Brought to you by Dentons

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

Dentons Privacy Community does Privacy by Design

By Nick Graham
June 18, 2020
  • Accountability
  • General

We held a Dentons Privacy Community webinar on 10 June about “Embedding privacy by design and default into a compliance programme”. We had a great panel discussion and wanted to share a summary of key takeaways from the session.

Where do you start with Privacy by Design and Default?

  • Prepare carefully: you need to know your business and its products well
  • Connect with your C-Suite; the leadership needs to know you as DPO and why privacy by design is key to customer trust and avoiding bad PR, fines, claims and expensive retro-fitting. The right tone at the top is essential
  • Spread the word via a network of Privacy Champions – they are your “eyes and ears” and can filter and identify issues that may need a DPIA
  • Get ready to evangelize privacy across your organisation: sell the need for privacy by design in town halls and internal communications. Get the message out

How do you operationalise a DPIA?

  • No “secret sauce” or single template
  • Keep it simple! Avoid over-complex templates. If it is too complex, you and the business won’t use it
  • Consider using only a few basic questions as a DPIA starter, and then expand during the process as needed based on complexity and risks
  • There needs to be a “trigger” to activate the DPIA; you could embed this in the SDLC, agile software or procurement process
  • Structure DPIA forms to channel the user to relevant questions and eliminate requests for irrelevant information
  • Identifying pure business changes is harder: rely on the Privacy Champions to help identify this as needing a DPIA or data privacy input
  • Consider third party DPIA tools – but they will need customisation and road testing
  • Consider embedding Legitimate Interests Assessments within DPIA
  • Decide whether to make your language GDPR-based (e.g. talking about DPIAs) or more global (e.g. talking about privacy assessments). Consider how best to get buy-in
  • Bake in privacy controls to the product development lifecycle

How do you manage the Privacy Champion network?

  • Ensure proper training is in place with regular meetings and input from the Privacy Champions
  • Tie into HR appraisals, rewards and objectives
  • Set limits on the commitments required of Privacy Champions so the role is not over-burdensome
  • Consider a “proximity approach”: assess the right number of privacy champions and sub-delegation to more operational staff
  • Consider data custodians and system owners who are responsible for specific data processing activities – they work with the Privacy Champions

How does local culture affect this?

  • Take account of cultural approaches: there are differences within EU and across US States and other jurisdictions
  • Consider whether you apply GDPR globally as a starting point. Many deploy more region-specific frameworks

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity and information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.
