We held a Dentons Privacy Community webinar on 10 June about “Embedding privacy by design and default into a compliance programme”. We had a great panel discussion and wanted to share a summary of key takeaways from the session.
Where do you start with Privacy by Design and Default?
- Prepare carefully: you need to know your business and its products well
- Connect with your C-suite: leadership needs to know you as DPO and understand why privacy by design is key to customer trust and to avoiding bad PR, fines, claims and expensive retro-fitting. The right tone at the top is essential
- Spread the word via a network of Privacy Champions – they are your “eyes and ears” and can filter and identify issues that may need a DPIA
- Get ready to evangelize privacy across your organisation: sell the need for privacy by design in town halls and internal communications. Get the message out
How do you operationalise a DPIA?
- No “secret sauce” or single template
- Keep it simple! Avoid over-complex templates. If it is too complex, you and the business won’t use it
- Consider using only a few basic questions as a DPIA starter, and then expand during the process as needed based on complexity and risks
- There needs to be a “trigger” to activate the DPIA; you could embed this in the SDLC, the agile development process or the procurement process
- Structure DPIA forms to channel the user to the relevant questions and eliminate requests for irrelevant information
- Identifying pure business changes is harder: rely on the Privacy Champions to help flag when such a change needs a DPIA or data privacy input
- Consider third-party DPIA tools – but they will need customisation and road testing
- Consider embedding Legitimate Interests Assessments within DPIA
- Decide whether to make your language GDPR-based (e.g. talking about DPIAs) or more global (e.g. talking about privacy assessments). Consider how best to get buy-in
- Bake privacy controls into the product development lifecycle
How do you manage the Privacy Champion network?
- Ensure proper training is in place with regular meetings and input from the Privacy Champions
- Tie into HR appraisals, rewards and objectives
- Set limits on the commitments required of Privacy Champions so the role is not over-burdensome
- Consider a “proximity approach”: assess the right number of Privacy Champions and sub-delegate to more operational staff
- Consider data custodians and system owners who are responsible for specific data processing activities – they work with the Privacy Champions
How does local culture affect this?
- Take account of cultural approaches: there are differences within the EU, across US states and in other jurisdictions
- Consider whether to apply GDPR globally as a starting point; many organisations deploy more region-specific frameworks instead