Privacy by Design is a longstanding concept which organisations have had to become more familiar with over the last few years and has become an integral part of both modern privacy regulations (most famously, GDPR) and data subjects’ expectations.
Furthermore, recently, with the demand on businesses to provide remote working options in the wake of Coronavirus (Covid-19), data security and privacy have shot up the agenda as network- or device-based restrictions have become unrealistic, forcing many to adapt quickly.
For many businesses, this need to implement controls in a rush and across an unfamiliar-looking corporate network can make privacy by design seem to be a blocker to doing business – the exact opposite of what it aims to achieve.
Combatting this in organizations where data privacy has not historically been part of the fabric of the business is hard. Many businesses are “data privacy natives”, especially those that are in industries that are inherently reliant on the use of personal data (retail, travel, banking etc) and/or have started out in recent years.
But for those that still struggle with privacy and consider it a restriction, privacy leaders need to remind the rest of the business of the additional benefits that can come with privacy by design – benefits outside the obvious departments of IT, security and privacy, and that would often not be possible any other way.
How can Privacy by Design impact business commercially?
It’s important to remember that data privacy impacts data handling throughout entire organisations, meaning every process comes under scope. Therefore, working to inject greater rigour and governance into universal data processes will give businesses such visibility of their data that ancillary benefits cannot fail to follow.
These ancillary benefits can affect specific departments in particular as a result of a more quality-focused approach to working:
Marketing professionals could be forgiven for thinking that data privacy regulation is enough to make them refocus their entire marketing strategy. However, a better understanding of the data capture processes, rights and permissions, and what this means for ongoing communications, encourages marketers to work harder on targeting and on producing better campaigns that secure audience buy-in (manifested most typically in consent to receive more communications), which itself brings clear commercial benefits.
Similarly, development teams benefit as privacy is placed at the beginning of projects, and not permitted to be retrospectively added at the end of the timeline – as is usually the case. The latter approach almost guarantees that privacy becomes a “business blocker” as outputs are prohibited, objectives are suddenly made impossible to meet and time and effort is wasted. Place it at the beginning of the process, and ethical workarounds will be found from the outset that still allow the project to be a success.
Personal customer data is central to a sales function but privacy compliance changes how organisations collect, store and process it. But many sales teams keep customers’ personal data in a variety of places, and even acquire it from a number of sources.
Privacy by design could be the driver that organisations need to implement an effective, single customer management system (often one of the hardest things for businesses to achieve), and to put processes in place – alongside marketing – where customer data is sourced ethically and transparently, allowing sales teams to secure engagements with more willing audiences.
The HR department gathers its data from many different sources, and paper documents will be as common as digital files. Unfortunately, paper documents can pose a great risk to privacy compliance. But turning this on its head, Privacy by Design could be the impetus to consolidate all data into a unified platform – meaning that it can be easily located, anonymised if necessary and reported on as needed.
HR professionals will need to demonstrate that staff are aware of the data held about them, including how it is processed. They should also provide guidelines to staff about the retention period of their data, how they ensure the security of that data, and how it will be securely disposed of when no longer needed. This should not be regarded as a hurdle to jump through but rather as an opportunity to re-engage with existing employees and impress new hires with a demonstrable commitment to privacy.
One of the prerequisites of Privacy by Design is a clear picture of how data flows through the organisation – a living data map – including where data comes from and who it is shared with. This will help in establishing risk areas, such as which suppliers receive or provide personal data, what requirements do or do not exist in the procurement process, who targets EU or Californian citizens on the business’ behalf, and more.
Organisations should clearly define their requirements from suppliers at the outset and carry out appropriate due diligence and monitoring for privacy compliance on an ongoing basis. Embracing these principals in a positive way can lead to improved contractual negotiations, plus the removal of any risk of a third party’s actions undermining your brand.
The risk of privacy breaches is dramatically reduced in areas where automation processes have been put in place – provided they are of course built with a privacy by design outlook in the first place. And for many businesses, finance is the area that stands to benefit the most from automation – invoicing, reconciliations, audits and tax processes all typically rely on manual data collection processes, and almost always involve personal data.
Privacy by Design could be the trigger to investigating where and how to best automate some of these burdensome processes – something that has sat on the to-do list of many businesses, but has often been sidelined in favour of more urgent initiatives.
It is often said that privacy is more than just an IT or security issue. In the same way, the benefits of privacy by design span far further than just compliance. Framed and executed correctly, a privacy by design approach allows multiple departments to understand their data in more detail, see what is possible, know their audience better, act more ethically, and perform their roles more accurately and efficiently.
By Sophie Chase-Borthwick, Director of Privacy Services and Data Ethics, Calligo
Calligo is a data optimization and privacy specialist
Calligo believes that data privacy is the starting point to any interaction with data. Its unique collection of innovative cloud-based services covers the entire data journey, from capture and storage to analysis, monetization and archival – with data privacy embedded at every step.
These services include public & hybrid cloud, IT managed services, data analytics, artificial intelligence and archival & erasure services, all supported by ‘privacy-first’ data management consultancy and specific assistance with national, international and industry-specific data protection obligations.
Calligo’s public and hybrid cloud platforms were the first to be designed with data privacy at their core, rejecting the industry’s myopic focus on cloud basics such as uptime and scalability. Calligo has data centres in the United Kingdom, Jersey, Guernsey, Canada, Singapore and Luxembourg. Calligo’s managed services support, maintain and protect thousands of users, endpoints and servers across the globe. Calligo’s data analytics and artificial intelligence services will be available on either a typical subscription basis, or through an innovative utility computing consumption model, making these transformative technologies accessible to all businesses regardless of size or in-house expertise.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/