
10 Steps to Implement Privacy By Design in your organization

Vaibhav Antil, CIPM
March 1, 2021

We are living in truly exciting times, where simple 1s and 0s can chart and reconstruct an individual's entire online presence. They can be used to map out a person's demographic details, location, preferences, etc., and capture their virtual image. However, in the wrong hands, this power can be turned to illicit ends.

For this very reason, user and data privacy is steadily gaining importance.

In this post, we will take a look at Privacy by Design, especially in the General Data Protection Regulation (GDPR) context, and how to make it an integral part of any organization.

But First, What Exactly is Privacy by Design?


Concerns regarding data privacy are not new. The concept of prioritising user privacy over any other process for systems and technologies was discussed extensively in the 1970s before being formally adopted in the 1990s. Dr. Ann Cavoukian proposed the idea of Privacy by Design (or PbD), which stipulates the following seven foundational principles:

  1. Proactive not reactive; preventative not remedial.
  2. Privacy as the default setting.
  3. Privacy embedded in the design.
  4. Full Functionality - Positive-Sum, not Zero-Sum.
  5. End-to-End security - full lifecycle protection.
  6. Visibility and transparency - keep it open.
  7. Respect for user privacy - keep it user-centric.

Privacy By Design introduces a cultural change where privacy reigns supreme. Accordingly, several countries are formalising legislation to ensure greater compliance. The GDPR, introduced in 2018, is one such law that has PbD written into it (Article 25).

10 Actionable Ways to Integrate Privacy by Design Within Your Organisation

Here are some ways to incorporate Privacy By Design in your organisation’s framework:

 1. Announce Clear Privacy and Data Sharing Policies

Typically, websites can collect user information in two ways - volunteered and automated personal data collection. In the case of the former, the user willingly enters their information in your website forms. The latter, on the other hand, accounts for a greater share of data and uses cookies, tracking scripts, web beacons, etc. to identify and record personal data.

As a result, your website should explicitly state the nature and purpose of the personal information that it will collect, through pop-up notifications, banner displays, etc. Moreover, the visitor must have the option to opt out of sharing such details.

 2. Avoid Pre-Ticking Checkboxes

Checkboxes are one of the best ways to acquire explicit consent from your visitors for accessing and using their personal information. However, pre-ticking these checkboxes takes away the choice a user may exercise. Hence, these boxes must always stay unchecked by default. In case the process cannot progress without their consent, a better practice would be displaying a prompt nudging them to tick the checkbox.

 3. Incorporate Just-in-Time Notices


Privacy By Design principle #6 focuses on the visibility and transparency of your website components, and just-in-time notices are one way to abide by it. Just-in-time notices display short yet informative snippets of detail at the moment the user enters their information in a form. They give you the opportunity to share why you need the data and how you plan on using it.

 4. Minimise Data Collection

This strategy relies on the foundation of Privacy By Design and GDPR - collect and process the least amount of user data to minimise liability and the possible impact on privacy in case of breaches. Data minimisation can take place in two ways - by limiting the volume of collected data or by reducing the population size in the organisation's source data. Thus, you could choose to select/exclude a section of users or collect only the critical data.

 5. Honour Confidentiality

To support your organisation's endeavour to be Privacy By Design compliant, you must focus on protecting confidentiality by restricting data observability. You can achieve this by limiting data access or sharing personal information only on a need-to-know basis. Additionally, you must encrypt the data to prevent unauthorised access during transfer or in storage.

 6. Separate and Sort Data

Data separation and mixing are two of the smartest data protection techniques. You can use them as a buffer to minimise the risk resulting from a data breach. The former isolates data and stores it across the database to unlink it, while the latter groups together varied data types and subjects to remove any correlation. In either case, the independent data bits or consolidated chunks will confuse an intruder and prevent them from extracting useful information.
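The minimisation in step 4 and the separation described above can be combined at the point where a record is first stored. The following is an added example, not code from Privado or the original post: the field names, the allow-list, and the two in-memory dicts (standing in for two separately access-controlled data stores) are assumptions made for illustration.

```python
import secrets

# Assumption: the only fields this hypothetical sign-up flow actually needs.
ALLOWED_FIELDS = {"email", "country", "plan"}
# Assumption: fields that directly identify a person.
IDENTITY_FIELDS = {"email"}


def minimise(record):
    """Step 4: keep only allow-listed fields, drop everything else."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def separate(record, identity_store, profile_store):
    """Step 6: split a record across two stores linked only by a random key."""
    key = secrets.token_hex(16)  # random, so it reveals nothing about the user
    identity_store[key] = {k: v for k, v in record.items() if k in IDENTITY_FIELDS}
    profile_store[key] = {k: v for k, v in record.items() if k not in IDENTITY_FIELDS}
    return key


def ingest(raw, identity_store, profile_store):
    """Minimise first, then separate, so dropped fields are never stored."""
    return separate(minimise(raw), identity_store, profile_store)


def erase(key, identity_store):
    """Remove the identifying half; returns True if something was deleted."""
    return identity_store.pop(key, None) is not None


# Constructed sample input, not real user data.
SAMPLE = {
    "email": "user@example.com",
    "country": "DE",
    "plan": "free",
    "date_of_birth": "1990-01-01",  # not needed, so never stored
    "phone": "+49 000 0000000",     # not needed, so never stored
}

if __name__ == "__main__":
    identities, profiles = {}, {}
    key = ingest(SAMPLE, identities, profiles)
    print("identity store:", identities[key])
    print("profile store: ", profiles[key])
    erase(key, identities)
    print("after erase:   ", key in identities, profiles[key])
```

Someone who obtains only the profile store sees country and plan values with no direct identifier attached, and deleting the identity row removes the email while leaving the profile row in place.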


 7. Educate and Empower

Educating and empowering your users and maintaining transparency can be one of the best practices of data collection and usage. Make it a habit for your website to inform visitors about the kind of data being collected, the purpose of this data, and to what extent it may be shared with third parties. Such a measure also ensures compliance with Articles 13 and 14 of GDPR.

 8. Offer Control

In an age where businesses are proactive about privacy and customer-centricity, merely informing the visitor about their data rights is not enough. You must also offer them granular control over the data that they wish to share or curtail. Granting them the power to give consent, withdraw consent, update or retract information, and make choices goes hand-in-hand with the strategy to educate and empower.

 9. Enforce Compliance


To ensure regulatory compliance, organisations must have a well-defined, thoroughly documented privacy framework that is practically applicable. A privacy-centred work culture must motivate the management and all employees to actively participate in the creation, maintenance, and upholding of privacy.

 10. Demonstrate Respect for Privacy

Finally, there needs to be a mechanism to review the data, ascribe roles and responsibilities, and fix accountability for how data is sourced and maintained. These authorities will record, audit, and report on the personal data processing systems and carry out a periodic evaluation for risk aversion and mitigation. In this manner, businesses can follow a well-documented process of Privacy by Design from scratch right up to the highest level.

Final Thoughts

According to a Cisco Consumer Privacy Survey (2019), 84% of the participants admitted to caring deeply about their data and wanting more control over how it is being used. Nearly half of these respondents also indicated that they would be willing to switch brands for more robust data protection and privacy policies. These statistics support the notion that privacy is not an afterthought. In fact, it must be the core motivator for introducing policy changes.

So, where does your organisation stand in this aspect?

Vaibhav is the founder of and a CIPM certified privacy professional.
