Instruction on how to set up privacy design.

March 7, 2023

How to (actually) do privacy by design: Part 3


On why PbD is the future

Privacy by design is a phrase that gets thrown around frequently. But for all its mentions, does anyone really know what that means? As we start to see U.S. state laws including provisions mandating privacy by design at an operational level, understanding the slippery concept is crucial for companies, attorneys, and anyone else involved in privacy and compliance.

In this series on how to actually do privacy by design, Chris Handman, TerraTrue COO, Anthony Prestia, head of privacy at TerraTrue, and Jason Cronk, president of the Institute of Operational Privacy by Design, drop some knowledge on how they implemented privacy in the wild, under pressure, and what you – the privacy professional – should be thinking about in your own approach and build.

In part two of our three-part series, we discussed how to get started with your privacy implementation. In this final installment, let’s talk about key takeaways, tips for privacy goal setting, and why PbD is the future of data privacy.

‘It’s not a race’

We all know that working in data privacy can feel like you’re drinking from the fire hose most of the time. And while it’s true that there are always more regulations to consider, enforcement actions (against “those guys,” not you, of course) to read, and ROPAs to complete, PbD is a marathon and not a sprint.

“Realize it's not a race,” said TerraTrue Head of Privacy Anthony Prestia. “You can start with a single team and iterate on your process. Focus on those parts of your business that are the highest risk or the most critical to your bottom line.”

Jason Cronk, president of the Institute of Operational Privacy by Design, stressed the importance of carefully choosing your early privacy goals. If you focus on the right areas, you can accumulate early successes, and that allows you to demonstrate the value of privacy by design to your organization.

“Choose an easy path rather than a hard path, because if you go the hard route first, you may fail, and that's going to be more challenging to get privacy by design to the rest of the organization,” he said. Find the product or service that is most receptive (to you). If you can succeed there, you can leverage that success and showcase that success to the rest of the organization.”

Set these long and short-term goals

Prestia said that your first goal should be to gain buy-in from your organization through the discovery process. By interviewing and getting to know the key stakeholders, you can identify champions “in a matter of weeks.”

Over the next quarter, you should should focus on identifying “what a privacy by design process looks like for us,” Prestia advised. To do this, look at the plans and product specs your teams are drafting, and find ways to extract the information you need about those designs.

You should have, by now, already had a talk with your executive team to establish your risk tolerance posture and agree on your data privacy priorities. Do the data practices there align with those lines in the sand?

Then choose a team to start working with on your PbD program, and focus on just that team in the beginning.

“If you can hammer at that with one team in a quarter, you're doing great,” Prestia said. And then six and nine months from now, start expanding it to broader and broader teams.

Once you’ve got a few quarters of privacy by design under your belt, you can use that experience to assess the effectiveness of your privacy program so far, by asking the right questions.

Prestia recommends reflecting on:

  • What's working here?
  • What's not working here?
  • What metrics do we have?
  • Are people liking this process or do they hate it?
  • Is it actually slowing down our ability to ship or not?

Why privacy by design is the future of data privacy

Chris Handman, TerraTrue’s co-founder and COO, said the writing is on the wall: The regulatory landscape is likely to continue driving companies to adopt privacy by design. New laws and regulations increasingly mandate PbD, and trend will continue. Handman predicts the next generation of privacy laws handed down to be as impact on privacy as Sarbanes-Oxley was on the financial industry’s recording keeping and reporting.

“I think there's an analogy to the way SOX compliance fundamentally upended the way companies had to deal financially,” he said. “You couldn’t wait until the end of the quarter and try to gather all this information anymore. You had to have a process throughout the business that would capture the information as you went.”

However, compliance isn’t the only force driving privacy by design. As Handman points out, the commercial advantages of better consumer privacy are already spurring adoption from the inside.

“I think competitive pressures are going to force companies — as we see already in the marketplace — to adopt some measure of trying to understand, before products go out the door and start ingesting data: What are the risks, what are the contours of what we're trying to do, and how can we capture that honestly?’ At the end of the day, put aside fancy labels like privacy design. What you're really just trying to do is be proactive about understanding what your business is doing before you start ingesting that data.”