Privacy by Design | Risk | Deloitte


Privacy by Design

An important business enabler  

Privacy and data protection rules tend to be seen only as compliance hurdles, but when “engineered” into the fabric of the business they can significantly improve customer trust and boost revenues.

By Annika Sponselee, Data Privacy and Cyber Partner, Risk Advisory, Deloitte

Collecting, managing and using personal data effectively and legally is essential for all organisations and an important factor in their commercial success.

Recent technological advances mean that organisations have access to more data than ever before. This data is now much more valuable and should definitely be used. Just imagine the potential with all the technological advances still to come!

Data is the bedrock of commercial endeavour. With the right data, organisations can understand their data better, provide tailored services and generate more profit. However, extracting value from data is fraught with pitfalls. The biggest is failing to comply with privacy and data protection requirements. A large-scale violation of privacy through the misuse, loss or breach of data will result in widespread loss of trust and a number of other serious commercial, reputational, legal and regulatory consequences.

The EU’s General Data Protection Regulation (GDPR) was introduced in 2018 and applies not only to EU organisations but also to non-EU organisations if they process the data of people living in the EU. With its strict rules and tough sanctions it has heightened awareness globally of the need to respect privacy and protect personal data.



Privacy Transformation

So how do you monetise data (personal data) while taking into account privacy and data protection rules? The answer is to ensure transformation into a “privacy resilient” organisation. That is the only way to strive towards compliance, wherever in the world your organisation is located. It means, among other things, adopting “privacy by design”, whereby privacy and data protection are “designed” or “engineered” into every aspect of an organisation’s processes.

Before embarking on the transformational journey, define a privacy strategy and your target state, and only then set about plugging the gaps, so that the journey is approached in a risk-based, pragmatic way in line with the strategy and vision of the organisation.

The journey itself must start by integrating the principle of privacy by design into all aspects of the organisation that touch personal or sensitive data. This should include embedding privacy policies and processes, together with an understanding of how privacy technologies can provide operational efficiencies that support ongoing compliance.

Developing a privacy target operating model is a key activity to help define how the organisation moves towards privacy resilience and sustainability encompassing people, processes, policies and technology.

Other stages on the journey include setting requirements for data protection technologies, incident management, privacy assurance, data management, data subject and marketing management, third-party management, privacy ethics and data innovation, staff training and cultural change.

Once the transformation has begun and its activities are embedded in business-as-usual operations, the benefits will flow and privacy will become an enabler. Organisations will notice the benefits of improved privacy risk management, greater resilience to data breaches and losses, cost-effective privacy processes, future-proofing against new regulations and technologies, and brand protection, to mention a few. These outcomes need to be constantly assessed and improved, because privacy transformation is not a one-off activity but a process of continuous improvement that must adjust to an evolving organisational business model and the ever-changing regulatory landscape.

Privacy transformation is not a new concept. Since GDPR was first mooted, there has been a significant increase in privacy transformation activities, and our expertise on the matter has been in great demand. Typically we see Chief Privacy Officers (CPOs) and Data Protection Officers (DPOs) in the EU enlist the support of their executive management and board. It is important that business leaders such as the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Data Officer (CDO) and Chief Compliance Officer (CCO) know the importance of respecting privacy and protecting personal data, while at the same time making use of the valuable personal data. The best way of doing this is to adopt a privacy by design approach.



Privacy Transformation - practical implementation

That is the theory. What about the practice? In simple terms, there are three key elements to a successful privacy strategy transformation.

Firstly, identify the gaps in your privacy management. These can exist in any of the various stages, or domains, outlined above. For example, the GDPR data retention rule says you cannot store data any longer than necessary for the purpose intended, yet many companies keep most of it indefinitely or for a fixed period. GDPR also requires companies to know exactly where every piece of data is stored, but many companies have only limited visibility of where their data is and how to manage it.

Secondly, commit to plugging those gaps by creating a privacy transformation programme, the key part of which should be embedding a privacy by design approach to avoid gaps when managing privacy across the organisation.

Finally, execute the programme, actively close gaps as they are identified, and keep reviewing and refining on an ongoing basis.

If you follow these steps, your organisation will have tremendous insight into the data it processes and the ways in which such data can be used and monetised in line with privacy and data protection compliance. It will minimise the risks – the risks of data breaches, loss of customer trust, reputational damage, regulatory censure and revenue loss. Just as importantly, individuals’ confidence and trust in your organisation will increase, the brand will strengthen and opportunities for growth and development will materialise.


More Information

For more information about this subject please do not hesitate to contact Annika Sponselee via the contact details below.