PRIVACY BY DESIGN

Build privacy into your business now instead of trying to bolt it on later.

Privacy is a legal requirement under the world’s ever-tightening privacy laws.

Privacy is also a competitive advantage:

  • more of your customers are demanding privacy
  • your competitors probably aren’t providing it

Privacy is a core feature of any new product

The central goal in any product development project is to develop profitable products as quickly and cheaply as possible. 

A key ‘lean startup’ technique is the minimum viable product (MVP). You can learn a lot quickly about what your customers will buy and what features they value by developing and selling MVPs.

What makes a product minimally viable? That varies from one situation to the next.

At the very least, an MVP must be legal to sell. Your idea might be ingenious, but if the product is illegal then it isn’t viable. If it doesn’t include privacy, there’s no point in building it.

Privacy is a competitive advantage

Every day seems to bring news of more and stricter privacy laws. And it’s not just a UK and EU issue with the GDPR. One after another, countries across the world are enacting more restrictions on what organisations can do with personal data.

Lawmakers aren’t leading the way on privacy – they’re simply reacting to increased pressure from voters.

When customer expectations around quality, user experience, and trust are all increasingly about privacy, it’s an opportunity for businesses to take the lead.

Whether your products are for consumers or businesses, privacy sells.

Privacy by design embeds privacy into your product or service from day 1. That means less time wasted trying to tack it on later, streamlining your route to market.

Use our Product Counsel service to get your MVP to market faster with:


The privacy by design framework was developed by Ann Cavoukian in the mid-1990s and was formally published in 2009. Originally included as part of a report on privacy-enhancing technologies, the concept underpins a growing number of privacy laws.

The idea is to build privacy right into the way the product works. In the simplest of terms, it means looking at how personal data is being used in the product or service, and whether the same objective can be met with less personal data or less intrusive uses of the same data. 

It also means looking at what someone could do with the personal data if they decided to reuse it for purposes aside from that product or service.

In the GDPR, Article 25 requires organisations to embed data protection (privacy and security) by design and by default.

Privacy by design means embedding privacy right into the fabric of a product, service, or business process in a proactive way. Contrast this with designing the product, releasing it, waiting to see what privacy issues arise, and then addressing those in a reactive manner.

Privacy by default means configuring a product or service so that it operates using its most privacy-respecting settings by default. For example, if you ask an app user whether they want to receive marketing emails from you, privacy by default would mean setting the default option to reject the emails. This way, the user must actively do something to begin receiving the emails, instead of receiving them by default until they say no.

Data minimisation is a key strategy of privacy by design. The concept is simple: 

  • use the smallest amount of personal data you possibly can to achieve each goal you have
  • don’t collect or keep personal data unless you can explain exactly why you’re doing so
  • when you’ve achieved the purpose for which you were holding an item of personal data, get rid of it securely
  • never collect or keep personal data just in case it becomes useful later – that’s illegal under most privacy laws, including the GDPR (EU & UK) and the various federal and provincial privacy laws in force across Canada, such as PIPEDA.

Data minimisation is one of the most effective ways for you to reduce privacy risks. Why?


Because you can’t hurt someone with personal data you don’t have. You can’t mistakenly repurpose it. Hackers can’t steal it. Disgruntled employees can’t leak it. Corrupt governments can’t manipulate it.


Data minimisation means thinking through what data you really need and then using only that data. You can still achieve your business goals while using data more efficiently. At the same time you’re reducing your company’s privacy risk level – the less personal data you have, the easier it is to protect.
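As an added illustration (not from the original page), here is how the privacy-by-default and data-minimisation rules above might be expressed in a small Python data model: consent defaults to off, nothing is stored without a documented purpose, each purpose sees only its own data, and an item is deleted once its purpose’s retention period has run. The purpose names, retention periods and the sample profile are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed purpose register (hypothetical purpose names): every item of personal
# data is tied to one documented purpose, and each purpose has its own retention period.
RETENTION = {"order_fulfilment": timedelta(days=90), "marketing": timedelta(days=365)}
Datum = namedtuple("Datum", "value purpose collected_at")

@dataclass
class Profile:
    marketing_opt_in: bool = False  # privacy by default: off until the user opts in
    data: dict = field(default_factory=dict)  # keyed by (field name, purpose)

def collect(profile: Profile, name: str, value: str, purpose: str, now: datetime) -> None:
    # Data minimisation: nothing is stored without a documented purpose (no "just in
    # case" collection), and marketing data is refused until the user has opted in.
    if purpose not in RETENTION:
        raise ValueError(f"no documented purpose for {name!r}; do not collect it")
    if purpose == "marketing" and not profile.marketing_opt_in:
        raise PermissionError("marketing data needs an explicit opt-in first")
    profile.data[(name, purpose)] = Datum(value, purpose, now)

def data_for(profile: Profile, purpose: str) -> dict:
    # Purpose limitation: a caller sees only data collected for its own purpose, so an
    # address gathered for order fulfilment cannot quietly be reused for marketing.
    return {n: d.value for (n, p), d in profile.data.items() if p == purpose}

def purge_expired(profile: Profile, now: datetime) -> list:
    # Retention: once a purpose's retention period has run, the item is deleted.
    expired = [k for k, d in profile.data.items() if now - d.collected_at > RETENTION[d.purpose]]
    for k in expired:
        del profile.data[k]
    return sorted(expired)

def walkthrough() -> dict:
    # Constructed scenario; returns the observable outcomes rather than printing them.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    p = Profile()
    collect(p, "email", "a@example.com", "order_fulfilment", t0)
    blocked = False
    try:
        collect(p, "email", "a@example.com", "marketing", t0)  # no opt-in yet
    except PermissionError:
        blocked = True
    p.marketing_opt_in = True  # the user actively ticks the box
    collect(p, "email", "a@example.com", "marketing", t0)
    purged = purge_expired(p, t0 + timedelta(days=100))  # fulfilment window has passed
    return {"blocked": blocked, "purged": purged,
            "fulfilment": data_for(p, "order_fulfilment"), "marketing": data_for(p, "marketing")}
```

Note that the same email address is held twice, once per purpose, so deleting the fulfilment copy after 90 days does not touch the copy the user consented to for marketing.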

A successful approach to privacy by design starts with the culture of the organisation. You need to get all the main decision-makers on-board, and put in place a robust education and awareness programme for staff.

In the words of Ann Cavoukian, originator of the privacy by design concept: “Privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organisation’s default mode of operation.”

Tip 1: Start with the principles

The seven foundational principles are a great place to start incorporating privacy by design into your organisation’s operations and culture.

  1. Be proactive, not reactive; be preventative, not remedial.
  2. Use privacy as the default setting.
  3. Embed privacy into the initial design, don’t bolt it on later.
  4. Make privacy positive-sum, not zero-sum.
  5. Use full-lifecycle protection, end-to-end security.
  6. Be transparent, with users and providers alike.
  7. Be respectful, keep it user-centric.


Tip 2: Do a personal data audit sooner rather than later

The hardest part of any privacy project is understanding your current position on data processing and privacy compliance. Improvements only happen after you figure out what needs improving.

If your goal is to embed a culture of privacy into your organisation, a privacy audit will give you a snapshot of your current state of privacy awareness, the risks and impacts of your data processing, and level of compliance with relevant privacy regulations.

A privacy audit’s recommendations are based on your privacy goals, risk profile, available resources, and budget. Read more about our range of privacy auditing services here.


Tip 3: Industry frameworks (advanced privacy by design users only)

Here are some recently developed industry frameworks to help scale your programme and take it to the next level.

  • ISO 31700: Consumer protection – Privacy by design for consumer goods and services
  • NIST Privacy Framework version 1.0