Privacy by Design – Asset Or Liability?

We all have the need for privacy in our lives. The right to keep those things that are so sensitive and personal that only our most trusted friends and family can know. Things like our financial records, our medical history or just aspects of our lives that are so intimate that to have them shared would be a personal invasion.

In short, it’s our right to privacy. Our right to keep information about our homes, our family and ourselves private. This right is enshrined in UK law. Article 8 of the Human Rights Act protects everyone’s entitlement to an unhindered personal life, a family life, and private personal correspondence (letters, telephone calls and emails, for example).

Privacy by Design And The GDPR

These civil liberties underpin the GDPR legislation implemented in May 2016 that gives EU citizens greater control over the personal information that businesses and public bodies hold about them in paperwork, databases and IT systems.

Organisations that fail to manage this information according to the GDPR principles would be subject to a compliance breach that carries substantial financial penalties. Look at the recent British Airways and Marriott Hotels fines to see how expensive GDPR compliance failures can be.

What Is Privacy by Design?

Privacy by design is not a new idea and, in principle, it’s not a complex one. It simply means that an organisation must design processes that deal with personal data in a way that ensures this information is securely protected.

Neither is privacy by design a new and unique aspect of the GDPR; it was a cornerstone principle of data protection laws long before the GDPR. What the GDPR did was to specify the requirements and make their absence a compliance breach.

And for the millions of people whose data is held by these organisations, the privacy by design elements within the GDPR are an undoubted asset.

Is Privacy By Design Easy To Implement?

Understandably, the need to implement privacy by design has caused concerns in many sectors. Some less technologically savvy organisations are somewhat confused as to how to proceed.

This issue is especially acute for companies grappling with their dependency on legacy systems. Often these are part of a diffused IT structure that is not adequately integrated and has few links between the differing databases. On paper, these are a GDPR nightmare. Little wonder these organisations feel very exposed when trying to embed privacy by design under these circumstances.

To make the required changes would mean engaging in a company-wide technology and people transformation exercise that takes time and comes at a high cost. Privacy by design, in this case, is a worrying liability to those companies who find themselves in this position.

Is Privacy By Design About Training?

There will still be companies who don’t have the required internal expertise and struggle to understand the principles of the GDPR and the privacy by design concept. In this case, they run the risk of expending unnecessary energy and applying focus on the wrong areas within their privacy ecosystem. Perhaps they see GDPR as a training issue as opposed to one that also needs to encompass their technology.

Whatever the reason, these organisations may fail to derive the commercial benefits and risk reduction aspects of privacy by design or be unclear about their compliance with the directive. In this case, their approach to this area will be an ongoing liability.

How Detailed Do My Preparations Need To Be?

The journey towards privacy by design compliance, whether led by an external consultant or the internal IT team, could involve considering the privacy implications at every step of their clients’ data journey. This may include the concepts, system development activities, planning, monitoring and reporting.

This is a detailed and exacting exercise but one that may ultimately offer greater flexibility for future data usage. It should also result in increased speed in dealing with and solving data-related issues. This longer-term flexibility potentially outweighs the initial costs of doing the exercise. In time, this work has the potential to become an invaluable business asset.

How Will Privacy By Design Affect Start-Ups?

Privacy by design can be an asset for start-ups and early-stage businesses. These firms, by their nature, may have an easier time implementing privacy by design as they have the opportunity to do so earlier in their development. Rather than playing catch up in the face of ageing systems and ingrained processes, startups can set off on the right footing.

New companies who view privacy by design principles as a business asset and not an inconvenient liability could have a competitive advantage. At the very least, by embracing these ideas from the outset, compliance risks are hugely minimised.

Alternatively, a compliance breach at this stage of an organisation’s trajectory could mean ‘game over’. A fledgeling brand tarnished by bad publicity and an unwelcome blow to the bottom line is unlikely to find favour with clients.

The useful idea here is that younger companies have a clear choice. Make privacy by design part of the business’s asset base or risk it being a severe (and ongoing) liability.

Can Privacy Really Be A Business Asset?

Whether it’s a start-up or a mature company grappling with the privacy by design principles, there is the opportunity to engage in a thoughtful transformation process that has clear business advantages in tow.

The GDPR and the developing privacy agenda, when viewed from an open and optimistic standpoint, can have tremendous upside. The key here is to recognise these opportunities and capitalise upon them. In that way, any company willing to address the issues head-on will be building an enduring business asset.

The alternative is to disregard this important area and end up in the same place as BA, Marriott and a host of others who failed to understand that protecting their clients’ privacy is not a luxury but a business imperative.

For a discussion on how the Lex Solutions team can guide you on your compliance journey to embed the principles of privacy by design that will help your organisation make this a winning asset, contact us directly at chris@lexsolutions.com or manu@lexsolutions.com or call 0203 7451574.
