Data & Privacy - Privacy Transformation

Privacy by Design and by Default

Data privacy is key to any business due to regulations, such as the GDPR. Implementing the Privacy by Design and by Default principles in systems at an early stage can prevent subsequent problems and costly re-design.

Challenges

New technology? Legacy systems? Personal data is everywhere – how should you ensure privacy?

Regulatory expectations, such as the GDPR, are increasing the pressure on companies to place privacy considerations at the center of their decision-making and strategic process implementation, but it is also important to consider privacy in the development and implementation of technical solutions.

Common challenges in this area are as follows:

  • Privacy has not been considered properly at the various stages when designing and developing new systems. As a result, problems may arise that could prove substantially costly, allow key risk areas to go unnoticed or otherwise cause the organization not to have the regulatory or technical functionality expected of a modern business, which will affect its reputation and put it at risk of large fines.
  • Existing systems or legacy systems were designed at a time when there was less (or no) focus on data privacy and were built accordingly. As such, they may lack features such as deletion, anonymisation of data and distinct data extraction, and they may run on vulnerable infrastructure.

  • Most businesses are undergoing digital transformations relying on applications and (personal) data for their operations. However, do your developers know exactly what to be aware of? The complexity of expected privacy settings can often turn into a business risk. Are matters such as pseudonymisation, encryption of data in transit and at rest, and the effect of processing activities properly assessed?

  • Data Protection Impact Assessments (DPIAs) are a key mechanism in managing privacy risks when developing new systems and processes. Knowing when to employ them, and which questions to ask within them, is key to managing potential high-risk activities, employing appropriate mitigating measures and securing data subjects’ rights.

At Deloitte, we understand how these problems can affect a business, and we have in-depth knowledge and experience of making business processes and IT solutions comply with regulations, fulfill obligations towards stakeholders and protect data while being considerate of business needs.

Our approach

Deloitte offers a holistic range of tailored solutions to ensure that Privacy by Design and by Default measures mitigate privacy risks within your business while meeting the obligations expected towards citizens, customers and other stakeholders in a manner that minimises the day-to-day privacy strain on the business.

Deloitte offers a wide range of services relating to Privacy by Design and by Default:

  1. Ongoing assurance relating to new systems

    By actively participating in all phases of a transition to new systems, from planning to implementation, you can rest assured that all privacy-related issues will be duly raised, with tailored solutions designed to prevent unpleasant surprises from occurring in the future.

  2. Advice on existing systems (Privacy by Re-Design)

    By assessing the current state of existing or outdated systems, Deloitte is able to provide your business with a gap analysis and outline which improvement measures would be best to take. We are also available at the subsequent steps for developing and implementing improvements, and for discussing solutions with suppliers.

  3. Development and Training

    Through close cooperation with developers, architects, and project managers, training will be provided to identify and handle privacy situations that may arise from either the upgrade of older systems, or the implementation of new ones.

  4. DPIA

    Deloitte is able to prepare a customised DPIA for the consideration of high-risk processing activities, for example where a processing activity uses sensitive personal data.

  5. Privacy Enhancing Technologies (PETs)

    Deloitte is able to select and assist in implementing technologies that protect personal data through techniques such as anonymisation, encryption, data masking, access management and the like.

Why Deloitte?

Awarded market leaders

We strive to continuously lead the market in the area of cyber risk and security services. We are awarded and acknowledged by some of the most renowned institutions within the area of cyber, e.g. Gartner, ALM Intelligence and Forrester. In 2020, we were named global leader in Security Consulting Services for the 9th year in a row by Gartner.

Leading-edge technologies

We are committed to investing in innovation and emerging technologies to ensure that we are equipped with the latest tools to solve current and future challenges for our clients. Alliances with market-leading cyber vendors and groundbreaking startups around the world offer our clients access to a wide range of cyber-risk technologies and leading-edge technology innovation.

Global intelligence delivered locally

We have the largest professional services network in the world. Diversity across our cyber teams helps us work across the globe with a local and personal lens. We have over 8,600 dedicated cyber-risk service practitioners of which 1,300 are dedicated to Europe and the Middle East alone, ready to help our clients everywhere with any challenge.

End-to-end cyber-risk services

We cover every aspect of cyber risk — from advisory and implementation of strategic transformations to managed security services, product solutions and incident management. This enables us to deliver more resilient and silo-breaking solutions, taking the whole business chain into account. This helps our clients to leverage their potential and growth even more.

Reach out

If you require best-in-class service in relation to Data Protection by Design and by Default principles, please get in touch with one of our teams today.

We have the legal, business analytical and IT engineering capabilities required to minimise privacy risks in digital projects.

Tommaso Di Carlo

Senior Manager