The concept of privacy by design was first introduced by the Canadian Privacy Commissioner Ann Cavoukian as early as the 1990s. Since then, the importance of privacy by design in business has only increased.
Lately, companies of all sizes are in the news because of data privacy violations. As a result, these brands often suffer reputation damage, even if the news got it wrong.
Assuming most companies are not intentionally doing things wrong, what is happening?
The Data Privacy Landscape is Changing
A combination of governmental, media, and academic pressure is changing the way privacy is monitored by the community at large.
There are now experts that are proactively looking for violations and using the mainstream media to get their message out quickly in a way to evoke change. It is no longer the average consumer you must consider in your risk calculation.
So what is needed to achieve privacy by design? TrustArc has been helping companies to do it since 1997.
7 Principles to Incorporate Privacy by Design into Your Product Design Process
1. Proactive Approach
Consider privacy at the design stage by examining how much information you are collecting and assessing whether you are collecting more information than what’s necessary to achieve your business goals.
Incorporating data privacy at the design stage will reap benefits down the road in terms of earning the trust of your consumers, and potentially keeping your company from incurring the unexpected costs associated with not taking privacy into account.
Ringleader was a company with a promising future but didn’t take data privacy into account at the design stage. They were forced to shut down because they didn’t incorporate privacy into their, otherwise very promising, MediaStamp advertising tech.
2. Transparency
Be clear with consumers about your practices. Explain your information and collection processes in an easy to understand notice.
Most companies typically do this through a privacy policy explaining what information you collect, how it is used, and to what third parties information is disclosed.
The privacy policy should be easy to find. Make it accessible where information is requested such as on an order form. And it should be formatted so it’s easy to read on any device.
For example, if the consumer is accessing your policy through a mobile app, the policy should be optimized for viewing through a mobile device.
3. Control
Provide consumers mechanisms to express their preferences about how their information is used, and how to access that information to correct, updated, and/or delete it.
Examples of some of the types of controls you can provide to consumers:
- If you collect behavioral data to provide targeted advertising, you should give consumers an easy and effective way to express their preference to recieve targeted ads.
- If you collect personally-identifiable information, your company should provide a way a user to correct his/her profile or remove it.
- If you distribute software, consumers should have consented to install the software and then uninstall it completely from their systems.
4. Accountability
There are two types of accountability. Accountability to your consumers, as well as accountability within your organization.
Posting a privacy policy outlining your privacy practices and giving consumers a mechanism to voice privacy-related concerns are a couple of ways your company can hold itself accountable to consumers.
Put in place mechanisms that verifies whether your company is complying with its data controls and policies.
Another layer if accountability is having an independent third party review and verify that your actual data privacy practices are consistent and comply with stated practices.
A third party seal is a good outward indicator that communicates your company’s commitment to privacy and that your company is willing to hold itself accountable to its privacy promises.
5. Data Management
Make sure you have the processes in place to not only mange the data you collect but also to comply with your stated privacy promises.
Consider:
- Employee training: such as customer service representatives, who access collected information in order to perform their job function
- Data Retention Policies: how long you need to retain the information you collect.
- Processes should be in place to periodically purge out-of-date or inactive customer records
- Security Measures: what measures are in place to protect collected information.
- Consider things such as how you will protect systems from vulnerabilities, whether information needs to be stored in an encrypted format, and who requires access based upon job function.
Processes should be appropriate for size of your business and the level of sensitivity of the information you collect and store on your systems.
If you collect and store sensitive information like credit card numbers, you will need to take more stringent measures to protect that information than a company that collects only email addresses.
6. Partner and Vendor Risk Management
Know who you work with. Have a vendor risk management process for reviewing potential partners and vendors your company uses to provide services such as hosting, payment processing, email management, and advertising.
These companies should have policies in place that are similar to yours to ensure the information you entrust to them is processed in a responsible manner.
Ultimately your company is responsible for the information it collects, and this includes third parties that are processing information on your company’s behalf.
Develop criteria and have processes in place to review potential partners and vendors looking at how they process and protect the information that will be provided to these companies.
7. Respect for Users
Your consumers are the reason why you have a business.
They trust you will process their information for the purposes you stated in your privacy policy and do that in a responsible manner. Trust is built over time but can be lost in an instant.
Your consumers might forgive you for one mistake but won’t be so forgiving them next time around.
One way to make sure you retain that trust is that you start to earn it from the outset – when you are designing your product or service.
Privacy by Design is a Bigger Challenge than it Appears
Largely this is because your company should think about it and invest into it in advance, before it finds itself in a Wall Street Journal article or in under investigation by a government regulator.
Companies should, at minimum, create a privacy policy that accurately describes privacy practices, effective consumer control mechanisms to allow consumers exercise their preferences about their data, and processes to manage and protect the information collected.
Furthermore, you should work only with trusted partners who do all the above.
