Why a Data Privacy Compliance Journey Should Start with Privacy by Design

Global interest in privacy has led to a recent explosion in privacy-centric legislation.

Consequently, organizations of all sizes find themselves in the difficult position of having to implement and maintain compliance with a host of complex regulations rife with regional peculiarities.

Privacy by Design (PbD), and its EU counterpart Data Protection by Design (DPbD), aim to build privacy controls in from the outset. As such, PbD can be an effective starting point for a de facto "common denominator" approach to compliance that is compatible with a large number of privacy frameworks. And yet, despite their potential, both PbD and DPbD receive scant attention. One reason for this may be their focus on system design and technical information, which compliance personnel often find difficult to digest.

How can actionable PbD requirements be derived for compliance purposes? What is the real potential of PbD at the global level? What is the precise mandate of DPbD as introduced by the General Data Protection Regulation and applicable since 2018? And how can trusted architectures support DPbD strategies?

In two newly released whitepapers, I argue that PbD is the key to unlocking global compliance strategies and making them scalable. Throughout both whitepapers, I provide the beginnings of a framework for operationalizing both PbD and DPbD, illustrating how technical and compliance roles should closely collaborate to produce effective compliance strategies within organizations.

PbD requirements are essentially fair information practices baked into the design of IT systems. They are derived from nine key principles, each of which should lead to the implementation of a specific set of control measures: purpose specification, data minimization, accuracy, lawfulness and fairness, purpose limitation, integrity and confidentiality (i.e., security), transparency, intervenability, and accountability. While this may surprise some, these principles map onto most privacy laws already adopted or in the making, including the California Consumer Privacy Act, the Brazilian General Data Protection Law, and even the old US Health Insurance Portability and Accountability Act of 1996.

This is true even in the EU, where the data protection framework now includes a binding DPbD obligation imposed upon data controllers. GDPR Article 25 refers both to the need to bake all data protection principles into the processing before it starts and to the need to implement safeguards that protect the rights of data subjects.

To learn more about how technical and compliance roles can closely collaborate to produce effective compliance strategies within your organization, download our white paper, Immuta & Data Protection by Design: Making the GDPR Work for Your Data Analytics Environments.
