Top 3 Steps: Privacy By Design


Privacy By Design – Starting Steps


The following steps will help your business start its privacy by design program with minimal impact on your current operations.

Keeping up with your business’ day-to-day needs is stressful and time-consuming. Unfortunately, not many small business owners have the time, energy or resources to learn the nuances of data regulations such as the General Data Protection Regulation (GDPR).

You need to comply with the laws to keep your business thriving. Still, you can’t fully devote yourself to learning the regulations, and candidly, you don’t have time to put every best practice recommendation into place.

If this sounds like you, or your business, this post will help you feel at ease with starting your company’s progress with privacy by design. Our goal is to give you practical steps to spend more time on the things you love, and less time worrying about data regulation fines that could cripple the company.

Privacy Impact Assessment

Privacy Impact Assessments are the best way to begin learning how data regulations affect your business. Whether your company is a sole proprietorship or has 1,000+ employees, a Privacy Impact Assessment (PIA) will help you identify which laws apply to your business and where the risk points lie within your data collection methods. Not only does this provide valuable insight into your data collection practices, it also tells you which systems need to be entered into your Data Inventory (step #2 below).

Another benefit for people in a compliance role at larger organizations is that PIAs allow you to get in front of colleagues you may not otherwise interact with during your day-to-day activities. By asking questions about their systems and data collection practices, you will not only learn about the risks but also be seen as the go-to person for any questions that come up regarding the data.

Establishing a PIA process will help keep your privacy by design program active and up-to-date.

Following the rollout of the first PIA, you’ll want to set up a process for handling changes to existing systems and the introduction of new ones. This is most applicable to organizations that frequently change technology vendors or rapidly update their services and software.

There are multiple points in the Software Development Life Cycle (SDLC) at which to introduce the PIA, and the right step will vary depending on your organization’s structure. For example, some organizations find it best to ask Product Managers to submit a PIA during the ideation/discovery phase.

In contrast, others find it best for the development team to submit it after the technical requirements are finalized. Both approaches have pros and cons, so it’s important to understand the operational processes of your business.


Create a Data Inventory

Simply put, a Data Inventory is a list of all the systems, vendors, and places where your company stores data. A data inventory is not only required under Article 30 of the GDPR but is essential to maintaining compliant customer records.

At first, this may seem like a daunting task, but small businesses have an advantage over large organizations: they often have more direct access to their systems, and their data is usually more centralized.

The Inventory can be created in many ways. Some organizations choose to start with a data map, a more visual representation of how each data set relates to the others. In this approach, you would start with a high-level touchpoint through which you collect information on your customers.

Take your website as an example. From your website, customers can contact you via a web form, and they can also sign up for your newsletter. Each of these would be a line item in your data inventory.

Keeping data inventories accurate will enhance every element of your privacy by design program.

Other organizations choose to look at each data process and build the data inventory from the data it collects. An example of this method would be to ask, “How do customers sign up for our email newsletter?” The data process would be called “EMAIL SIGN-UP”; you would then look at which system or vendor you use as your email marketing provider. This provider would then go into your data inventory as “EMAIL SIGN-UP VENDOR”.

Either method is a great starting point. The most important thing about data inventories is to make every best effort to capture each area where you collect data.


Privacy Policy vs. Privacy Notice


This is one of the most important yet misunderstood concepts in a data compliance program. Most people are familiar with the term Privacy Policy, but few fully understand what it means. Both a Privacy Policy and a Privacy Notice are immensely valuable to the organization. Understanding them both, and how and when to use each, will give your organization an advantage when it comes to managing your data.

Privacy Policy

Put simply, a Privacy Policy is how your organization defines its standards for data collection and processing. It is where you set guidelines for what is (and what is not) acceptable use of data. Having a strong Privacy Policy in place gives you a North Star for building a compliance program: the regulations specify the law, while the Privacy Policy records your organization’s interpretation of it and addresses data practices operationally.

According to the International Association of Privacy Professionals (IAPP), a Privacy Policy is defined as: “An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.”

Privacy Notice

A Privacy Notice is what most people think of when they hear the term Privacy Policy. When you visit a website and see the page that specifies how the site collects and uses data, that page is, in practice, a Privacy Notice. Most of the time these terms are used interchangeably, but they serve very different functions for privacy professionals, and you should adopt an internal distinction between the two. Creating that separation will make it easier to comply with all aspects of privacy law.

Again referring to the IAPP, a Privacy Notice is defined as: “A statement made to a data subject that describes how an organization collects, uses, retains, and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement, or, sometimes, a privacy policy. The General Data Protection Regulation requires a controller to provide a privacy notice before processing and specify in the privacy notice the legal basis for the processing and other details, such as the contact information for the organization’s Data Protection Officer. When relying on the legitimate interest ground, the controller must describe the legitimate interests pursued.”


To summarize: Privacy Impact Assessments help your organization define its Data Inventory. A Privacy Policy is an internal playbook for your company’s data practices. Finally, Privacy Notices explain your data practices to your site’s users and consumers.

Taking these steps will help your organization instill privacy by design into the company’s culture.

Please reach out to us if you have any questions or need help setting up these best practices.