Embedding Privacy by Design and Default



Overview

Glen Willis and Arthur Mansourian share a simple way to fold privacy into everyday delivery. Ask a few key questions up front, ship with default-off settings, teach teams in plain language, and automate the parts that get forgotten. The result is steady progress without slowing work.

  • Add privacy checkpoints to sprints, design reviews, and security reviews.
  • Collect only what you need, keep it only as long as you should, and limit access.
  • Use default-off for tracking and sharing; let users opt in.
  • Give short role-based training with clear checklists.
  • Automate retention and common requests to reduce manual work.

Transcript

Glen Willis

Hello, I’m Glen Willis, Director of Cyber Technology at Kalles Group. I’m here with one of our wonderful privacy consultants, Arthur Mansourian. We’ve planned a series of topics to talk through that we hope you find helpful in understanding ways to set up for success with your privacy programs.

Arthur, let’s talk about privacy by design. As I deal with executives a lot in my role, whether it’s doing business development or leading delivery and those sorts of things, I think the initial reaction you’ll sometimes see is that this is an impediment to velocity, to project velocity, to delivery velocity. But there is a way to simplify this and strategically roll it out so it becomes a natural part of how delivery is done in an organization, whether that’s engineering delivery or something else. Give me the three or four really important things to get right in this area.

Arthur Mansourian

Yep, that’s a good point. It always comes up and it’s not always favorably met, as you say.

I think the first thing is making it as practical and natural as possible. So, the first step would be to make it part of the development process. You want to bake it in from day one. For example, if you’re developing a new app, program, or workflow, add privacy check-ins from the beginning into the existing workflow, like during agile sprints, product design reviews, or IT security processes.

If you’re launching a new feature, just ask the basic privacy questions:

  • What data is being collected?
  • What is essential to collect?
  • What can we avoid collecting?
  • How long should the data be kept?
  • Who should have access to it?

These are the basic questions that help you think about privacy early on so it does not feel like a burden.

From there, build privacy into the default settings of an app, program, or feature. Make privacy-friendly defaults the standard. For example, if location tracking or data sharing is involved, set the default to off and let users opt in rather than opt out.

Limit access by default. Only give permission to those who truly need it internally. The less data you collect, the lower your risks and the fewer chances something will go wrong.

Next, train the team to make privacy-friendly choices. Privacy by design should be part of the whole culture, not just an IT or legal concern. Avoid legal or technical jargon, and use simple how-tos, quick privacy sessions, or checklists.

Automate and standardize privacy wherever possible. Provide tools to make it easier, like pre-approved data collection templates or built-in data retention rules that automatically delete old data rather than relying on someone to manually clean it up.

These are the key steps to make privacy by design fit naturally rather than being a roadblock. It is all about early integration and automation where possible.
