What we do
PRIVACY BY DESIGN
Build privacy into your business now instead of trying to bolt it on later.
Privacy is a competitive advantage. Build it into your business by design.
Two good reasons to embed privacy into your products and business processes now:
- Customer loyalty & trust: your customers want evidence that you are respecting their privacy.
- Compliance isn’t getting easier: tougher data protection laws are becoming the norm around the world.
See privacy as an opportunity, not an obstacle.
Privacy is a competitive advantage
Every day seems to bring news of more and stricter privacy laws. And it’s not just a UK and EU issue with the GDPR. One after another, countries across the world are enacting more restrictions on what organisations can do with personal data.
Lawmakers aren’t leading the way on privacy – they’re simply reacting to increased pressure from voters.
When customer expectations around quality, user experience, and trust are all increasingly about privacy, it’s an opportunity for businesses to take the lead.
Whether your products are for consumers or businesses, privacy sells.
Privacy by design embeds privacy into your product or service from day 1. That means less time wasted trying to tack it on later, streamlining your route to market.
Use our Product Counsel service to get your MVP to market faster with:
- PbD advice for vendors and developers (B2B and B2C)
- Draft privacy templates for your B2B customers, including data maps, RoPAs, and privacy notices
- Plain English contracts and negotiation support
- Employee privacy awareness and training sessions
Does your business need general data privacy compliance advice?
Privacy by Design: Products
The objective is straightforward: develop profitable products as quickly and efficiently as possible.
Privacy and security aren’t options to be added on later. They must be baked right into your product’s design from the outset, whether you’re selling B2B or B2C.
No product – not even an MVP (minimum viable product) – is viable without them.
Privacy by design streamlines your route to market. No more building a prototype just to spin your wheels trying to tack privacy and security features on later.
Our Product Counsel service can help you get to market faster with:
- PbD for product vendors and outsourced developers (B2B and B2C)
- Plain English contracts and negotiation support
- Employee privacy awareness and training
What we’ll do.
1. Data Mapping
Working with your product development team, we map the lifecycle of personal data used in (or to support) the product: including where it comes from, what it’s used for, who would have access to it, where it’s stored, how it’s secured, etc.
What you’ll get.
A detailed privacy-focused data lifecycle map that will highlight potential privacy risks and security gaps related to the nature and method of the processing activities.
The map is designed to be a companion piece to be read alongside such documents as information architecture maps and use-case diagrams.
2. Draft RoPA
We will produce a Record of Processing Activities (RoPA) for your product detailing the ‘who, what, when, where, why and how’ of the personal data your product processes.
A draft RoPA to help you:
- comply with Art. 30 of the GDPR
- manage data subject access requests (DSARs)
- determine who (you or your customer) is acting as a controller or processor
- identify the further analysis that is required (such as an LIA, PIA, or DPIA) for each use of data, and who is responsible for completing it
What we’ll do.
3. Privacy Improvement Plan
Summarise the findings of the Discovery process, highlight significant privacy risks and security gaps, and provide commercially practical recommendations to mitigate these.
What you’ll get.
- Privacy risk register
- Methods for ranking those risks and prioritising actions
- Options for mitigating or accepting each risk
4. Privacy Documentation Package
Draft essential data privacy documents and templates, letting you record the data protection compliance steps you’ve taken.
Draft model privacy documents to help onboard your product with B2B customers quicker.
Privacy documents, which may include:
- Privacy notices (public facing)
- Reviews and advice on your completed LIAs, PIAs, DPIAs
- Internal policies on privacy, data governance, vendor selection
- Terms of service (B2B or B2C), including data processing terms where appropriate
- Data processing agreements for external processors
What we’ll do.
Help you work through likely privacy concerns for your customer use cases.
What you’ll get.
Sales “playbook” for smoothly handling queries about data flows and privacy practices – especially handy for dealing with your customers’ privacy and legal teams.
Privacy by Design: Processes
Your internal processes are also subject to data privacy and data protection laws, including a growing number with explicit Privacy by Design requirements.
Putting aside the legal requirements, customer and employee awareness of privacy issues is only growing. They expect you to treat their personal data with care and respect.
Applying privacy by design to your business processes is employee- and customer-centric. It improves transparency and shows them respect.
The results leave everyone happier: fewer complaints, less chance of regulatory headaches.
What we’ll do.
Data Mapping & Gap Analysis
Working closely with you, we map personal data use within a function or across the whole organisation.
Data maps show how personal data is used, including where it comes from, who has access to it, where it’s stored, etc.
Gap analysis identifies compliance gaps and risks from both a privacy and data security perspective.
What you’ll get.
Detailed, privacy-focused data map.
Record of processing activities (RoPA) describing how personal data is used, where it comes from, who has access to it, where it’s stored, the lawful basis for processing, etc.
Draft data protection and privacy risk register.
Gap analysis report with recommendations for improvement.
What we’ll do.
We will help you to:
- prioritise and work toward closing compliance gaps identified in the Health Check
- create internal policies to improve governance around personal data use and the adoption of new apps
- develop procedures to bring those policies to life.
What you’ll get.
We’ll create a tailored package that suits your organisation, including any number of the following:
- Clear and concise privacy notices based on your data map / RoPA
- T&Cs (also called Terms of Business)
- Data retention and deletion policies
- Advice on when and how to carry out:
  - Legitimate interest assessments (LIA)
  - Privacy impact assessments (PIA)
  - Data protection impact assessments (DPIA)
- Data subject access request (DSAR) policies and procedures
- Data governance and acceptable use policies (internal documents)
- Employee awareness training programmes
FAQs
Take a look at our FAQs.
The privacy by design framework was developed by Ann Cavoukian in the mid-1990s and was formally published in 2009. Originally included as part of a report on privacy-enhancing technologies, the concept underpins a growing number of privacy laws.
The idea is to build privacy right into the way the product works. In the simplest of terms, it means looking at how personal data is being used in the product or service, and whether the same objective can be met with less personal data or less intrusive uses of the same data.
It also means looking at what someone could do with the personal data if they decided to reuse it for purposes aside from that product or service.
In the GDPR, Article 25 requires organisations to embed data protection (privacy and security) by design and by default.
Privacy by design means embedding privacy right into the fabric of a product, service, or business process in a proactive way. Contrast this with designing the product, releasing it, waiting to see what privacy issues arise, and then addressing those in a reactive manner.
Privacy by default means configuring a product or service so that it operates using its most privacy-respecting settings by default. For example, if you ask an app user whether they want to receive marketing emails from you, privacy by default would mean setting the default option to reject the emails. This way, the user must actively do something to begin receiving the emails, instead of receiving them by default until they say no.
Data minimisation is a key strategy of privacy by design. The concept is simple:
- use the smallest amount of personal data you possibly can to achieve each goal you have
- you must not collect it or keep personal data unless you can explain exactly why you’re doing so
- when you’ve achieved the purpose for which you were holding an item of personal data, get rid of it securely
- never collect or keep personal data just in case it becomes useful later – that’s illegal under most privacy laws, including the GDPR (EU & UK) and the various federal and provincial privacy laws in force across Canada, such as PIPEDA.
Data minimisation is one of the most effective ways for you to reduce privacy risks. Why?
Because you can’t hurt someone with personal data you don’t have. You can’t mistakenly repurpose it. Hackers can’t steal it. Disgruntled employees can’t leak it. Corrupt governments can’t manipulate it.
Data minimisation means thinking through what data you really need and then using only that data. You can still achieve your business goals while using data more efficiently. At the same time you’re reducing your company’s privacy risk level – the less personal data you have, the easier it is to protect.
A successful approach to privacy by design starts with the culture of the organisation. You need to get all the main decision-makers on-board, and put in place a robust education and awareness programme for staff.
In the words of Ann Cavoukian, originator of the privacy by design concept: “Privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organisation’s default mode of operation.”
Tip 1: Start with the principles
The seven foundational principles are a great place to start incorporating privacy by design into your organisation’s operations and culture.
- Be proactive not reactive; Be preventative not remedial.
- Use privacy as the default setting.
- Embed privacy into the initial design, don’t bolt it on later.
- Make privacy positive-sum, not zero-sum.
- Use full-lifecycle protection, end-to-end security.
- Be transparent, with users and providers alike.
- Be respectful, keep it user-centric.
Tip 2: Do a personal data audit sooner rather than later
The hardest part of any privacy project is understanding your current position on data processing and privacy compliance. Improvements only happen after you figure out what needs improving.
If your goal is to embed a culture of privacy into your organisation, a privacy audit will give you a snapshot of your current state of privacy awareness, the risks and impacts of your data processing, and level of compliance with relevant privacy regulations.
A privacy audit’s recommendations are based on your privacy goals, risk profile, available resources, and budget. Read more about our range of privacy auditing services here.
Tip 3: Industry frameworks (advanced privacy by design users only)
Here are some recently developed industry frameworks to help scale your programme and take it to the next level.
- ISO 31700: Consumer protection – Privacy by design for consumer goods and services
- NIST Privacy Framework version 1.0