A Practical Guide to Privacy by Design
The global regulatory environment for data protection is increasingly complex and the penalties for noncompliance are higher than ever.
October 04, 2017 at 11:54 AM
The global regulatory environment for data protection is increasingly complex and the penalties for noncompliance are higher than ever. Adding to this mix, enforcement of the EU's General Data Protection Regulation (GDPR) begins May 25, 2018. Failure to comply with GDPR comes with substantial financial penalties: up to €10 million or 2 percent of a company's annual global turnover, whichever is higher, for certain violations, and up to €20 million or 4 percent of annual global turnover, whichever is higher, for other offenses.
A Growing Strategic Necessity: The Importance of Privacy by Design
Among other rights and obligations, GDPR writes the concept of Privacy by Design into regulation: Article 25 requires "data protection by design and by default." Despite the ubiquity of the Privacy by Design phrase, many questions remain about what it looks like in practice and how to meet the compliance requirement. Leading articulations of Privacy by Design, such as Ann Cavoukian's seven foundational principles, emphasize end-to-end security, transparency and user-centricity. Similarly, the UK Information Commissioner's Office describes when a data protection impact assessment (DPIA) should be performed: where a new technology is deployed, where a profiling operation is likely to significantly affect individuals, or where sensitive data is processed on a large scale.
But Privacy by Design isn't just a matter of regulatory requirement or impact assessments. The goal of Privacy by Design is for the business to consider privacy risk and implications at the start — and throughout the entire lifecycle — of a business process, decision or initiative. It's about how companies decide to collect, process and retain sensitive information. And these decisions about information use have become mission critical.
Corporate success is increasingly defined by access to and management of large sets of sensitive, personal information about employees and customers. For example, many organizations are using their stockpiles of data to personalize marketing campaigns in entirely new ways such as promotions built around individual buying habits. Other companies are using personal data to improve product quality or as direct sources of revenue. In fact, revenue growth rates from information-based products will double that of the rest of the product/service portfolio by the end of 2017.
But as the corporate value of sensitive information rises, consumer trust may be eroding. Eighty-seven percent of consumers believe adequate safeguards are not in place to protect their personal information. Seventy-nine percent of consumers say they would be unlikely to share data with companies they do not trust. Without adequate protections in place, companies risk turning off valuable sources of information.
Failure to build confidence in the safety of personal data will limit corporate access to and use of this information. Privacy by Design is the organizational key to sustainable information management that accounts for rapidly changing regulatory and public expectations. Done correctly, it is the process that enables information-rich and increasingly digitized businesses to flourish.
Implementation Stalled
Given the regulatory mandate and the strategic importance, it is no surprise that 85 percent of Chief Privacy Officers plan to implement Privacy by Design in the next two years. Unfortunately, implementation is proving difficult. Even with years of advance notice, only 36 percent of privacy executives expect to have it implemented by May 2018. Why the implementation struggle?
The definition of Privacy by Design makes it clear that General Counsel and privacy executives cannot simply write policies, map data flows and automate deletion processes to drive implementation. Privacy by Design requires a change in organizational mindset and behavior. Its implementation is a matter of enabling the business to act in accordance with core privacy principles. Getting the business to act requires the following:
- Broad-based Privacy Consensus: Without agreement on the right set of behaviors, it is difficult to direct the business to adopt new considerations that, in its view, limit the use of data. General Counsel and privacy executives need to forge senior-level privacy consensus and cascade it throughout the organization.
- Easy Implementation: The harder it is for employees to consider privacy risk in their day-to-day jobs, the less likely that they will comply. Privacy considerations need to be built into existing operations.
- Ongoing Visibility into Risk and Cost: To effectively manage risk, functional and business leaders need visibility into changing privacy risk (and cost) within operations. Executives need to know when and where risks emerge as regulations, processes and data flows change.
Without accounting for these organizational requirements, efforts toward Privacy by Design will fail to meaningfully take hold across an organization.
A Path Forward
Implementing Privacy by Design is therefore about creating the organizational conditions that allow policies and requirements to take hold in the business. General Counsel and privacy executives must:
1) Build a Privacy Risk Consensus by facilitating agreement on the right approach to data collection and use at all levels of the organization. This means facilitating stakeholder discussions about privacy risks, discussing tradeoffs of different privacy approaches and documenting conclusions in privacy statements and operational guidance. Business leaders should collaborate on privacy guidance to ensure business relevance and to reflect senior-level support.
2) Build in Privacy Considerations so that they become natural parts of business systems and processes. This means working with business and function leaders to build privacy into existing business systems and workflows, avoiding extra steps and handoffs and achieving business (not just Privacy function) objectives.
3) Ensure Ongoing Visibility into changing privacy risk and the effectiveness of risk management activities. This requires standardization of incident root causes, tracking of privacy impact assessment (PIA) mitigations and shared access to privacy dashboards. Privacy by Design cannot take hold without a process for tracking new and changing uses of information.
Collectively, these three components—privacy risk consensus, built-in privacy and ongoing visibility— define successful, sustainable implementation of Privacy by Design because they incorporate business and functional stakeholder needs into decision-making. Without these three components, efforts to improve privacy risk management will fail to be effective. And a failure doesn't just risk regulatory fines, but the loss of critical information processing capability.
Abbott Martin is a legal research leader at CEB, now Gartner, a research and advisory company headquartered in Stamford, Connecticut.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.