“Privacy by design” is a powerful concept, but what does it actually look like in action?
The privacy by design framework was developed by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, beginning in the mid-1990s, and its seven foundational principles were formally published in 2009. It has since become an internationally recognized best practice, and the General Data Protection Regulation (GDPR) codifies the closely related obligation of “data protection by design and by default” in Article 25. With these credentials it is no wonder the framework has become so popular in privacy communities, yet fifteen years after publication many organizations still struggle to embed its principles effectively across their operations.
Read on to learn more about the foundations of privacy by design and how today’s privacy practitioners are successfully implementing the framework.
What is privacy by design?
The privacy by design framework lists seven foundational principles:
- Proactive not reactive; preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality — positive-sum, not zero-sum
- End-to-end security — full lifecycle protection
- Visibility and transparency
- Respect for user privacy
Taken together, these principles direct organizations to design systems with privacy in mind from the beginning, to offer users the strongest privacy protections practical by default, and to align security work with privacy goals. Each of these concepts sounds great to a privacy professional, but building buy-in internally, especially in an organization not subject to GDPR, can be another matter.
We connected with our community to hear from privacy practitioners how they are moving privacy by design from a theoretical ideal to a practical reality in their organizations.
The Ethics of Privacy by Design
Some privacy professionals evangelize privacy by design by focusing on the heart of the matter. Take Mohit Palriwal, Senior Software Engineer at Netflix:
Privacy is a fundamental human right that must be respected. I advocate for transparency in data practices to build trust and ensure accountability. We embed privacy considerations into systems from the start. Balancing innovation with privacy demonstrates that robust data protection can coexist with business growth. I urge organizations to go beyond compliance and adopt a principled approach to handling personal information.
Privacy by Design as a Revenue Driver
Privacy by design isn’t important exclusively because it’s the right thing to do. Strong data privacy also builds consumer trust, attracting and retaining more customers. As privacy laws gain more visibility, consumers increasingly expect and assume privacy from the products and services they interact with. Brands that fail to meet these expectations risk damaging their reputation.
Ian Van Heyst, VP of IT Security & Data Privacy at FirstService Corp, adds:
Putting customer experience and trust foremost gets more buy-in from peers and leadership than just citing regulatory compliance.
Preston Byargeon, Principal Security Analyst II at Qualtrics, highlights the strategic importance of privacy in securing new customers:
Privacy and compliance open doors for large-scale customers. Building privacy into our design is a best practice to deliver the high-quality services that our customers expect.
Privacy by Design is Operationally Efficient
Privacy regulations are constantly changing. New state privacy laws are introduced every year, existing laws are continuously amended, and newly adopted technologies such as AI and biometric tracking are attracting legislation of their own. Striving for minimum compliance in every region separately isn’t scalable: it demands ongoing, customized work to meet each jurisdiction’s evolving requirements. It is far more efficient to build your business around the principles of privacy by design from the start, so that a new or amended law requires an adjustment rather than a redesign.
Kacee Taylor, Head of Privacy and Compliance at Vercel, states simply:
Integrating privacy by design principles into business operations, including the software development lifecycle, increases operational efficiency and mitigates risk. It is a proactive, preventative approach that brings internal stakeholders along for the journey and considers privacy as the default when building core functionality.
This is especially true for organizations operating in complex regulatory landscapes. Yasmin Gamboa, Associate General Counsel and Privacy Officer at PresenceLearning, advises:
By implementing privacy by design, we ensure that privacy safeguards are integrated at the inception of new technologies and processes rather than retrofitted later. A privacy-first mindset isn’t just about compliance; it’s about cultivating trust in a world where regulations evolve faster than the latest tech trends. In both EdTech and HealthTech, a proactive approach to privacy allows us to stay nimble, adaptive, and ahead of the curve, all while maintaining the confidence of those who matter most—our users.
Putting Privacy by Design into Action
Conceptual buy-in is only the first step; your team will need a privacy leader’s support to put privacy by design into practice. Gregg Dessen, who currently serves as the Head of Product: Privacy, Security & Compliance at Rakuten Rewards, breaks this process down into four steps:
- Keep Product informed on privacy. Work with Legal and policy assessment partners to interpret how new regulations may impact your business and keep product development teams regularly and promptly informed.
- Maintain broad visibility. Extend privacy education beyond product development teams (for example, executives and other leaders) to ensure organizational understanding of the privacy landscape and solicit inputs for critical, complex decisions that may impact the business.
- Document the data lifecycle. Partner with Product, Engineering, and other data stakeholders to audit and document the full user data lifecycle within your products, features, and systems. This should include practices of data collection, storage, use, sharing, retention, and deletion. Seek to understand the business purposes and rationales behind these decisions, differentiating intentional vs. incidental data structures.
- Refresh often. Conduct regular reviews across Product teams to ensure that the sanctity of regulatory compliance and user best interests are not compromised. It’s helpful to conduct reviews early and toward the end of product development, but also recommended to revisit every 6-12 months.
How are you making privacy by design a reality at your workplace? Join the discussion in our private Slack community, Privacy Basecamp.