What we do
PRIVACY BY DESIGN
Build privacy into your business now instead of trying to bolt it on later.
Privacy is a competitive advantage. Build it into your business by design.
Two good reasons to embed privacy into your products and business processes now:
- Customer loyalty & trust: your customers want evidence that you are respecting their privacy.
- Compliance isn’t getting easier: tougher data protection laws are becoming the norm around the world.
See privacy as an opportunity, not an obstacle.
Privacy is a competitive advantage
Every day seems to bring news of more and stricter privacy laws. And it’s not just a UK and EU issue with the GDPR. One after another, countries across the world are enacting more restrictions on what organisations can do with personal data.
Lawmakers aren’t leading the way on privacy – they’re simply reacting to increased pressure from voters.
When customer expectations around quality, user experience, and trust are all increasingly about privacy, it’s an opportunity for businesses to take the lead.
Whether your products are for consumers or businesses, privacy sells.
Privacy by design embeds privacy into your product or service from day 1. That means less time wasted trying to tack it on later, streamlining your route to market.
Does your business need general data privacy compliance advice?
Privacy by Design: Products
The objective is straightforward: develop profitable products as quickly and efficiently as possible.
Privacy and security aren’t options to be added on later. They must be baked right into your product’s design from the outset, whether you’re selling B2B or B2C.
No product – not even an MVP (minimum viable product) – is viable without them.
Privacy by design streamlines your route to market. No more building a prototype just to spin your wheels trying to tack privacy and security features on later.
Our Product Counsel service can help you get to market faster with:
- PbD for product vendors and outsourced developers (B2B and B2C)
- Plain English contracts and negotiation support
- Employee privacy awareness and training
Privacy by Design: Processes
Your internal processes are also subject to data privacy and data protection laws, including a growing number with explicit Privacy by Design requirements.
Putting aside the legal requirements, customer and employee awareness of privacy issues is only growing. They expect you to treat their personal data with care and respect.
Applying privacy by design to your business processes is employee- and customer-centric. It improves transparency and shows them respect.
The results leave everyone happier: fewer complaints, less chance of regulatory headaches.
Take a look at our FAQs.
The privacy by design framework was developed by Ann Cavoukian in the mid-1990s and was formally published in 2009. Originally included as part of a report on privacy-enhancing technologies, the concept underpins a growing number of privacy laws.
The idea is to build privacy right into the way the product works. In the simplest of terms, it means looking at how personal data is being used in the product or service, and whether the same objective can be met with less personal data or less intrusive uses of the same data.
It also means looking at what someone could do with the personal data if they decided to reuse it for purposes aside from that product or service.
In the GDPR, Article 25 requires organisations to embed data protection (privacy and security) by design and by default.
Privacy by design means embedding privacy right into the fabric of a product, service, or business process in a proactive way. Contrast this with designing the product, releasing it, waiting to see what privacy issues arise, and then addressing those in a reactive manner.
Privacy by default means configuring a product or service so that it operates using its most privacy-respecting settings by default. For example, if you ask an app user whether they want to receive marketing emails from you, privacy by default would mean setting the default option to reject the emails. This way, the user must actively do something to begin receiving the emails, instead of receiving them by default until they say no.
Data minimisation is a key strategy of privacy by design. The concept is simple:
- use the smallest amount of personal data you possibly can to achieve each goal you have
- you must not collect or keep personal data unless you can explain exactly why you’re doing so
- when you’ve achieved the purpose for which you were holding an item of personal data, get rid of it securely
- never collect or keep personal data just in case it becomes useful later – that’s illegal under most privacy laws, including the GDPR (EU & UK) and the various federal and provincial privacy laws in force across Canada, such as PIPEDA.
Data minimisation is one of the most effective ways for you to reduce privacy risks. Why?
Because you can’t hurt someone with personal data you don’t have. You can’t mistakenly repurpose it. Hackers can’t steal it. Disgruntled employees can’t leak it. Corrupt governments can’t manipulate it.
Data minimisation means thinking through what data you really need and then using only that data. You can still achieve your business goals while using data more efficiently. At the same time you’re reducing your company’s privacy risk level – the less personal data you have, the easier it is to protect.
A successful approach to privacy by design starts with the culture of the organisation. You need to get all the main decision-makers on board, and put in place a robust education and awareness programme for staff.
In the words of Ann Cavoukian, originator of the privacy by design concept: “Privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organisation’s default mode of operation.”
Tip 1: Start with the principles
The seven foundational principles are a great place to start incorporating privacy by design into your organisation’s operations and culture.
- Be proactive not reactive; Be preventative not remedial.
- Use privacy as the default setting.
- Embed privacy into the initial design, don’t bolt it on later.
- Make privacy positive-sum, not zero-sum.
- Use full-lifecycle protection, end-to-end security.
- Be transparent, with users and providers alike.
- Be respectful, keep it user-centric.
Tip 2: Do a personal data audit sooner rather than later
The hardest part of any privacy project is understanding your current position on data processing and privacy compliance. Improvements only happen after you figure out what needs improving.
If your goal is to embed a culture of privacy into your organisation, a privacy audit will give you a snapshot of your current state of privacy awareness, the risks and impacts of your data processing, and your level of compliance with relevant privacy regulations.
A privacy audit’s recommendations are based on your privacy goals, risk profile, available resources, and budget. Read more about our range of privacy auditing services here.
Tip 3: Industry frameworks (advanced privacy by design users only)
Here are some recently developed industry frameworks to help scale your programme and take it to the next level.
- ISO 31700: Consumer protection – Privacy by design for consumer goods and services
- NIST Privacy Framework version 1.0