
February 16, 2023

How to future-proof your privacy program, part 4: Implementing privacy by design


In this series, we’re talking about how to future-proof your privacy program. On a recent IAPP webinar, TerraTrue COO Chris Handman, TerraTrue Director of Content Strategy Angelique Carson, and Uber CPO Ruby Zefo discussed how to do just that. Prefer consuming your how-to news on video? No problem. Catch the full conversation here.

For context, here are parts one, two, and three.

Privacy by design is a phrase that gets thrown around frequently. But for all its mentions, does anyone really know what that means? As we start to see U.S. state laws including provisions mandating privacy by design at an operational level, understanding the concept is crucial for companies, attorneys, and anyone else involved in privacy and compliance.

Privacy by design has been around since the 1990s, but in 2009 Ontario Information and Privacy Commissioner Ann Cavoukian published her foundational work, “Privacy by design: The 7 foundational principles.” Her basic premise was, and is, that privacy can’t “be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”

Back in the day, Cavoukian defined PbD by seven principles. She said it must be preventative, default, embedded, uncompromising, end-to-end, transparent, and user-friendly.

Those are all important goals, but they’re also very abstract, expressing goals rather than processes.

Build around principles

To implement privacy by design, Handman suggests approaching your first thoughts and actions by using a principles-based approach.

“You develop an idea around the common core principles, especially as they relate to whatever field or industry your business is in,” he said. “With few exceptions, there are very few categorical rules when it comes to privacy. There's a lot of indeterminacy and gray when it comes to privacy. There's a lot of room for risk calibration, a lot of room for mediation between you and your product teams or your business teams about how you want to think about that.”

That’s why identifying your framework or frameworks is key. You and your company need to think about how to start rethinking about data, “whether it’s on a jurisdictional basis or in terms of overall practices of the way you store or collect that data. Think about the warnings you want to give or the consent you need to obtain. These are the broad brush issues.”

In the end, maybe you decide your framework is GDPR, because that’s most important to you. Maybe it’s CCPA. Maybe it’s NIST. Decide which one is going to keep you most agile so you don’t have to reinvent the wheel if the landscape shifts.

“That’s where I think in-house counsel and in-house privacy teams, in particular, earned their stripes, is that ability to see around corners; to anticipate where the laws are going to be going so that you can begin to tweak those frameworks if they need to be tweaked,” Handman said. “While the details do matter, I think the more important thing is to not lose sight of the first principles around privacy and to tether yourself to those principles.”

Ruby Zefo, Uber’s CPO, said she also uses a principles-based approach to future-proof her program.

“Privacy principles are important because when you have a super evolutionary environment, you can't necessarily have everybody quickly understand all the laws everywhere,” she said. “(Using principles) is helpful for (your product teams) to approach it in the right way – before they even start designing. If you just follow these principles, you're about 80% of the way there. You're already looking at things from a customer perspective and a privacy-protective perspective. So that's a start.”

Principles then enable you to build your PbD program

After you’ve identified your principles and established your framework, you can start moving on your privacy-by-design program. But there’s not one way to do that. It’s going to depend on your business’s needs and the framework you’ve all agreed to work within.

Zefo said as you grow, there’s going to be more and more data flowing into your organization’s funnel. And getting a grasp on that will require tooling that can automate some of your processes.

“It's going to start out manually, then you're going to figure out maybe a commercial tool,” she said. “It’s necessary because the laws are requiring it. Even more importantly, it makes people feel safer. You need both of those things for a good user experience.”

The good news is that because laws increasingly mandate PbD, it may be an easier sell to the business.

“People understand that what might have been a nice theoretical best practice is becoming increasingly a pragmatic necessity in this day and age,” Handman said. “And now, there’s better tooling that can help empower this.”

One of privacy by design’s greatest hurdles has been an organizational disconnect between the way the business operates and the way privacy teams have operated. Historically, privacy has been thought of as a reactive compliance function. But now, headlines and legislative changes have yielded a greater appetite for shifting privacy deeper into the product-development lifecycle and embedding privacy into the very germ of a product team’s good idea.

“That is how you can get privacy by design to become more of a reality,” Handman said.

That’s easy to say, but how do you do it?

Handman said it comes down to integrating with the business at its operating center. You’ve got to find a place where you can all meet and, there, create a single source of truth for what’s happening. That might mean privacy teams pull up JIRA tickets in Slack. But there has to be a single place where you can recapture, at any time, the work you’re doing.

When Handman was at Snap (starting in 2014, so before GDPR), there really weren’t the software solutions available today.

“We were on Google spreadsheets, and we had a great system,” he said. “But it was a little duplicative. The teams would create geo tickets and then manually fill in for every sprint all 20 or 30 different features that were going out the door. We had a review list for everyone from privacy to product to engineering to security to check off, and we’d have to say, ‘Yeah, this has been approved,’ always linking back to different word documents where the analysis was done.”

Handman’s team covered more than 5,000 privacy reviews. It was a wildly manual and repetitive process. And yes, they did it.

“But it got to a point where we were in a stand-up meeting and no one could open the spreadsheet because it had 100 tabs,” he said. “We quickly discovered we’d reached scale.”

With today’s technology, it’s possible to do privacy by design at scale, leveraging the good work your teams are doing in repeatable, automated processes that put privacy at the start of product builds instead of tacking it on at the end.

For more on this, see Ruby Zefo, Angelique Carson, and Chris Handman's full chat here.