Institutionalizing Privacy by Design

Institutionalizing Privacy by Design

While many boardrooms and information stakeholders are understandably focused on trying to prevent – or, sadly, clean up after – a data breach, while also meeting the compliance requirements of the impending the EU’s General Data Protection Regulation (GDPR), I think they may be missing a broader and deeper strategy that could help them accomplish both goals and lower other risks as well.

Created a couple of decades ago, Privacy by Design is a set of best practices to help application developers keep private customer and employee information secure. While the focus at the time was limited to how engineers protected data, consider how the following approaches could help organizations create a “culture of privacy” where protecting sensitive and personal information is explicit or implicit in everything we do:

  • Be proactive, not reactive, in order to anticipate and identify the root causes of privacy issues and remediate them at the source.
  • Make privacy the default setting, so users don’t have to do anything to increase their privacy. If appropriate, they can decrease their level of protection, but the default setting is maximum privacy.
  • Embed privacy into all IT systems and business practices.
  • Balance conflicting needs without sacrificing privacy – create a positive-sum, not a zero-sum dynamic.
  • Consider privacy issues at every step throughout the entire application lifecycle.
  • Ensure visibility and transparency for both providers and users regarding how data is managed and shared.
  • Always put the interest of those who need their privacy protected first.

What if we tweaked these best practices – some don’t need to be tweaked at all – and incorporated them into our corporate mission statements, training programs, and the day-to-day activities of every department? 

You might also enjoy: