With the EU’s 2018 General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), which became effective January 2020, and the patchwork of U.S. state privacy regulations that continue to roll out, privacy has been a hot topic in the media as of late. But what exactly is “privacy,” and how can your company address privacy concerns from the get-go?
At a very high level, privacy is the right to be let alone. “Data privacy” or “information privacy” relates more specifically to an individual’s right to control how his or her personally identifiable information is collected, used, processed, stored, disclosed, sold, and deleted. While the definition of “personally identifiable information” varies based on the applicable statute, it generally encompasses any information which can be used to distinguish or trace an individual’s identity (e.g., a name, social security number, tax ID, driver’s license number, biometric records, etc.), either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual.
Privacy by Design, a foundational concept of the GDPR and CCPA, is a set of seven principles that integrates privacy into the creation and operation of new devices, IT systems, networked infrastructure, and corporate policies. As an emerging growth company, you are uniquely positioned to embed the following principles into the very fabric of your organization from the outset, mitigating the risk of an adverse privacy-related incident during your growth.
- Proactive not Reactive; Preventative not Remedial. Think about data privacy and make it a priority from the start.
  - Make a clear commitment, at the highest levels, to set and enforce high standards of privacy – and make this part of your mission statement.
  - Develop an inventory of personal data and document data flows (e.g., between systems, between processes, between countries); conduct regular privacy impact assessments to identify potential weaknesses and mitigate the risk of a breach.
- Privacy as the Default Setting. Give consumers the maximum privacy protection as a baseline.
  - Collect only the minimum amount of personal data necessary for a legitimate business purpose.
  - Limit the use, retention, and disclosure of personal data to the relevant purposes communicated to the individual and to which he or she has consented.
  - Keep personal data only as long as necessary to fulfil the stated purposes, and then securely destroy it.
- Privacy Embedded into Design. Make data privacy integral to your business practices and operational infrastructure.
  - Integrate privacy considerations into your IT systems (e.g., through firewalls, passwords, encryption, data aggregation, pseudonymization, de-identification) and operational training (e.g., HR, marketing, call centers).
  - Include privacy and data security provisions in agreements and contracts with third parties (e.g., clients, vendors, processors, affiliates).
- Full Functionality – Positive-Sum, Not Zero-Sum. Remember that privacy should not compete with other business interests or compromise your business goals. It should align with and advance your company objectives in a win-win manner, without diminishing functionality.
- End-to-End Security – Full Lifecycle Protection. Implement cradle-to-grave, secure lifecycle management of information.
  - Incorporate reasonable security measures, including administrative (e.g., access control), technical (e.g., encryption), and physical (e.g., locks, employee device policies), to safeguard personal data throughout its lifecycle.
  - Ensure that all data is securely collected, retained, and then destroyed in a timely manner.
  - Develop and maintain a data privacy incident/breach response plan.
- Visibility and Transparency – Keep it Open. Make sure that your privacy practices are clear for consumers.
  - Draft detailed and updated (at least yearly) privacy policies that specify exactly what data you collect and what you do with it.
  - Demonstrate accountability by documenting compliance efforts and communicating privacy practices to stakeholders.
- Respect for User Privacy – Keep it User-Centric. Keep data accurate and give control to the consumer.
  - Maintain the confidentiality and integrity of personal data (e.g., by making sure that the data is accurate, complete, and up-to-date).
  - Give consumers the rights to access, modify, delete, or restrict the use or sale of their personal data, and, where possible, obtain consent for the use of personal data.
If your company seeks to collect and use personal information as part of your business plan, you may want to consider incorporating the above Privacy by Design principles into your everyday business practices as a means to ultimately build trust with consumers, attract investors, and reduce potential liability through proactive planning.
In a pandemic world, with remote working and learning vastly increasing the amount of data – including personal data – being collected, transmitted, and processed, implementing these best practices as a foundational strategy is more important than ever.
The Privacy by Design principles were originally developed by Ann Cavoukian, Ph.D., former Information & Privacy Commissioner for the Canadian province of Ontario.