How Startups Can Implement Privacy by Design

In their rush to market their products or services, many startups inadvertently overlook potential legal obligations. For startups, overlooking privacy and data protection could be extremely costly.

This article was originally published on UpCounsel by UpCounsel privacy attorney Michael Witt.


In their rush to market their products or services, many startups inadvertently overlook potential legal obligations. For startups, overlooking privacy and data protection could be extremely costly. These costs could arise from system redesign and development activities and from fines, particularly under the European Union’s new General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. Fines under the GDPR may reach as high as 4% of global revenue or $20 million in situations in which the breached entity has ignored its privacy obligations.

To avoid such penalties, startups should implement “privacy by default” (or privacy by design) from the outset. This is a specific requirement of the GDPR, but it should be combined with all other legal, contractual and voluntary obligations, such as ISO and other frameworks.

1. Compliance Risk Assessment

The first step is a compliance risk assessment: it determines how critical each obligation is and sets the priorities that drive the actions that follow.

2. Privacy Impact Assessment

The compliance risk assessment is focused on the information security of the organization. A Data Protection Impact Assessment (DPIA) is additionally required to assess the potential risks to the “rights and freedoms” of the covered data subjects as their data is processed by the startup. The DPIA’s requirements and nuances are addressed in Article 35 of the GDPR and Working Paper 29.

3. Privacy by Default Architecture

After understanding the potential privacy risks inherent in the data processing, the system should be designed to minimize the data collected, delete data when it is no longer required for its original purpose, give data subjects access to their data, and give individuals control over how much data is shared with other organizations. The design principle in each of these areas should be construed to maximize the data subject’s privacy, not the processor’s anticipated benefit. Decisions, rationale, and resulting actions should be documented and maintained for each system so they can be revisited as part of the required DPIA process.
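As an added illustration of these four design principles (not code from the article or from UpCounsel), here is a minimal purpose-bound record store in Python: collection is refused for fields a purpose does not need, records expire with their purpose, subjects can export what is held about them, and sharing is off unless the subject turns it on. The purpose registry, retention periods, start date and subject identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed purpose registry (an assumption for this example): the fields each
# purpose actually needs and how long they may be kept. Real entries come from the DPIA.
PURPOSES = {
    "order_fulfilment": {"fields": {"email", "shipping_address"}, "retention": timedelta(days=90)},
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365)},
}

class Clock:  # injectable time source so retention can be exercised without waiting
    def __init__(self):
        self.t = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed start date
    def advance(self, days):
        self.t += timedelta(days=days)

@dataclass
class SubjectRecord:
    subject_id: str
    purpose: str
    data: dict
    collected_at: datetime
    shared: bool = False  # privacy by default: sharing is opt-in, never pre-ticked

class PrivacyStore:
    def __init__(self, clock):
        self.clock, self._records = clock, []
    def collect(self, subject_id, purpose, data):
        # Minimisation: refuse any field the declared purpose does not need.
        extra = set(data) - PURPOSES[purpose]["fields"]
        if extra:
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        rec = SubjectRecord(subject_id, purpose, dict(data), self.clock.t)
        self._records.append(rec)
        return rec
    def purge_expired(self):
        # Retention: drop records older than their purpose allows; return how many went.
        now = self.clock.t
        keep = [r for r in self._records if now - r.collected_at < PURPOSES[r.purpose]["retention"]]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed
    def export_for_subject(self, subject_id):
        # Subject access: everything held about one person, with purpose and sharing state.
        return [{"purpose": r.purpose, "data": dict(r.data), "shared": r.shared}
                for r in self._records if r.subject_id == subject_id]
    def set_sharing(self, subject_id, purpose, allowed):
        # Sharing control: only the subject's own choice flips the flag, per purpose.
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose:
                r.shared = allowed
```

Running `purge_expired` on a schedule, and logging what it removed, gives the documented evidence the DPIA review asks for.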

4. Assignment of Responsibilities

Data privacy programs typically fail for two reasons: 1) lack of executive support, or 2) missing risk ownership. The policies should be structured to clearly assign responsibilities and communicate that data subject privacy is everyone’s responsibility. This begins at the Board and executive level, and this “tone at the top” should permeate down to all levels of the organization. The privacy risks identified in the DPIA should have clearly assigned owners who mitigate and monitor those risks. Accountability should be distributed across the organization where it makes the most sense; it cannot lie with IT, Legal, or HR alone.

5. Privacy Safeguards

To support the “privacy by design” architecture, controllers and processors must identify the appropriate administrative and technical safeguards to implement. These should first be reduced to policies and other process documentation appropriate for the organization’s size and scope of processing. The policies should outline management’s intent to implement, monitor, and enforce the privacy safeguards.

6. Technical Safeguards

Article 32 requires the controller and processor to implement “appropriate technical measures” in proportion to the risk. Common technologies used to protect privacy include tools that:

  • Map data flows
  • Map devices and networks
  • Identify and track assets
  • Control access
  • Secure the network perimeter
  • Encrypt data in-transit and at-rest
  • Secure servers and endpoints
  • Identify malware
  • Prevent data leakage and exfiltration
  • Log and aggregate security incidents
  • Restore the availability and access to personal data
  • Manage the consent lifecycle

7. Training

All users should be appropriately trained based on their role and potential access to data. This training should be conducted at the time of hire and reinforced continually thereafter. Training content should focus specifically on the controller’s system, the implemented safeguards, and data subjects’ privacy risks.

8. Monitoring

Privacy by design cannot be sustained without a process for regularly testing, assessing and evaluating the effectiveness of the privacy safeguards. A monitoring plan should be developed to ensure the continuous security of the data processing. The plan should include the scope, methods, roles, frequency, and reporting or escalation procedures. Implementing and executing the monitoring plan provides continuous improvement of the privacy safeguards. The risk owner and other stakeholders should collaborate to determine whether any external notification is required.

9. Remediation

Monitoring results need to be analyzed to determine the root cause of any deficiency. Once analyzed, remedial actions should be developed, communicated, implemented, and documented. Remediation should be tested to ensure it fully addresses the identified risk.

10. Reporting

Each step of the privacy program should be documented and reported to appropriate internal and external stakeholders. Specific thresholds should be identified for escalation procedures. It is advisable to have a regular independent review of the program to ensure adequacy.

11. Where to Begin

Implementing privacy by design should be viewed as an organization-wide process. Establish a cross-functional governance structure to educate key stakeholders, including the Board. This body should drive the privacy program to ensure its success and continued operation. Privacy professionals should be consulted where the organization lacks clarity or requires assistance in program design. Developing a data privacy program under the auspices of legal counsel establishes a relationship with a trusted legal counselor and better prepares the startup for future incident response, breach notification, and potential litigation.

Build Thoughtful Software

Written by Fahad Shoukat

Fahad has a B.S. in Electrical Engineering and an MBA. He brings more than 15 years in Business Development, Strategy, Sales, Product, and Marketing in industries such as software development and the Internet of Things (IoT). His experiences have led him on an unwavering pursuit to meet thoughtful people and build thoughtful software.