” he said. Cavoukian’s notions of privacy by design were articulated before the GDPR and the current spate of privacy laws. And so there’s always been a slightly academic dissonance between the way PBD was framed and the way it has been evolving in day-to-day practice.”
That disconnect leads to understanding privacy by design at a high level, but lacking specifics, said Jason Cronk, president of the Institute of Operational Privacy by Design.
“Either privacy by design means that you have to design privacy into your product, or it means Cavoukian’s seven principles,” he said. “But neither of these are really actionable things.”
TerraTrue Head of Privacy Anthony Prestia calls implementation “the true substance” of privacy by design. He said you should ask yourself what pillars you want to align your programs around when it’s time to do assessments, for example.
“That means figuring out your organizational risk level, what kind of laws are going to apply to you, and what framework you want to use to think about privacy,” he said. “How do I build privacy into my business, and how am I going to get stakeholder buy-in? Because if you don't have a good intake process, you've lost the game.”
Can you do privacy by design without tech?
While technology is a crucial part of privacy by design generally, some smaller businesses can get away with not implementing technology, said Cronk.
“Sure, if you're a florist shop. You can certainly design your business processes and forms and whatever and do privacy by design with that stuff.”
However, the more technology a company uses for its business processes, the more it will need for privacy by design. Once a small company starts to implement tools like CRM, they’ll need technology to implement PBD measures, such as access control and data deletion.
“At some point you reach an enterprise level where you're going to have to have some assistance of tools to run it if it's going to be effective and optimal.”
And it goes way beyond your internal technology use. As Handman points out, there are a whole range of societal, regulatory, and business changes that are making technology more important for privacy by design.
“When it comes to privacy by design at scale today, you've got too many forces that are making the manual approach an anachronism. You just can't do it anymore. You have businesses moving faster than ever, agile development, laws that change faster than ever and have more prescriptive mandates. And you have larger engineering and product teams that vastly outnumber the people on the privacy team.”
In part 2, we’ll explain how to start implementing privacy by design at an operational level.
