Privacy Governance And Accountability
Overview
Glen Willis and Arthur Mansourian share how to make privacy by design feel natural. Add simple check points to normal delivery, ship with safe defaults, teach in plain language, and automate the parts people forget. The goal is steady progress without slowing teams down.
- Bake privacy checks into sprint, design review, and security review from day one.
- Ship with safe defaults such as opt-in for tracking and least access inside the org.
- Train roles with short, role-specific how-tos and checklists.
- Automate data retention and common forms so cleanup and requests are not manual.
- Keep ownership clear so questions get answers fast.
Transcript
Glen Willis
Hello, I’m Glen Willis, Director of Cyber Technology at Kalles Group. I’m here with one of our wonderful privacy consultants, Arthur Mansourian. We have planned for you a series of topics to talk through here that we hope you all find helpful in understanding ways to set up for success with your privacy programs.
Arthur, let’s talk about privacy by design. As I deal with executives a lot in my role, whether it’s doing business development or leading delivery and those sorts of things, I think the initial reaction sometimes you’ll see is that this is an impediment to velocity, to project velocity, to delivery velocity, right? But there is a way to simplify this and to strategically roll this out in a way that can become a very natural part of the way delivery is done in an organization, whether that’s engineering delivery or something else, right? Give me the three or four kind of really important things to get right in this area.
Arthur Mansourian
Yep, that’s a good, good point. It always comes up. It’s not always favorably met, as you say.
I think some of the first things, it’s really making it as practical and kind of natural as possible. So I think the first thing would be to make it a part of the development process. Of course, you want to make it wherever possible as part of it from day one. So bake it into the process from the very start.
For example, as you’re developing a new app, let’s say, or a new program or a new workflow, you want to add those privacy check-ins from the beginning into the existing workflow. So let’s say add it into the agile sprints, the product design review, the IT security process. If you’re launching a new feature, just ask yourselves the basic privacy questions like: What data is being collected? What is really important that has to be collected? What can we not collect that we don’t necessarily need? And then how long should that data be kept? Who should be able to access it?
I think these are the three most basic privacy questions that should be asked, and that’s what really helps you think about privacy early on, so it doesn’t feel like that burden.
From there, just building the privacy into the default settings of an app or program or feature. So make it privacy friendly as the default choice. Let’s say you’re launching a new app, there’s location tracking involved or data sharing involved. Make the default feature off and instead let the users opt in rather than opting out. So you’re limiting the access by default. Only giving permission to those who really need it internally. The less data you collect, the less your risks are, and the lower the chances something’s going to go wrong.
So those are the kind of first things I’d look at. Then also just training the team to make privacy-friendly choices. Privacy by design should be part of the whole culture, not just IT or legal. And instead of using legal jargon or privacy jargon, make it easy for everyone to understand with simple guides, quick privacy sessions sometimes, or checklists.
Then just automating and standardizing privacy wherever possible. Providing tools and setups to make it easier. For example, a pre-approved data collection template, that’s something that I’ve seen used a lot. Or building in data retention rules to automatically delete old data instead of relying on someone to manually clean it up and potentially forget or miss something.
So I think these are really important to make it fit naturally rather than being a huge roadblock. It’s all about that early integration and automation where possible.
