News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to operationalize privacy by design Related reading: A view from DC: Will Maryland end the era of notice and choice?

rss_feed

Privacy professionals generally understand, at least conceptually, what it means to implement privacy by design. If further guidance is needed, we can look to the NIST Privacy Framework or ISO 27701. If we want to better anticipate regulator expectations around PbD, we can refer to the European Data Protection Board Data Protection by Design and by Default Guidelines or U.K. Information Commissioner's Office guidance, among other resources. We can even go back to the original seven foundational PbD principles pioneered by Ann Cavoukian if we need a refresher on core PbD concepts. And if you search for "privacy by design implementation," you'll encounter a deluge of material from consulting firms and privacy tool vendors that tell you to "bake in" privacy controls or that provide high-level commentary on the EU General Data Protection Regulation's Article 25 (if you provide your email address, of course).

But where do you actually begin? While it may be obvious that privacy controls should be embedded into new products, features and processes that collect and use personal information, how do you get your product team to even consider such controls? How do you effectively evangelize the importance of PbD across the entire organization in a way that resonates across functions? And then how do you make your PbD processes self-sustaining? In other words, before you bake privacy controls into your products, how do you "bake" privacy into the organization?

As a concept that businesses subject to the GDPR are now legally obligated to implement via "appropriate technical and organizational measures," it might be fitting to share a few pragmatic tips on operationalizing PbD from a governance perspective on the regulation’s two-year anniversary, which was May 25. Overall, this article aims to provide privacy professionals with examples of how PbD programs have been practically executed in organizations of varying cultures, resources, technology and products.

This guidance is based on the experiences of myself, with additional insight from Dropbox Director of Privacy Sarah Pipes, CIPP/US, CIPT, FIP, and Facebook Global Security Compliance and Privacy Head Kathy Del Gesso.

Obtain C-level support

To make a significant change to company culture, you need executive-level support. This is truly non-negotiable. C-level messaging is even more crucial if you are building a privacy program from scratch. "With most initiatives, the importance of executive-level buy-in and support cannot be overstated," Facebook's Del Gesso said.

While getting executive-level buy-in seems straightforward, it’s not always easy. Depending on the organization and your place in the hierarchy, you may need to work your way up to the executive team. Fortunately, during my first few days of building Tinder's privacy program, I was able to get on the CEO's calendar to pitch the importance of PbD (20 minutes to be exact). On the same day, he sent out a companywide communication in support of my cause, and within 24 hours, I had an inbox full of meeting requests from every business unit vice president and an invite to present at the next all-hands. "Privacy and related PbD and essential topics should be reiterated from the top down," Del Gesso added. "It starts with leadership setting the tone to highlight the company commitment."

Make sure people know who you are and why you exist

While a C-level communication will get people to listen, you’ll want to get an audience to reinforce your mission and allow companies to put a face to the name. Del Gesso agreed and suggested the importance of PbD "can be amplified with a combination of CEO communications and all-hands meetings." Company all-hands and town halls provide a rare opportunity where you have everyone's attention. It’s through an all-hands that I introduced Tinder employees to the company's broader GDPR strategy, which included a walkthrough of the importance of PbD and when and how to trigger a data protection impact assessment. Knowing that every business group would be represented, I made sure my presentation included examples of privacy controls that were relevant to each specific function.

Get invited to the right meetings

After people know who you are and your mandate, it should be easier to embed yourself into day-to-day operations. But note that the various teams with whom you are working often won't know off the bat that you should be invited to their daily syncs, weekly standups or quarterly touchpoints. Make it a point to ask business unit directors and vice presidents where new features are discussed, problems solved and decisions made. "[I]dentifying the ideal interaction points/hooks into functional teams’ processes is the first step to ensuring PbD elements and other requirements are implemented," Del Gesso said.

Be aware that identifying where you fit in might be an exercise in trial and error. At Tinder, I found that it made sense to attend weekly product and engineering syncs to see what was coming down the pipe, reinforce PbD messaging and to get progress updates from the various teams, but it became redundant for me to sit in on daily scrums. Del Gesso recommends "facilitating focused discussions with product managers, technical program managers, or whoever the critical stakeholders are to learn what will be the least disruptive to the business and gain buy-in."

And make sure to identify your counterparts in other compliance groups who are likely attending the same meetings you should be. "Leverage your partner team like privacy/product counsel, security and compliance. They are knowledgeable and often have similar goals," Dropbox's Pipes said.

Leverage existing company tools and resources to automate PbD

To truly "integrate privacy" into a company's day-to-day operations, it’s crucial to use the same language, tools and processes used by your internal customers (e.g., Product, Engineering, and Marketing teams). This is especially important in tech, where the SDLC is an efficient machine. Dropbox is no exception, Pipes said.

"When working with other teams, we use the tools that those teams already leverage, from our product launch catalog to workflow management tools," she said. Similarly, at Tinder, I was introduced to a well-known ticket management and document collaboration tool, which I learned to master in a few weeks and that I leveraged to facilitate (and eventually automate) the PbD review process within engineering teams. I also worked with a security engineer to set up a process that automated notifications to the privacy team inbox every time a new S3 bucket had been created and that also notified the "bucket owner" that a privacy review was required (i.e., if the resource stored personal information. 

In addition, I showed one of my clients how to implement a useful app integration in Slack, his company's messaging platform (and the only way his engineering team communicated), which provided him the ability to trigger his chosen privacy vendor's privacy impact assessment process through a simple chat command. Mastering and integrating with existing company resources and tools familiar to the teams with whom you work is essential.

Learn as much as you can about the product

In addition to learning how to best collaborate with your teams, it's important to demonstrate that you understand the product beyond a compliance perspective. "Our Privacy team puts a lot of effort into learning what we can about the product, feature or other change at hand before meeting with our business partners," said Pipes, adding that this includes studying documentation and any prior assessments. "We find an immediate return on the time invested since we become both better partners and better educated overall."

For me, at Tinder, this was also true. I found that coming to meetings with a thorough understanding of the feature being deployed, vendor being considered or technology being developed demonstrated to stakeholders that I was invested in the product as a whole and not just conducting an exercise in compliance. "Coming to the meeting already educated reduces the burden on your business partners and increases your odds of a fruitful partnership," Pipes added.

Assess against the appropriate framework

In addition to identifying the venues through which PbD reviews can be most efficiently triggered, what's equally as important is establishing an appropriate framework against which you'll assess these new features, products and processes. And the right framework really depends on the specifics of your organization.

"The key again is finding the right-sized fit for your company, given the type of data collection and processing, regions of operation, size of privacy team and other potential security-related frameworks in place," Del Gesso said. "If you already have a robust security program based on NIST's Cybersecurity Framework, the NIST Privacy Framework might be the best option for you. For smaller startups or companies just beginning their privacy journey, bolting on to an existing framework, like the ISACA Privacy Principles (based on Cobit 5), could be the most lightweight and seamless option. For companies with enough resources and nuanced needs, creating your own framework might be the perfect solution."

There are indeed multiple approaches. I've had clients ask for PbD assessment questionnaires based on the requirements outlined in specific legislation, whereas other clients have asked for custom frameworks based on a combination of regulator guidance and industry best practices. Pipes said Dropbox takes a "practical and Dropbox-specific approach to PbD controls ... and factor a number of framework types into our overall strategy." She adds that her framework considers a variety of standards, such as ISO 27001, ISO 27018 and the CSA GDPR Cloud Code of Conduct. "We’ve found that a tailored multi-framework approach is more immediately impactful to our PbD program and drives meaningful conversations."

Ensuring the PbD framework complies with applicable regulations and various legal commitments (e.g., terms of service, privacy policy, vendor contract template) is something we all agree on. "The key is to know your business and ensure the right privacy regulations are accounted for within the framework you choose," Del Gesso said.

Leverage existing resources

While privacy is top of mind for most companies, we're still a cost center at the end of the day, often resulting in limited budgets and finite resources. To get around this, designate existing resources as extensions of the privacy function.

"Where there is a resource shortage, privacy champions should be identified across the company to act as force multipliers of the privacy messaging with their functional areas," said Del Gesso, who noticed this works "particularly well on engineering and product teams where having the message come from within the team can be extremely powerful." 

Establishing formal titles, like "Privacy Champion" or "Advocate" or "Liaison," is an effective way to garner interest among employees to volunteer for the added responsibilities, like ensuring that a PIA is initiated when their teams are making a change to an existing processing activity.

Partnering with information security and similar functions can also facilitate additional privacy coverage. To ensure PbD is built into its products, Pipes partners closely with Dropbox's product and privacy counsel, risk and compliance, security teams and the data protection officer. 

Constantly remind and continuously educate 

The need for PbD is perpetual. Companies continually innovate and improve their products, which often results in new or changes to existing personal information processing activities. So persistent, consistent and creative messaging is key to ensuring privacy is kept top of mind, which can be achieved through regular privacy-themed communications and events.

At Tinder, I instituted recurring invites entitled "Clean Your Desk Day," where I blocked everyone's calendar for an hour of mandated workspace and file cleansing (in compliance with the company's data retention and disposal policies, of course). Additionally, distributing "swag" was a huge part of the culture, so I set aside a budget for privacy-themed T-shirts and other giveaways for teams that proactively triggered their first PIA. Similarly, earlier this year at Dropbox, Pipes' team held a Data Privacy Day celebration that included privacy leaders from both inside and outside the company, which she says are generally well attended. 

Employee training is also key to reinforcing PbD principles and educating staff on their PbD obligations. "New-hire and annual training is helpful to keep privacy top of mind for employees and to know the company is taking it seriously," added Facebook's Del Gesso. "It’s constant training and buy-in. I don’t think you’re ever done with the education process."

Demonstrate PbD's value, and improve your methodology

Illustrating the value of our work has never been easy, and metrics related to privacy often focus on data breach response outcomes and data subject access request targets. But there are ways in which we can specifically demonstrate how PbD brings value to organizations.

Del Gesso recommends "focusing on reviewing project resourcing and duration with a before-and-after perspective of similar projects," like comparing a project "conducted prior to PbD where rework was required later in the process because of a lack of privacy review, to a similar project where PbD was incorporated into the life cycle." 

Here's a real-life client example: Measuring the number of customer inquiries/complaints post-implementation of a feature utilizing a just-in-time privacy notice and requisite in-app FAQ versus the number of inquiries/complaints received after a similar feature was simply rolled out without notice. In my experience, the just-in-time privacy notice resulted in a drastic reduction in inquiries regarding the feature.

And so

While incorporating PbD controls across an entire organization can seem daunting, there are several critical steps you can take to start establishing your PbD program.

  • Engage your leadership to bring the message early.
  • Leverage existing tools and processes to operationalize PbD controls with ease and efficiency. "Lean on what's already in place," Pipes suggests. "Keep it simple and practical." Del Gesso agrees.
  • Constantly remind employees about their PbD and broader privacy obligations, and be creative in how you continue to engage them. 

"The key to instilling Privacy program concepts at an organization is to communicate, educate, and then do it all over again," Del Gesso said. "The job is never really done."

Editor's Note: These opinions belong to the author and those he interviewed and not the companies they represent. 

Photo by Dayne Topkin on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Tags
Privacy Operations Management
9 Comments

If you want to comment on this post, you need to login.

  • comment Julie Ford • May 27, 2020 
    This is an excellent, practical, summary. Thank you for sharing!
  • comment Ron De Jesus • May 28, 2020 
    Thanks, Julie! Glad you enjoyed.  The goal was to keep the tips as practical and achievable as possible.
  • comment Carlton Alouidor • Jun 2, 2020 
    A quick guide or a refresher for some that is concise and practical. Thanks for sharing Ron.
  • comment Petra Smith • Jun 5, 2020 
    Thanks, confirms our approach and provides some additional tips.
  • comment Peter Bodunrin • Jun 12, 2020 
    Excellent article. I would like to see the intersection of Privacy by Design and Security by Design being implemented by all. I think you need both in today's world.
  • comment Patrick James • Jun 16, 2020 
    Thank you for sharing very helpful PbD insight!
  • comment Abeer Qannitah • Jun 17, 2020 
    Excellent write. I second Peter Bodunrin, I would love to see the intersection of Privacy by Design and Security by Design. 

Many Thanks!
  • comment Ron De Jesus • Jul 6, 2020 
    @Peter and Abeer - the same principles and methodology can be applied to SbD, i.e., where the CISO would be engaging the executive team, integrating security specific controls/gates in existing SDLC processes, etc. Ideally the CISO and CPO would work together on operationalizing both PbD and SbD where it makes sense (i.e., the intersection of the Privacy and Security Venn diagram - essentially, any infosec controls and processes that protect personal data specifically).
  • comment Tom Pendergast • Sep 16, 2020 
    This goes on my short list of best things to read about PbD. I love how practical your advice is, and how well supported with actual examples. Really great business writing.
Related Stories
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
ANPD unveils efforts to streamline DSAR process
Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, and the Ministry of Management and Innovation in Public Services Management and Innovation Secretariat presented a process for streamlining data subject access requests. The improvements include simplifying complaint f...
Read More queue Save This
Related Stories
Tags
Privacy Operations Management
Recent Comments