Since the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, the term “Privacy by Design” (often shortened to PbD) has become more familiar outside of the privacy professional community. One reason for this is the GDPR requires the implementation of a related concept—Data Protection by Design—and has potentially very costly fines for any violations. Yet, as Tomas Sander, data protection officer at Intertrust, pointed out at the IAPP Privacy. Security. Risk. 2019 (PSR) event, there is no commonly agreed upon PbD methodology and it’s unclear what is needed to comply with the GDPR PbD requirements.
Sander and his colleague Justine Young Gottshall, a partner at InfoLawGroup, were at PSR to give a joint presentation entitled “Privacy by Design in the Real World: Practical Approaches and Lessons Learned.” The talk was an overview of what they believe to be a practical approach to PbD. Even though the presentation was near the end of the day, the room at this privacy professional oriented event was standing room only indicating the interest in this subject.
PbD is about building in the concept of privacy from the very beginning of system and software development within organizations. But while system development is a technical endeavor, privacy is also about compliance with legal requirements. This means that legal and engineering teams need to work together. Also, organizations of different sizes and types will require different approaches. As an example, Gottshall emphasized that one of the elements often missed in PbD is culture.
On the technical side, Sander said that PbD helps development teams avoid issues that can be more difficult and costly to fix later in the development process. Examples include: collecting too much personal data, storing data in a way that makes it hard to delete, and not considering consent management requirements. He also said there are relevant standards and frameworks in development that teams will find helpful, e.g. ISO/PC 31700 from the International Organization for Standards and the U.S. National Institute of Standards and Technology (NIST) Privacy Framework.
Implementation by steps
At the core of Gottshall’s and Sander’s approach to PbD are a series of steps and analyses that organizations can follow for implementation. The first step is, of course, knowing your company’s data. “This is something you have to do for both the GDPR and the CCPA (California Consumer Privacy Act),” (Gottshall). Key stakeholders in the project need to be identified—but as Gottshall said, these may be different for different projects within the same organization. Core privacy principles of the organization and data protection goals should be identified as well. “You need to understand the privacy goals you are designing for,” (Sander). Also, while it is vitally important to conduct a privacy risk assessment, Sander cautioned that there is little agreement on what exactly constitutes the privacy harms you’re trying to prevent.
To actually implement these steps, Gottshall and Sander emphasized that they have to be integrated with a company’s software engineering process, which will vary depending on the organization in question. During the integration process, it’s also important to make sure that verification steps are completed to ensure that all of the privacy requirements have been properly met. This leads to both opportunities and challenges, sometimes closely interconnected. For example, Sander said that while one of the challenges for the success of PbD lies in identifying a privacy champion in the engineering team, the integration process provides the opportunity to find that person. Also on the challenge side, modern agile software development techniques often bring about constant change with the added potential for the introduction of new privacy risks. Having a privacy champion in the engineering team can help in identifying these as they pop up.
To sum things up, Gottshall and Sander agreed that PbD is achievable by companies of all sizes and there is a return on investment in setting up a PbD program. That being said, the downside of not doing PbD needs to be emphasized as well. Gottshall compared it to a reverse lottery saying, “If you lose, you lose big.”
Justine Young Gottshall, Partner, InfoLawGroup (left) and Tomas Sander, Data Protection Officer, Intertrust (right)
