Privacy by Design
In their rush to bring products or services to market, many startups inadvertently overlook potential legal obligations. For startups, overlooking privacy and data protection could be extremely costly. These costs could arise from system redesign and development work and from fines, particularly under the European Union’s new General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. Fines under the GDPR may reach as high as 4% of global revenue or $20 million in situations in which the breached entity has ignored its privacy obligations.
To avoid such penalties, startups should seek to implement “privacy by default” (or design) from the outset. This is a specific requirement of the GDPR, but should be combined with all other legal, contractual and voluntary obligations like ISO and other frameworks.
1. Compliance Risk Assessment
The first step is essentially a compliance risk assessment to determine criticality and prioritizations to drive future action.
2. Privacy Impact Assessment
The compliance risk assessment is focused on the information security of the organization. A Data Protection Impact Assessment (DPIA) is required to assess the potential risks to the “rights and freedoms” of the covered data subjects as their data is processed by the startup. The DPIA’s requirements and nuances are addressed in Article 35 of the GDPR and Working Paper 29.
3. Privacy by Default Architecture
After understanding the potential privacy risks inherent in the data processing, the system should be designed to minimize the data collected, delete data when no longer required for its original purpose, give access to the data subject, and give individuals control over how much data is shared with other organizations. The design principle in each of these areas should be construed to maximize the data subject’s privacy, not the processor’s anticipated benefit. Decisions, rationale, and resulting actions should be documented and maintained for each system to be revisited as part of the required DPIA process.
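As an added illustration of the four architectural principles above (not code from the original article), the following Python sketch binds each record to the purpose it was collected for: collection keeps only the attributes that purpose allows, a purge routine deletes records once the purpose’s retention period has elapsed, a subject-access function returns everything held about one person, and data is released to a partner only where that person has consented. The purpose policy, field names and sample values are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical per-purpose policy: which attributes a purpose may collect and how long it may keep them.
PURPOSE_POLICY = {
    "order_fulfilment": {"allowed": {"name", "address"}, "retention": timedelta(days=90)},
    "newsletter": {"allowed": {"email"}, "retention": timedelta(days=365)},
}

@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str                 # the original purpose the data was collected for
    fields: dict                 # only the attributes that purpose needs
    collected_at: datetime
    share_consent: set = field(default_factory=set)  # partners the subject has allowed

def collect(subject_id, purpose, submitted, now):
    """Minimise: store only the attributes the stated purpose is allowed to use."""
    allowed = PURPOSE_POLICY[purpose]["allowed"]
    return PersonalRecord(subject_id, purpose, {k: v for k, v in submitted.items() if k in allowed}, now)

def purge_expired(store, now):
    """Delete records whose purpose-bound retention period has elapsed; return the count removed."""
    expired = [r for r in store if now - r.collected_at > PURPOSE_POLICY[r.purpose]["retention"]]
    store[:] = [r for r in store if r not in expired]
    return len(expired)

def subject_access(store, subject_id):
    """Right of access: everything still held about one subject, grouped by purpose."""
    return {r.purpose: dict(r.fields) for r in store if r.subject_id == subject_id}

def share_with(store, subject_id, partner):
    """Release data to a partner only where the subject has consented to that partner."""
    return [dict(r.fields) for r in store if r.subject_id == subject_id and partner in r.share_consent]

def demo():
    """Constructed walk-through of the four controls; returns the results so they can be checked."""
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    submitted = {"name": "A. Subject", "address": "1 Example St", "email": "a@example.test", "dob": "1980-01-01"}
    order = collect("s1", "order_fulfilment", submitted, now - timedelta(days=120))  # past 90-day retention
    news = collect("s1", "newsletter", submitted, now - timedelta(days=10))
    news.share_consent.add("mail-partner")
    store = [order, news]
    before = subject_access(store, "s1")
    deleted = purge_expired(store, now)
    return {"before": before, "deleted": deleted, "after": subject_access(store, "s1"),
            "shared": share_with(store, "s1", "mail-partner"),
            "not_shared": share_with(store, "s1", "ad-broker")}
```

The "dob" field is never stored because no purpose declares it, and the order record disappears on purge while the newsletter record remains available to the subject and to the one consented partner.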
4. Assignment of Responsibilities
Data privacy programs typically fail for two reasons: 1) lack of executive support, or 2) missing risk ownership. The policies should be structured to clearly assign responsibilities and communicate that data subject privacy is everyone’s responsibility. This begins at the Board and executive level, and this “tone at the top” should permeate down to all levels of the organization. The privacy risks identified in the DPIA should have owners clearly assigned to mitigate and monitor those risks. Accountability should be distributed across the organization where it makes the most sense. It cannot lie with IT, Legal, or HR alone.
5. Privacy Safeguards
To support the “privacy by design” architecture, controllers and processors must identify the appropriate administrative and technical safeguards to implement. These should first be reduced to policies and other process documentation appropriate for the organization’s size and scope of processing. The policies should outline management’s intent to implement, monitor, and enforce the privacy safeguards.
6. Technical Safeguards
Article 32 requires the controller and processor to implement “appropriate technical measures” commensurate with the risk. Common technologies used to protect privacy include tools that:
Map data flows
Map devices and networks
Identify and track assets
Secure the network perimeter
Encrypt data in-transit and at-rest
Secure servers and endpoints
Prevent data leakage and exfiltration
Log and aggregate security incidents
Restore the availability and access to personal data
Manage the consent lifecycle
7. Training
All users should be appropriately trained based on their role and potential access to data. This training should be conducted at the time of hire and continually reinforced thereafter. Training content should specifically focus on the controller’s system, implemented safeguards, and data subjects’ privacy risks.
8. Monitoring
Privacy by design cannot be sustained without a process for regularly testing, assessing and evaluating the effectiveness of the privacy safeguards. A monitoring plan should be developed to ensure continuous security of the data processing. The plan should include the scope, methods, roles, frequency, and reporting or escalation procedures. Implement and execute the monitoring plan to provide continuous improvement of the privacy safeguards. The risk owner and other stakeholders should collaborate to determine whether any external notification is required.
9. Remediation
Monitoring results need to be analyzed to determine the root cause of any deficiency. Once analyzed, remedial actions should be developed, communicated, implemented, and documented. Remediation should be tested to ensure it fully addresses the identified risk.
10. Documentation and Reporting
Each step of the privacy program should be documented and reported to appropriate internal and external stakeholders. Specific thresholds should be identified for escalation procedures. It is advisable to have a regular independent review of the program to ensure adequacy.
11. Where to Begin
Implementing privacy by design should be viewed as an organization-wide process. Establish a cross-functional governance structure to educate key stakeholders, including the Board. This body should drive the privacy program to ensure its success and continued operation. Privacy professionals should be consulted where the organization lacks clarity or requires assistance in program design. Developing a data privacy program under the auspices of legal counsel establishes a relationship with a trusted legal counselor and better prepares the startup for future incident response, breach notification, and potential litigation.