Instruction on how to set up privacy design.

March 7, 2023

How to (actually) do privacy by design: Part 2


Tactical steps to operationalize your privacy posture

Privacy by design is a phrase that gets thrown around frequently. But for all its mentions, does anyone really know what that means? As we start to see U.S. state laws including provisions mandating privacy by design at an operational level, understanding the slippery concept is crucial for companies, attorneys, and anyone else involved in privacy and compliance.

In this series on how to actually do privacy by design, Chris Handman, TerraTrue COO, Anthony Prestia, head of privacy at TerraTrue, and Jason Cronk, president of the Institute of Operational Privacy by Design, drop some knowledge on how they implemented privacy in the wild, under pressure, and what you – the privacy professional – should be thinking about in your own approach and build.

In part 1 of our series, we discussed what PbD looks like, and why businesses struggle to implement it. In this blog post, learn how to actually implement privacy by design at an operational level.

Find stakeholders and make them champions

Privacy by design implementation will depend on your ability to win the hearts and minds of privacy champions, and well as to identify the stakeholders you’ll need to win over as well.

“You're usually going to want some sort of executive champion that can help drive this and make the business understand how important privacy is and why it's important to your company,” said TerraTrue Head of Privacy Anthony Prestia.

In addition to finding an ally in the C-suite, Prestia recommends recruiting champions in product, marketing, and sales.

“They're going to be the key piece to just driving adoption of your program,” he said. “You can have the best frameworks and understanding of privacy in the world, but if you have no one to help drive adoption, your program is not going to go anywhere.”

Finding allies in security is also helpful because they share so many priorities with the privacy team. Using regular check-ins, the privacy and security teams can minimize the impact on your business by information-sharing and working together.

How to sell privacy to stakeholders

Businesses are more likely to make privacy by design a priority if they understand how it can help drive profit. The good news is there are examples of that in the wild already.

“We’re seeing privacy as a competitive advantage,” Prestia said. “And not just in consumer brands advertising it; it's also in the B2B space. If you're providing a service and you don't have good privacy and security practices, you’re likely to lose deals because nobody wants to take on that third party risk.

Selling privacy to execs

When selling privacy to execs, TerraTrue COO Chris Handman recommends building your case on pragmatism: Focus on a cost-benefit analysis.

“Executives are going to be exercising pragmatism about everything they do. Demonstrate that this isn’t some sort of bureaucratic-box checking exercise, but is something that actually is going to make the product better.

Show that it's not going to feel like a drag on business, but is actually going to be a native extension of the way products get developed in a way that's friendly, and works nicely with the tooling you're doing.

Product and sales

Prestia told us that product and sales executives are going to be receptive to different privacy by design pitches.

“Product folks are going to want to understand how privacy impacts the end user experience or how it may negatively affect their ability to shift on time. Sales folks want to know, does this create a competitive advantage? Is it going to be harder to reach out to folks in our CRM tool? those sorts of things. Let them know how it impacts them and why and what the advantages are.”

Learn how the business develops products and services

“Privacy by design only works if you're actually embedded in the design process. And you can't do that if you don't understand how your business designs products and services,” says Prestia.

Part of your due diligence in building your PbD program is understanding the steps the business takes from a product’s ideation to its launch. Who are the main stakeholders in each phase? Are there any kind of gatekeepers that determine what's built or shipped? And what are the critical tools you’re using to track this work? Answer those questions before you develop your program to be sure you’re building a program that maps to your business’s process.

Align with leadership

To get where you need to go with your privacy program, you’ve got to establish some common ground with leadership on your company’s values and risk tolerance. Privacy teams should identify areas where the laws aren’t clear and discuss which risks the company is willing to take. And you should also come to agreement on, or perhaps establish in the first place, your company’s privacy philosophy, and take into consideration industry norms.

Ask the business, “Are there certain types of data activities we're just unwilling to do?” You might have conversations about data uses that might be legal, but aren’t the right thing for your business or its customers.

Prestia also recommends you research what the competitors in your space are doing.

“Say, ‘Hey, where do we want to line up along with them?’ Understand these principles, write them down, and communicate them to the relevant teams,” he said.

Analyze how you already represent your privacy practices

Even if you’re just getting started, by law, your organization is already representing its privacy practices to the public. Looking at your external messaging can help you gauge where your privacy program is at now and determine what to focus on, Prestia said.

“Look at your privacy notices. Look at marketing materials, and talk about how things your business builds actually work,” Prestia said. “Because that's going to help you identify what work has been done in the past and areas where you maybe have some unexpected liability. Once you've done that, you really get into the nuts and bolts of building the program.”

Plug-in to the business

Once you’ve done your due diligence on the product deployment lifecycle and understand how it works from start to finish, you’ve got to figure out how to integrate yourself into that process.

You should establish:

  • Where you’re going to fit in.
  • The choke points you can foresee already.
  • The allies you need on your side for assessments.

Once you’ve done that, Prestia said, you should create easy paths for cross-functional feedback and collaboration.

Roll it out slowly

When you’re envisioning and blueprinting your PbD program, it’s best to start small. Keep the on the end goal: improving privacy in your products without slowing down deployment.

It wouldn’t make sense to launch your first attempt at a PbD process companywide and all at once. It’s generally a good idea to do a test run of program’s protocols for it to work, and then slowly roll it out to the broader business.

Prestige said to strategically choose teams that, once aligned on PbD, can provide you with the most value in the end.

“Maybe even identify a single team to test out your process and then grow it over time,” he said/ Choosing a team doing the riskiest work from a regulatory perspective – one that’s working on product lines collecting and storing location or health data, for example – might be the right test group.

In part 3, we’ll explain how to set goalposts, discuss the future of privacy, and share some big picture takeaways.