Dear Reader,
I’m so happy that your interest in promoting privacy has led you to here. Before we go any deeper on what “privacy by design” is, it’s important to rewind understand why we are here in the first place.
Privacy is essential to our future
Privacy provides protection for our personal information. It gives us autonomy, an ability to make decisions about how it is used and shared. It allows us to exercise our fundamental rights and freedoms.
Without privacy, individuals and communities are subjected to surveillance, tracking and manipulation. In turn, these lead to oppression, discrimination and the abuse of power.
With privacy, we are free to innovate, create and support diversity by allowing people to explore, experiment and express themselves without fear.
It’s clear that (a lack of) privacy is key factor in our quality of life. Therefore, as technology continues to advance and shape our lives, it is of paramount importance that we prioritise privacy as a fundamental value and work to safeguard it through legal, technological and social means.
Privacy is everyone’s responsibility
Every organisation is continuously collecting and processing personal information. It is the fundamental key to almost all operations.
As a responsible individual in your organisation, you have a responsibility to work towards safeguarding our privacy. This responsibility arises from several factors, including:
legal requirements,
ethical considerations, and
practical concerns related to maintaining trust and credibility with your customers and partners.
1. The Law
Your organisation has a legal obligation to protect personal information under the data protection regulations that apply to you. You must be aware of these legal requirements and take appropriate steps to ensure your compliance. The applicable regulations may come from locations other than your own, especially if you serve customers in other locations where their local regulations have an extra-territorial effect, such as EU customers and the General Data Protection Regulation (GDPR).
2. Ethics
Your organisation has a responsibility to protect personal information based on ethical principles and values, rather than just complying with legal requirements. This includes respecting the individual privacy rights of your customers, being transparent about your data collection and use practices and ensuring that use is only for legitimate purposes. While they are not always enforceable by law, your ethical obligations are set by community, societal and intdustry expectations, and as such they are subject to judgement and scrutiny by the general public. Failure to meet these expectations can significantly impact your organisation’s reputation, trust, and long-term success.
3. Trust
Your organisation must safeguard personal information in order to maintain trust and credibility with customers and partners. Mishandling and misusing personal information can harm your organisation's reputation, cause loss of business, and result in legal liability. High-profile data breaches in the news frequently demonstrate the erosion of trust that occurs as a consequence.
Privacy by design
When an organisation adopts privacy by design principles, it means that they design their products, services and processes considering privacy from the very beginning. This means incorporating privacy into every aspect and every phase of the lifecycle of activities and fundamental operations of the organisation.
Let’s consider a few scenarios. Just imagine…
…having to provide sensitive personal information regarding your health or finances, but the company doesn’t have appropriate controls in place to protect that information from unauthorised access and misuse, such as fraud or theft.
…wanting to use a service that collects information about you, but you can’t find any details about that information is being used or protected.
…providing your personal information to a company, only to later discover they sold it to third-party advertisers.
…seeking to exercise your privacy rights to the deletion of your personal information, but the service holding it doesn’t have a clear process for handling such a request.
…using a mobile app that needed access to your precise location, but there is no information about the app’s data collection practices.
Most of these should not be too far-fetched for your imagination, and many seem more likely if the others were true.
Now imagine if these organisations needed a “license to operate” personal data, meaning that they required a document as part of their overall strategy for ensuring privacy, demonstrating their compliance with relevant laws and regulations.
It all starts with your privacy policy
When an organisation implements privacy by design principles, the privacy policy becomes a committment to their customers and regulators, and a roadmap for their developers, designers and delivery teams.
More than just a legal requirement or statement of intent about the organisation’s data protection practices, a privacy policy is a key component of privacy by design.
It outlines the processes of collection, use, sharing and protection of personal information. It serves as an essential tool for transparency and accountability, providing customers with information about their privacy rights and helps to establish trust between the organisation and its customers, which is essential for maintaining a positive reputation and sustaining long-term success.
A well-crafted privacy policy reflects the values of your organisation and your commitment to data protection. It should explain in clear and concise language what information is being collected, why it is being collected, how it will be used and how it will be protected.
A clear and comprehensive privacy policy allows your organisation to ensure that privacy considerations are part of your products, services and processes from the outset. This helps you to identify and address privacy risks earlier and reduce the risk of costly and damaging data breaches and privacy violations. It will also help to build trust with your customers and partners, who are increasingly aware of the importance of data protection. They are more likely to engage with organisations that prioritise privacy.
In Privacy by Design: The Practitioner’s Handbook we will together examine every aspect of the principles you must incorporate in order to obtain and maintain your licence to operate personal data.