It’s easy to be overwhelmed when you think about the risks of failing to protect personal information. But we can reduce risk when we embed thinking about privacy into all stages of our work, rather than treating it as a set of protections to be applied as an afterthought. This is what we call privacy by design.
Business practices that address privacy are sometimes like bandages applied to an open wound: they’re reactionary measures meant to stop the leakage of personal information, not cure the ailment. The bandage is applied to existing processes, usually out of a need to comply with some regulation, and not taken very seriously.
The problem is that when a data breach occurs, the issue is much more serious than a flesh wound!
The incident didn’t occur because our business suffered an injury; it happened because we didn’t think hard enough about our internal processes to stop it before it happened.
“Privacy by design” is the term we use to build our privacy culture. It means that we plan ahead to adequately process and safeguard personal information before it’s too late.
This philosophy ensures we live up to global expectations and the rights of those who own the data we process or retain.
Principles of Privacy by Design
- Be Proactive, Not Reactive. We don’t wait for privacy issues to surprise us.
- It’s Our Default Setting. Privacy should be protected even if the individual does nothing—it’s built in by default.
- Privacy Is Embedded. Privacy is embedded into the design of our business processes and the architecture of our IT systems. It’s an integral component of our day-to-day work, not an afterthought.
- Privacy Has a Positive-Sum Outcome. We seek to accommodate the interests of all parties in a win-win manner.
- Full Lifecycle Protection. We protect data during its entire lifecycle.
- Visibility, Transparency, Openness. Every business practice and technology we use lives up to our promise.
- Respect. We ethically protect our data subjects, with their interests in mind.
Questions to Get Started
- What is the nature of the information I’m handling?
- What are the legitimate objectives of the parties involved with the sensitive information?
- What can I do to secure private information as part of my regular business operations?
- How can I integrate privacy into my work without diminishing functionality or productivity?
- Do our security measures adequately safeguard the data at every stage of its time in our possession?
- How are we honoring a data subject’s right to view their data?
- Are we using procedures that make it easy for outside parties to understand and verify the data we retain?
- If I were one of our customers, what impression would I get from the experience of entrusting secure information to our organization?