Blog Post

Discussing the Essential Ingredients for Privacy by Design

Many firms struggle with Privacy by Design, as unlike most other compliance requirements, it does not have a definitive outcome. Implementing Privacy by Design requires a fundamental change in the corporate mindset and impacts some of the most critical business processes. In particular, it affects those linked to innovation, product/software development and the application of data science, analytics and AI.

Organisations across all industries, but especially highly regulated ones such as hi-tech, media, healthcare and financial services, need four essential ingredients to support a successful Privacy by Design initiative. These are:

  1. Early visibility of projects. Privacy and data governance teams need a mechanism to gain visibility of projects and initiatives involving the processing of personal data. Often one of the challenges is that privacy leaders aren’t aware of a project until an issue becomes critical, which can lead to greater risk exposure, project delays, increased costs and rework.
  2. Ownership and accountability. Clear roles and responsibilities must be defined for privacy compliance across numerous business functions. For example, software development or product management processes need to be adapted to include privacy checks and gates requiring approval or sign off by the designated stakeholders. At the same time, this must be proportionate for the organisation and not overly demanding. A potential route is to extend or mimic existing information security processes, which are often more mature.
  3. Organisational models and lines of communication. Privacy by Design relies heavily on collaboration, communication and transparency. Having a robust data governance framework and an adequately resourced privacy function are essential. It is also critical to have clear communication and good working relations between the chief data officer (CDO) (or equivalent), privacy and information security teams. They need to collaborate effectively and develop a good working relationship with IT and product/project teams.
  4. Executive sponsorship and culture. Establishing a strong culture of data and privacy awareness can have a huge impact on success. Executive sponsorship and a clear tone from the top are needed to reinforce the importance of putting privacy and data considerations at the heart of an organisation. Linking the changes or additional effort to business benefits and value creation is also critical. Example metrics include improved productivity, reduced time to market or development costs, increased customer satisfaction and reduced risk.

Applying the principles of Privacy by Design can yield sizable benefits to any organisation harnessing automation and analytics in the processing of personal data. With the increased use of AI systems and automated decisions, this is only becoming more relevant. These benefits apply both to customer-facing (or market-facing) products and initiatives and to internal programmes aimed at employee and operational efficiency.

I’ll be discussing this topic during our presentation session, ‘Privacy by Design — How a Privacy Culture Can Drive Innovation’ at 11:00 a.m. on Thursday, 24th March 2022, at IAPP’s Data Protection Intensive 2022, in London. I’ll be joined by Gloria Greco (Stryker) and Odvar A. Bjerkholt (BT) to share perspectives and experiences from our current projects and hear insights from privacy experts in the telecoms and medical device industries. So please join our session and visit us at stand 14 in London if you are attending.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.