
Key takeaways:

  • You can’t incorporate Privacy by Design into an organization without top-down support from your executives.
  • Defining PBD in exact terms varies among privacy leaders. For some, it’s a philosophy for how to incorporate privacy into an organization, while others are taking a very structured, framework-based approach.
  • Your approach to PBD will have implications for where and how it is implemented. Companies for which the concept means a greater focus on building privacy principles into new programs as they come on board implement those principles by carrying out reviews and assessments. However, addressing privacy concerns for existing systems poses a different set of challenges.

As a data privacy leader, you understand that being proactive in managing privacy risks yields far greater results than reacting to emerging issues and retrofitting new systems.

This is precisely why Privacy by Design (PBD) principles advocate for integrating good privacy practices right from the start when designing or implementing products, infrastructure, or business processes.

Yet, integrating these principles into the day-to-day of your systems and operations can be a massive undertaking.

Recently, the Data Privacy Board hosted a panel on Operationalizing PBD at a Large Enterprise where senior privacy leads at Bose, Northwestern Mutual, and Merck convened to share actionable advice on building PBD principles into your organization.

Panelists addressed the importance of securing top-level buy-in, defining what PBD means in terms of your organizational culture, and shed light on the pivotal role of proactive privacy strategies in fostering trust and compliance.

You Can’t Drive a Privacy-First Strategy Without Executive Support


From Left: Evan Fleischer, Tom Holtan, Andy Keller, and Daniel Fisher.

To successfully incorporate PBD principles into your enterprise’s operations, C-suite support is paramount.

As Merck Director of Digital and Data Daniel Fisher said during the panel, “Top-down management impacts everything we do.”

Leadership endorsement signals the importance of privacy throughout the organization and enables you to foster a culture where privacy is ingrained in every aspect of the organization’s operations and decision-making processes.

Evan Fleischer, Legal Counsel at Bose, echoed this sentiment and said the desire to do right by their customers drives and helps inform their strategy and privacy impact assessment (PIA) process.

Evan further highlighted the value of employee engagement and support for privacy. At Bose, he said they often proactively reach out with potential privacy concerns or ideas.

“That really helps drive not just the things we’re aware of and initiatives we’re aware of, but identifying other areas that might need a better privacy eye,” he said.

Defining Privacy by Design at Your Organization — Philosophy or Framework?

Adapting culture and enterprise processes takes time, so it’s important to consider that operationalizing PBD and its seven foundational principles is a continual process.

In fact, Data Privacy Board members came together in our confidential community at the end of last year to benchmark where they are on their PBD journeys.

In a poll of attendees, 61% of members classified their maturity as “in process,” and just one member felt their company was mature or close to mature in this area.

Members also acknowledged at the outset and throughout the conversation that defining “PBD” in exact terms isn’t something they feel very solid about.

For some, it’s more of a conceptual outlook for how to incorporate privacy in the practices of an organization, while others are taking a very structured, framework-based approach.

This philosophy versus framework question was also mentioned during the public panel discussion, where a hybrid definition surfaced.

Northwestern Mutual Senior Director of Privacy Tom Holtan said they view it as both philosophy and framework.

At the conceptual level, he said it’s essential that this philosophy and a privacy-first culture are adopted enterprise-wide, from senior leadership down to frontline employees.

When it comes to actually implementing these principles into your operations, panelists shed light on the importance of your risk and assessment process.

“The only way to embed PBD is to have your flags, checkpoints, processes, and audit capabilities to make sure that you’re actually embedding those principles into day-to-day operations,” Daniel said.

How to Define Your Approach to Privacy by Design


During the Data Privacy Board members’ private discussion, there was a conversation about how you structure your approach and the implications for where you can implement PBD.

Companies for which the concept means a greater focus on building privacy principles into new programs as they come on board implement those principles by carrying out reviews and assessments throughout the project’s life cycle rather than retrofitting.

However, addressing privacy concerns for existing systems poses a different set of challenges. Members shared various strategies, including tiering vendors based on risk and conducting reviews in 1-3 year cycles, leveraging data governance processes to identify unknown legacy systems, and actively involving themselves in the sourcing and procurement process.

At Northwestern Mutual, Tom said the privacy team is very intentional about their risk and assessment process, which he called “one of the most effective levers in ensuring we have a seat at the table.”

By deploying consultants for the review and assessment process across the organization, they ensure that technological deployments and process changes are accounted for and reviewed through a PBD lens, enabling them to proactively embed privacy principles.

This approach allows the team to stay attuned to what’s changing throughout the enterprise and ensure privacy principles are baked in from the outset.

While PBD provides a great framework, Tom said there’s still a lot of gray area. He said there’s not a singular checklist, and that’s what makes this journey challenging.

“So much of what we do is around the context of a specific request, and every request is a little different,” Tom said. “There are general principles, but what we found is by aligning with our second line partners across the company, we’re able to get that context and give that right level to keep that consumer perspective in mind and keep data protected.”

In essence, while PBD offers a solid foundation, its successful implementation requires a nuanced approach that considers the unique challenges and contexts within each organization. Collaboration and proactive engagement across various stakeholders are essential to navigate the complexities of privacy management effectively.


Benchmark With Your Peers at Other Large Companies

It’s clear there’s no one-size-fits-all approach to operationalizing PBD, and the advice shared by panelists is just scratching the surface of this topic.

Data Privacy Board members are able to gut-check their strategies in a completely confidential space.

Interested in learning more about how the community could help support your program’s needs? Get in touch below.
