Privacy professionals generally understand, at least conceptually, what it means to implement privacy by design. If further guidance is needed, we can look to the NIST Privacy Framework or ISO 27701. If we want to better anticipate regulator expectations around PbD, we can refer to the European Data Protection Board Data Protection by Design and by Default Guidelines or U.K. Information Commissioner's Office guidance, among other resources. We can even go back to the original seven foundational PbD principles pioneered by Ann Cavoukian if we need a refresher on core PbD concepts. And if you search for "privacy by design implementation," you'll encounter a deluge of material from consulting firms and privacy tool vendors that tell you to "bake in" privacy controls or that provide high-level commentary on the EU General Data Protection Regulation's Article 25 (if you provide your email address, of course).
But where do you actually begin? While it may be obvious that privacy controls should be embedded into new products, features and processes that collect and use personal information, how do you get your product team to even consider such controls? How do you effectively evangelize the importance of PbD across the entire organization in a way that resonates across functions? And then how do you make your PbD processes self-sustaining? In other words, before you bake privacy controls into your products, how do you "bake" privacy into the organization?
As a concept that businesses subject to the GDPR are now legally obligated to implement via "appropriate technical and organizational measures," it might be fitting to share a few pragmatic tips on operationalizing PbD from a governance perspective on the regulation’s two-year anniversary, which was May 25. Overall, this article aims to provide privacy professionals with examples of how PbD programs have been practically executed in organizations of varying cultures, resources, technology and products.
This guidance is based on the experiences of myself, with additional insight from Dropbox Director of Privacy Sarah Pipes, CIPP/US, CIPT, FIP, and Facebook Global Security Compliance and Privacy Head Kathy Del Gesso.
Obtain C-level support
To make a significant change to company culture, you need executive-level support. This is truly non-negotiable. C-level messaging is even more crucial if you are building a privacy program from scratch. "With most initiatives, the importance of executive-level buy-in and support cannot be overstated," Facebook's Del Gesso said.
While getting executive-level buy-in seems straightforward, it’s not always easy. Depending on the organization and your place in the hierarchy, you may need to work your way up to the executive team. Fortunately, during my first few days of building Tinder's privacy program, I was able to get on the CEO's calendar to pitch the importance of PbD (20 minutes to be exact). On the same day, he sent out a companywide communication in support of my cause, and within 24 hours, I had an inbox full of meeting requests from every business unit vice president and an invite to present at the next all-hands. "Privacy and related PbD and essential topics should be reiterated from the top down," Del Gesso added. "It starts with leadership setting the tone to highlight the company commitment."
Make sure people know who you are and why you exist
While a C-level communication will get people to listen, you’ll want to get an audience to reinforce your mission and allow companies to put a face to the name. Del Gesso agreed and suggested the importance of PbD "can be amplified with a combination of CEO communications and all-hands meetings." Company all-hands and town halls provide a rare opportunity where you have everyone's attention. It’s through an all-hands that I introduced Tinder employees to the company's broader GDPR strategy, which included a walkthrough of the importance of PbD and when and how to trigger a data protection impact assessment. Knowing that every business group would be represented, I made sure my presentation included examples of privacy controls that were relevant to each specific function.
Get invited to the right meetings
After people know who you are and your mandate, it should be easier to embed yourself into day-to-day operations. But note that the various teams with whom you are working often won't know off the bat that you should be invited to their daily syncs, weekly standups or quarterly touchpoints. Make it a point to ask business unit directors and vice presidents where new features are discussed, problems solved and decisions made. "[I]dentifying the ideal interaction points/hooks into functional teams’ processes is the first step to ensuring PbD elements and other requirements are implemented," Del Gesso said.
Be aware that identifying where you fit in might be an exercise in trial and error. At Tinder, I found that it made sense to attend weekly product and engineering syncs to see what was coming down the pipe, reinforce PbD messaging and to get progress updates from the various teams, but it became redundant for me to sit in on daily scrums. Del Gesso recommends "facilitating focused discussions with product managers, technical program managers, or whoever the critical stakeholders are to learn what will be the least disruptive to the business and gain buy-in."
And make sure to identify your counterparts in other compliance groups who are likely attending the same meetings you should be. "Leverage your partner team like privacy/product counsel, security and compliance. They are knowledgeable and often have similar goals," Dropbox's Pipes said.
Leverage existing company tools and resources to automate PbD
To truly "integrate privacy" into a company's day-to-day operations, it’s crucial to use the same language, tools and processes used by your internal customers (e.g., Product, Engineering, and Marketing teams). This is especially important in tech, where the SDLC is an efficient machine. Dropbox is no exception, Pipes said.
"When working with other teams, we use the tools that those teams already leverage, from our product launch catalog to workflow management tools," she said. Similarly, at Tinder, I was introduced to a well-known ticket management and document collaboration tool, which I learned to master in a few weeks and that I leveraged to facilitate (and eventually automate) the PbD review process within engineering teams. I also worked with a security engineer to set up a process that automated notifications to the privacy team inbox every time a new S3 bucket had been created and that also notified the "bucket owner" that a privacy review was required (i.e., if the resource stored personal information.
In addition, I showed one of my clients how to implement a useful app integration in Slack, his company's messaging platform (and the only way his engineering team communicated), which provided him the ability to trigger his chosen privacy vendor's privacy impact assessment process through a simple chat command. Mastering and integrating with existing company resources and tools familiar to the teams with whom you work is essential.
Learn as much as you can about the product
In addition to learning how to best collaborate with your teams, it's important to demonstrate that you understand the product beyond a compliance perspective. "Our Privacy team puts a lot of effort into learning what we can about the product, feature or other change at hand before meeting with our business partners," said Pipes, adding that this includes studying documentation and any prior assessments. "We find an immediate return on the time invested since we become both better partners and better educated overall."
For me, at Tinder, this was also true. I found that coming to meetings with a thorough understanding of the feature being deployed, vendor being considered or technology being developed demonstrated to stakeholders that I was invested in the product as a whole and not just conducting an exercise in compliance. "Coming to the meeting already educated reduces the burden on your business partners and increases your odds of a fruitful partnership," Pipes added.
Assess against the appropriate framework
In addition to identifying the venues through which PbD reviews can be most efficiently triggered, what's equally as important is establishing an appropriate framework against which you'll assess these new features, products and processes. And the right framework really depends on the specifics of your organization.
"The key again is finding the right-sized fit for your company, given the type of data collection and processing, regions of operation, size of privacy team and other potential security-related frameworks in place," Del Gesso said. "If you already have a robust security program based on NIST's Cybersecurity Framework, the NIST Privacy Framework might be the best option for you. For smaller startups or companies just beginning their privacy journey, bolting on to an existing framework, like the ISACA Privacy Principles (based on Cobit 5), could be the most lightweight and seamless option. For companies with enough resources and nuanced needs, creating your own framework might be the perfect solution."
There are indeed multiple approaches. I've had clients ask for PbD assessment questionnaires based on the requirements outlined in specific legislation, whereas other clients have asked for custom frameworks based on a combination of regulator guidance and industry best practices. Pipes said Dropbox takes a "practical and Dropbox-specific approach to PbD controls ... and factor a number of framework types into our overall strategy." She adds that her framework considers a variety of standards, such as ISO 27001, ISO 27018 and the CSA GDPR Cloud Code of Conduct. "We’ve found that a tailored multi-framework approach is more immediately impactful to our PbD program and drives meaningful conversations."
Leverage existing resources
While privacy is top of mind for most companies, we're still a cost center at the end of the day, often resulting in limited budgets and finite resources. To get around this, designate existing resources as extensions of the privacy function.
"Where there is a resource shortage, privacy champions should be identified across the company to act as force multipliers of the privacy messaging with their functional areas," said Del Gesso, who noticed this works "particularly well on engineering and product teams where having the message come from within the team can be extremely powerful."
Establishing formal titles, like "Privacy Champion" or "Advocate" or "Liaison," is an effective way to garner interest among employees to volunteer for the added responsibilities, like ensuring that a PIA is initiated when their teams are making a change to an existing processing activity.
Partnering with information security and similar functions can also facilitate additional privacy coverage. To ensure PbD is built into its products, Pipes partners closely with Dropbox's product and privacy counsel, risk and compliance, security teams and the data protection officer.
Constantly remind and continuously educate
The need for PbD is perpetual. Companies continually innovate and improve their products, which often results in new or changes to existing personal information processing activities. So persistent, consistent and creative messaging is key to ensuring privacy is kept top of mind, which can be achieved through regular privacy-themed communications and events.
At Tinder, I instituted recurring invites entitled "Clean Your Desk Day," where I blocked everyone's calendar for an hour of mandated workspace and file cleansing (in compliance with the company's data retention and disposal policies, of course). Additionally, distributing "swag" was a huge part of the culture, so I set aside a budget for privacy-themed T-shirts and other giveaways for teams that proactively triggered their first PIA. Similarly, earlier this year at Dropbox, Pipes' team held a Data Privacy Day celebration that included privacy leaders from both inside and outside the company, which she says are generally well attended.
Employee training is also key to reinforcing PbD principles and educating staff on their PbD obligations. "New-hire and annual training is helpful to keep privacy top of mind for employees and to know the company is taking it seriously," added Facebook's Del Gesso. "It’s constant training and buy-in. I don’t think you’re ever done with the education process."
Demonstrate PbD's value, and improve your methodology
Illustrating the value of our work has never been easy, and metrics related to privacy often focus on data breach response outcomes and data subject access request targets. But there are ways in which we can specifically demonstrate how PbD brings value to organizations.
Del Gesso recommends "focusing on reviewing project resourcing and duration with a before-and-after perspective of similar projects," like comparing a project "conducted prior to PbD where rework was required later in the process because of a lack of privacy review, to a similar project where PbD was incorporated into the life cycle."
Here's a real-life client example: Measuring the number of customer inquiries/complaints post-implementation of a feature utilizing a just-in-time privacy notice and requisite in-app FAQ versus the number of inquiries/complaints received after a similar feature was simply rolled out without notice. In my experience, the just-in-time privacy notice resulted in a drastic reduction in inquiries regarding the feature.
While incorporating PbD controls across an entire organization can seem daunting, there are several critical steps you can take to start establishing your PbD program.
- Engage your leadership to bring the message early.
- Leverage existing tools and processes to operationalize PbD controls with ease and efficiency. "Lean on what's already in place," Pipes suggests. "Keep it simple and practical." Del Gesso agrees.
- Constantly remind employees about their PbD and broader privacy obligations, and be creative in how you continue to engage them.
"The key to instilling Privacy program concepts at an organization is to communicate, educate, and then do it all over again," Del Gesso said. "The job is never really done."
Editor's Note: These opinions belong to the author and those he interviewed and not the companies they represent.
Photo by Dayne Topkin on Unsplash
If you want to comment on this post, you need to login.