Privacy by Design
Regulators, business leaders, and technologists all agree – an organization’s privacy efforts cannot be solely assured by compliance with regulations; privacy must become the default mode of an operation.
Privacy by Design: A Risk-Management Solution
Privacy by Design builds on the premise that privacy should be embedded into the design, operation, and management of IT systems, networks, and business practices in order to prevent privacy vulnerabilities and the potential for irreparable financial and reputational harm.
Originally developed by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Privacy by Design is now law under the EU’s General Data Protection Regulation (GDPR) and globally recognized as an ISO standard being developed by ISO/PC 317 Committee for Consumer Protection: Privacy by Design Consumer Goods and Services.
Privacy by Design is structured around 7 Foundational Principles, which exist as a baseline for robust data protection.
- Proactive not Reactive: Privacy by Design anticipates risks and prevents privacy invasive events before they happen.
- Privacy as the Default Setting: Personal data should be automatically protected – no action is needed by the user to protect their privacy – it is built into the system.
- Privacy Embedded into Design: Privacy is embedded into the design and architecture of IT systems, and becomes part of the core functionality of the product, service or process.
- Positive Sum, Not Zero Sum: Privacy by Design avoids the false idea of trade-offs between privacy and security, showcasing that it is possible to have both.
- End-to-End Security: Privacy by Design embeds security into the system from the start, ensuring cradle-to-grave secure lifecycle management of information.
- Visibility and Transparency: Privacy by Design ensures operational execution aligns with policies. The end-user should know which data is collected, and for what purpose.
- Respect for User Privacy: Privacy by Design develops trust by choosing user-centric measures - strong privacy defaults, appropriate notice, and empowering user-friendly options.
Compliance with Privacy by Design allows an organization to achieve a “defensible” position. A Privacy by Design Certification demonstrates an organization’s proactive, risk-based approach to achieving compliance and building a true due-diligence defence in the event of a privacy breach, investigation and/or complaint.
Two-Step Process to Achieving Best-In-Class Privacy Standard
Obtaining a Privacy by Design Certification is a two-step process:
1. Assessment. Taking a holistic, risk-based approach, KPMG assesses an organization’s product, service, process or system using an assessment methodology structured around the 7 Foundational Principles of Privacy by Design, international privacy legal requirements (e.g. GDPR), privacy and security standards, and industry best practices.
The assessment is conducted through a set of interviews with key stakeholders and a review of documentation. An organization’s current privacy controls and information handling practices are reviewed to assess whether the organization meets the applicable criteria.
KPMG issues a Privacy by Design Assessment Report revealing a current state ‘snapshot’ of an organization’s privacy posture along with a roadmap that identifies gap remediations. Once the organization achieves a ‘clean’ report, without any gaps or deficiencies, it can proceed to Step Two of the certification process.
2. Certification. An organization is eligible to be assessed by PECB MS, a third party certification body, which reviews KPMG’s Privacy by Design Assessment Report. If satisfied on its own criteria, PECB MS will issue a Privacy by Design Certification Seal for the organization’s product, service, process or system. The Certification Seal can be displayed on the company product offering for three years, provided that it continues to meet the obligations under Privacy by Design through PECB MS’ attestation process (to ensure against material changes).
Implement the Solution; Obtain the Results
Obtaining a Privacy by Design Certification, as a risk-based solution, leads to positive results. Privacy by Design certification serves as a valuable tool to achieve a “defensible position” and demonstrate a proactive risk-based approach to minimize risk and achieve compliance. It also serves as a competitive advantage in earning consumer trust and loyalty with new technologies, services, or processes.