Kabir Barday, the Chief Executive Officer of OneTrust, took to the stage at GDPR Summit London on January 30th to discuss operationalising GDPR and privacy by design.
Privacy by design as a concept was first defined in Canada by Ann Cavoukian, information and privacy commissioner of Ontario from 1997 right up to 2014.
The idea is that privacy forms a core part of a product or service, rather than being a bolt-on extra. The GDPR regulation builds upon the concept pioneered by Ms Cavoukian.
The regulation requires that:
• Privacy protection is built into products throughout their lifecycle rather than as an afterthought.
• The necessary safeguards are integrated.
• The risks of products are assessed and steps are taken to safeguard against them.
• The most protective setting is the default.
• Only what is necessary is processed.
In his talk, Kabir highlighted how GDPR puts emphasis on default for the most protective setting.
He then turned to the process of getting organised for GDPR, listing ten steps:
• Firstly, identify what data you already have, meaning know your data, your lists, vendors, and processes that you currently apply.
• Secondly, determine what you need.
• Thirdly, fill in the gaps, meaning the difference between what you have and what you need. He said you need to assess readiness, update DPIAs (data protection impact assessments), map data, scan websites and then update privacy notices, facilitate data subject rights, manage contacts, assess vendors and assess contacts.
• Fourthly, identify triggers and embed privacy. He said that different business teams have different ways of working, so understand this and integrate with them.
• Fifthly, avoid jargon, remembering that business users don’t necessarily understand the terms that privacy or compliance officers use all the time.
• Number six, carry out a threshold assessment to determine whether there is a high risk to individuals and then, where a high risk is identified, carry out a DPIA.
• Seven, keep things current by auditing what has changed, carrying out ongoing assessments of vendors, and applying automatic scanning tools.
• Eight, figure out staffing. He suggested appointing privacy champions in HR, engineering, marketing, sales and finance.
• Nine, generate valuable reports and metrics, monitor them and report findings to the product team, executives, the board and regulators.
• Finally, re-assess constantly and then improve.
That’s quite the list, but then no one said that privacy by design was easy.
To find out more about GDPR Summit London, visit the website.