We held a Dentons Privacy Community webinar on 10 June about “Embedding privacy by design and default into a compliance programme”.  We had a great panel discussion and wanted to share a summary of key takeaways from the session.

Where do you start with Privacy by Design and Default?

  • Prepare carefully: you need to know your business and its products well
  • Connect with your C-Suite; the leadership needs to know you as DPO and why privacy by design is key to customer trust and avoiding bad PR, fines, claims and expensive retro-fitting. The right tone at the top is essential
  • Spread the word via a network of Privacy Champions – they are your “eyes and ears” and can filter and identify issues that may need a DPIA
  • Get ready to evangelize privacy across your organisation: sell the need for privacy by design in town halls and internal communications. Get the message out

How do you operationalise a DPIA?

  • No “secret sauce” or single template
  • Keep it simple! Avoid over-complex templates. If it is too complex, you and the business won’t use it
  • Consider using only a few basic questions as a DPIA starter, and then expand during the process as needed based on complexity and risks
  • There needs to be a “trigger” to activate the DPIA; you could embed this in the SDLC, agile software or procurement process
  • Structure DPIA forms to channel the user to relevant questions / eliminate requests for irrelevant information    
  • Identifying pure business changes is harder: rely on the Privacy Champions to help identify this as needing a DPIA or data privacy input
  • Consider third party DPIA tools – but they will need customisation and road testing
  • Consider embedding Legitimate Interests Assessments within DPIA
  • Decide whether to make your language GDPR-based (e.g. talking about DPIAs) or more global (e.g. talking about privacy assessments). Consider how best to get buy-in
  • Bake in privacy controls to the product development lifecycle

How do you manage the Privacy Champion network?

  • Ensure proper training is in place with regular meetings and input from the Privacy Champions
  • Tie into HR appraisals, rewards and objectives
  • Set limits on the commitments required of Privacy Champions so the role is not over-burdensome
  • Consider a “proximity approach”: assess the right number of privacy champions and sub-delegation to more operational staff
  • Consider data custodians and system owners who are responsible for specific data processing activities – they work with the Privacy Champions

How does local culture affect this?

  • Take account of cultural approaches: there are differences within EU and across US States and other jurisdictions
  • Consider whether you apply GDPR globally as starting point.  Many deploy more region-specific frameworks
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

Full bio

RELATED POSTS