Dentons Privacy Community does Privacy by Design

We held a Dentons Privacy Community webinar on 10 June about “Embedding privacy by design and default into a compliance programme”. We had a great panel discussion and wanted to share a summary of key takeaways from the session.

Where do you start with Privacy by Design and Default?

  • Prepare carefully: you need to know your business and its products well
  • Connect with your C-Suite; the leadership needs to know you as DPO and why privacy by design is key to customer trust and avoiding bad PR, fines, claims and expensive retro-fitting. The right tone at the top is essential
  • Spread the word via a network of Privacy Champions – they are your “eyes and ears” and can filter and identify issues that may need a DPIA
  • Get ready to evangelize privacy across your organisation: sell the need for privacy by design in town halls and internal communications. Get the message out

How do you operationalise a DPIA?

  • No “secret sauce” or single template
  • Keep it simple! Avoid over-complex templates. If it is too complex, you and the business won’t use it
  • Consider using only a few basic questions as a DPIA starter, and then expand during the process as needed based on complexity and risks
  • There needs to be a “trigger” to activate the DPIA; you could embed this in the SDLC, agile software or procurement process
  • Structure DPIA forms to channel the user to relevant questions / eliminate requests for irrelevant information
  • Identifying pure business changes is harder: rely on the Privacy Champions to help identify this as needing a DPIA or data privacy input
  • Consider third party DPIA tools – but they will need customisation and road testing
  • Consider embedding Legitimate Interests Assessments within DPIA
  • Decide whether to make your language GDPR-based (e.g. talking about DPIAs) or more global (e.g. talking about privacy assessments). Consider how best to get buy-in
  • Bake in privacy controls to the product development lifecycle

How do you manage the Privacy Champion network?

  • Ensure proper training is in place with regular meetings and input from the Privacy Champions
  • Tie into HR appraisals, rewards and objectives
  • Set limits on the commitments required of Privacy Champions so the role is not over-burdensome
  • Consider a “proximity approach”: assess the right number of privacy champions and sub-delegation to more operational staff
  • Consider data custodians and system owners who are responsible for specific data processing activities – they work with the Privacy Champions

How does local culture affect this?

  • Take account of cultural approaches: there are differences within EU and across US States and other jurisdictions
  • Consider whether you apply GDPR globally as starting point. Many deploy more region-specific frameworks