Privacy By Design – Starting Steps
The following steps will help your business start its privacy by design program with minimal impact on your current operations.
Keeping up with your business’ day-to-day needs is stressful and time-consuming. Unfortunately, not many small business owners have the time, energy or resources to learn the nuances of data regulations such as the General Data Protection Regulation (GDPR).
You need to comply with the laws to keep your business thriving. Still, you can’t fully devote yourself to learning the regulations, and candidly, you don’t have time to put every best practice recommendation into place.
If this sounds like you, or your business, this post will help you feel at ease with starting your company’s progress with privacy by design. Our goal is to give you practical steps to spend more time on the things you love, and less time worrying about data regulation fines that could cripple the company.
Privacy Impact Assessment
Privacy Impact Assessments are the best way to begin learning about how data regulations impact your business. Whether your company is a sole-proprietorship or you have 1,000+ employees, a Privacy Impact Assessment (PIA) will help you identify which laws apply to your business and where the risk points are within your data collection methods. Not only does this provide valuable insight into your data collection practices, it informs the systems you need to enter into your Data Inventory (#2 below).
Another added benefit for people in a compliance role at larger organizations is that PIAs allow you to get in front of colleagues you may not otherwise interact with during your day-to-day activities. By asking questions about their systems and data collection practices, you will learn about the risks, but you will also be seen as the go-to person for any questions that may come up regarding the data.
Establishing a PIA process will help keep your privacy by design program active and up-to-date.
Following a rollout of the first PIA you’ll want to start a process by which you can support any changes in the process or introduce new systems. This is most applicable to organizations that often change technology vendors or have rapid updates to their services and software.
There are multiple points in the Software Development Life Cycle (SDLC) to introduce the PIA. Depending on your organization’s structure the right step will vary. For example, some find it best to ask Product Managers to submit a PIA during the ideation/discovery phase.
In contrast, others find it best for the development team to submit it after the technical requirements are finalized. Both approaches have pros and cons so it’s important to understand the operational processes of your business.
Create a Data Inventory
Simply put, a Data Inventory is a list of all the systems, vendors, and places your company stores data. A data inventory is not only required under the GDPR’s Article 30 but is essential to maintaining compliant customer records.
At first, this may seem like a daunting task, but small businesses are at an advantage over large organizations. They often will have more direct access to the systems and the inventory is often more centralized.
The Inventory can be created in many ways. Some organizations choose to start with a data map, a more visual representation of how each data set relates to others. In this approach, you would start with a high-level touchpoint to collect information on your customers.
Let’s take your website as an example. From your website, customers can contact you via a web form, and they can also sign up for your newsletter. Each of these would be a line item on your data inventory.
Keeping data inventories accurate will enhance all elements of your privacy by design program.
Other organizations choose to look at each data process and determine the data inventory by collecting data. An example of this method would be to ask, “How do customers sign up for our email newsletter?” The data process would be called “EMAIL SIGN-UP”; then you would look at which system or vendor you use as your email marketing provider. This provider would then go into your data inventory as “EMAIL SIGN-UP VENDOR”.
Either method is a great starting point. The most important thing about data inventories is to make every best effort to capture each area where you collect data.
Privacy Impact Assessments help your organization define its Data Inventory. Privacy Policies are an internal playbook for your company’s data practices. Finally, Privacy Notices explain your data practices to your site’s users and consumers.
Taking these steps will help your organization instill privacy by design into the company’s culture.
Please reach out to us if you have any questions or need help setting up these best practices.