Privacy by Design – Asset Or Liability?
By Manu in GDPR
We all have the need for privacy in our lives. The right to keep those things that are so sensitive and personal that only our most trusted friends and family can know. Things like our financial records, our medical history or just aspects of our lives that are so intimate that to have them shared would be a personal invasion.
In short, it’s our right to privacy. Our right to keep information about our homes, our family and ourselves private. This statute is enshrined in UK law. Article 8 of the Human Rights Act protects everyone’s entitlement to an unhindered personal life, a family life, and private personal correspondence (letters, telephone calls and emails, for example).
Privacy by Design And The GDPR
These civil liberties underpin the GDPR legislation implemented in May 2016 that gives EU citizens greater control over the personal information that businesses and public bodies hold about them in paperwork, databases and IT systems.
Organisations that fail to manage this information according to the GDPR principles would be subject to a compliance breach that carries substantial financial penalties. Look at the recent British Airways and Marriott Hotels fines to see how expensive GDPR compliance failures can be.
What Is Privacy by Design?
Privacy by design is not a new idea and, in principle, it’s not a complex one. It simply means that an organisation must design processes that deal with personal data in a way that ensures this information is securely protected.
Neither is privacy by design a new and unique aspect of the GDPR; it was a cornerstone principle of data protection laws long before the GDPR. What the GDPR did was to specify the requirements and make their absence a compliance breach.
And for the millions of people whose data is held by these organisations, the privacy by design elements within the GDPR are an undoubted asset.
Is Privacy By Design Easy To Implement?
Understandably, the need to implement privacy by design has caused concerns in many sectors. Some less technologically savvy organisations are somewhat confused as to how to proceed.
This issue is especially acute for companies grappling with their dependency on legacy systems. Often these are part of a diffused IT structure that is not adequately integrated and has few links between the differing databases. On paper, these are a GDPR nightmare. Little wonder these organisations feel very exposed when trying to embed privacy by design under these circumstances.
To make the required changes would mean engaging in a company-wide technology and people transformation exercise that takes time and comes at a high cost. Privacy by design, in this case, is a worrying liability to those companies who find themselves in this position.
Is Privacy By Design About Training?
There will still be companies who don’t have the required internal expertise and struggle to understand the principles of the GDPR and the privacy by design concept. In this case, they run the risk of expending unnecessary energy and focusing on the wrong areas within their privacy ecosystem. Perhaps they see the GDPR as a training issue as opposed to one that also needs to encompass their technology.
Whatever the reason, these organisations may fail to derive the commercial benefits and risk reduction aspects of privacy by design, or be unclear about their compliance with the directive. In this case, their approach to this area will be an ongoing liability.
How Detailed Do My Preparations Need To Be?
The journey towards privacy by design compliance, whether led by an external consultant or the internal IT team, could involve considering the privacy implications at every step of the clients’ data journey. This may include the concepts, system development activities, planning, monitoring and reporting.
This is a detailed and exacting exercise but one that may ultimately offer greater flexibility for future data usage. It should also result in increased speed in dealing with and solving data-related issues. This longer-term flexibility potentially outweighs the initial costs of doing the exercise. In time, this work has the potential to become an invaluable business asset.
How Will Privacy By Design Affect Start-Ups?
Privacy by design can be an asset for start-ups and early-stage businesses. These firms, by their nature, may have an easier time implementing privacy by design as they have the opportunity to do so earlier in their development. Rather than playing catch-up in the face of ageing systems and ingrained processes, start-ups can set off on the right footing.
New companies who view privacy by design principles as a business asset and not an inconvenient liability could have a competitive advantage. At the very least, by embracing these ideas from the outset, compliance risks are hugely minimised.
Alternatively, a compliance breach at this stage of an organisation’s trajectory could mean ‘game over’. A fledgling brand tarnished by bad publicity and an unwelcome blow to the bottom line is unlikely to find favour with clients.
The useful idea here is that younger companies have a clear choice: make privacy by design part of the business’s asset base, or risk it becoming a severe (and ongoing) liability.
Can Privacy Really Be A Business Asset?
Whether it’s a start-up or a mature company grappling with the privacy by design principles, there is the opportunity to engage in a thoughtful transformation process that has clear business advantages in tow.
The GDPR and the developing privacy agenda, when viewed with an open and optimistic standpoint, can have tremendous upside. The key here is to recognise these opportunities and capitalise upon them. In that way, any company willing to address the issues head-on will be building an enduring business asset.
The alternative is to disregard this important area and end up in the same place as BA, Marriott and a host of others who failed to understand that protecting their clients’ privacy is not a luxury but a business imperative.
For a discussion on how the Lex Solutions team can guide you on your compliance journey to embed the principles of privacy by design and help your organisation make this a winning asset, contact us directly at firstname.lastname@example.org or email@example.com, or call 0203 7451574.