People having better ideas around privacy

November 1, 2021

How privacy-by-design can help — even when you can’t comply perfectly


No one is happy with the state of data privacy compliance — not regulators, not politicians, not consumers, and certainly not businesses. The recent fall of Privacy Shield has businesses on both sides of the Atlantic struggling to understand their compliance risks and obligations, with no sign of a data deal in sight.

And that’s just the tip of the iceberg.

As regulators around the world continue to tighten privacy and security requirements, things are only going to get tougher for businesses, with more regulations, jurisdictional boundaries and legal uncertainties to deal with.

In this environment, a patchwork approach to compliance simply isn’t practical. The only way to reduce your risk is to build robust security and privacy into your product and business practices.

Privacy by design is a set of principles to help you do that. By emphasizing data protection, transparency and consumer rights without sacrificing usability, it helps businesses minimize risk — even when they can’t be fully compliant.

Privacy-by-design basics

The privacy by design framework was created in the nineties by Ontario Information and Privacy Commissioner Ann Cavoukian. The basic idea is simple: businesses need to build privacy and security into the way they operate, rather than waiting for regulations to tell them what to do.

By building secure IT systems, business practices, and networks, you can reduce the risks of breaches, and get closer to data privacy compliance, even when the final rules haven’t been hammered out.

How does privacy-by-design help compliance?

Regulators want to see that your business keeps sensitive data safe, and protects the privacy of your customers, patients, and business partners.

Compliance regimes like GDPR usually leave most of the implementation up to you; if you can show your company is secure, transparent, and quick to respond to threats, you’re less likely to be the target of a serious enforcement action or other legal challenge — and regulators are less likely to penalize you harshly if you are.

Building in the Spirit of the Law

Privacy by design principles can guide you to build your system around the same basic security and privacy goals regulators want you to meet, even if you’re not fully compliant. To do this, your privacy practices need to be:

  1. Preventative: Anticipating and preventing threats to privacy before they can happen.
  2. Default: Users don’t need to crawl through menus to protect their data; their privacy is protected by default.
  3. Embedded: Privacy is built into the system from day one, not added to it as an afterthought. 
  4. Uncompromising: Users shouldn’t have to choose between functionality and safety, or between security and privacy. 
  5. End-to-end: You should protect the privacy of sensitive data at every step of its journey, not just in storage or at the endpoint.
  6. Transparent: Be clear about what rights your users have, and what you’re doing to protect those rights. Use third-party verification whenever possible. Don’t just make promises; prove that you’ve kept those promises. 
  7. User-friendly: Your goal is to serve your users. Give them the information to understand their rights and your data practices, backed up by tools that empower them. 

While privacy by design might not cover everything a particular regulation requires, its principles can be a strong foundation for compliance.

Privacy by design mitigates regulatory risk

Everything you do in business poses a certain amount of compliance risk. Hacks, data breaches, consumer complaints, shifting regulations and priorities, and plain bad luck can put anyone on the receiving end of a compliance action.

Privacy by design protects you by demonstrating your company’s commitment to protecting consumer privacy. Should you ever come face to face with a regulatory issue, you’ll be able to prove that you put real thought into how you handled consumer data. That greatly decreases your risk of a costly compliance action, even if something does go wrong.

How does TerraTrue empower privacy-by-design?

For privacy by design to work, it needs to be part of your development lifecycle. That’s easier said than done. When your developers are rushing a new feature to market, they aren’t focusing on spotting potential compliance conflicts — they probably don’t even know what to look for. And your legal team is probably somewhat disconnected from the product workflow.

That disconnect between product and legal puts you at risk. Data compliance regimes like GDPR place strict limits on what data you can gather, how you can use it, and what rights your customers have — along with big penalties if you violate those limits.

Bridging the gap between legal and product teams

TerraTrue integrates flawlessly into your development process, letting your team know what needs to be reviewed as you plan and build. It analyzes the types of data you’re collecting, how you’re using and sharing them, and what jurisdictions and laws they fall under. And when you add a new feature or data practice to your product that might pose a risk, it lets you know.

It also guides you through review processes and assessments, enabling you to do your due diligence without costly delays. This empowers you to incorporate good privacy and compliance practices into your product while you’re building it, so you can fix data issues early — before they become liabilities.

Monitoring data practices

TerraTrue also provides a complete view of data flow throughout your organization through Privacy Central. It shows what you’re storing, who has access to it, and how much risk it poses. This helps you spot and mitigate risks and vulnerabilities before they become disasters. It also enables you to respond quickly to breaches, regulatory requests and audits, so you can truly prepare for the worst while planning for the best.

Contact us to request a demo, and see firsthand how TerraTrue reduces regulatory risk — even when you can’t be 100% compliant.