Ten Steps to a Quality Privacy Program, Part Three: Privacy By Design Tools
By Deidre Rodriguez, CIPP/US
As privacy professionals, we know that the best defense in privacy is to prevent the occurrence of incidents and risk in the first place. That is the entire concept behind privacy by design. Privacy by Design (PbD) means incorporating data protection throughout the life cycle of processes, both technological and business. It is a preventative, proactive approach to privacy. We are all familiar with the term, but applying it can be more difficult. Where do you start, and how do you develop tools that will help reduce privacy risk and assist the organization in applying the proper controls on the front end? The tools and methods used can be as simple or complex as needed to address the risk for your organization.
Determine What Tools Are Needed and Where
First, you must determine where tools are needed. Look to your risk assessment and your risk ranking scores. They should tell you where your highest risks are. If you did not apply risk ranking scores when you did your risk analysis, there are other ways to get there. You, as a privacy professional, will have a good idea of what the biggest risks to your organization are. Listen to your gut. What keeps you up at night? Make a list of the risks that you identify. Those are your opportunities to embed PbD tools, controls and concepts. Narrow your list; home in on areas where you can have impact by applying PbD.
Where can you build tools, technological solutions and procedures into existing processes? What kind of tools do you need? That will vary and will be specific to your organization. For each risk that you listed, identify the system and business owners of the processes related to that risk. They will be the key to successfully implementing PbD tools and controls that work and are efficient, not cumbersome. Engage those business owners and understand their roles and processes in depth. Review work flows and look for front-end points in technology and processes where controls can be embedded.
For example, if you have identified one of your risks as new projects that are missing essential data protection controls, is there one business area or approval process that all projects flow through before they are initiated? Is there a business owner, or multiple business owners, responsible for developing business and technical requirements for those projects? Those are the people that you want to talk to.
Once you have identified the business owner, understand their processes and identify opportunities for embedding tools, checklists, stop points and signoffs, certifications, technological solutions or other solutions that will control the risk. What type of tool is needed? Will a simple checklist suffice? Are more sophisticated tools needed? This will be specific to each organization or process. Identify the controls that need to be implemented to address the risks. Identification of the proper controls is essential to success. Those controls may vary depending on the organizational complexity, technological capability and the resources available, and they can be simple or complex. Reviewing the work flow or process map will help you identify places in the process that have privacy impact points (access points, points where the amount of data can be limited, data transmission points, disclosure points) and where controls can be embedded. Again, making a list will help. List the privacy impact points and options for controls that could be built into those points. At the end of this, you will have several options for how data protection can be built into any system or process. Talk to your business owners and technological team to identify what will work best for your organization; keep it simple, and select those that will have the least negative impact on people involved in the process.
Once you have built your solution, be sure to test your controls. Perform a small pilot to ensure that what you have built controls what you intended it to control before rolling it out on a larger scale. Measure how the controls have reduced risk and how successful your PbD solution is in solving your problem. And as always, continually monitor and test to ensure that risks stay reduced and that the solution continues to be sufficient for your organization, and to identify opportunities for improvement and modification.
Deidre Rodriguez, CIPP/US, has actively been working in privacy compliance for 10 years, including policy development, incident response, advisory support and strategic planning. Currently, Deidre is the director of the Corporate Privacy Office and Regulatory Oversight for WellPoint, Inc.