How-to guide: How to implement privacy by design within your organization (USA)

Updated as of: 16 June 2025

Introduction

This guide will assist in-house counsel and risk and compliance teams with building a culture of ‘privacy by design’ in their organization, and private practice lawyers when advising their clients on the same.

This guide covers the following:

  1. Definition of privacy by design
  2. Development and implementation of a privacy by design program
  3. Building a culture of privacy by design

This guide can be used in conjunction with the following resources – How-to guides: How to determine and apply relevant US privacy laws to your organization and How to manage third party supply chain data privacy, security risks, and liability; Checklist: Privacy and data security law training and Quick view: Key data privacy and data security terms.

Section 1 – Definition of privacy by design

1.1 What is privacy by design?

Privacy by design (PBD) is an approach to systems engineering and business processes that aims to ensure that privacy is incorporated into the design of technologies, systems, and processes through the entire process of development. The approach was first developed in the 1990s by Dr. Ann Cavoukian, the former information and privacy commissioner of Ontario. Dr. Cavoukian stated that PBD was developed ‘to address the ever-growing and systemic effects of Information and Communication Technologies, and of large-scale networked data systems,’ and consists of seven principles. PBD is based on the idea that the future of privacy will not be assured solely through compliance with regulatory frameworks. Privacy assurance should ‘ideally become an organization’s default mode of operation.’ Since then, PBD has gained traction around the world as a best practice for data protection.

It is inaccurate to think of PBD as a risk-management system for personal data. The proactive nature of PBD sets the goal as prevention. While mitigation of the harm from a violation of privacy may become necessary, minimizing the occasions when mitigation is necessary is the purpose of PBD.

1.1.1 Who should implement privacy by design?

No US jurisdiction has enacted a law to require PBD. 

The American Privacy Rights Act (APRA) of 2024 was Congress's latest effort to establish a comprehensive consumer privacy law. Unlike existing sector-specific federal privacy laws, APRA aimed to regulate data privacy across all industries. 

APRA would have required covered entities to comply with five requirements: (1) data minimization, (2) privacy by design, (3) transparency, (4) reasonable data security, and (5) appointing a privacy and data security officer. The PBD provision called for covered entities to adopt reasonable policies, practices, and procedures. 

APRA did not pass the Senate before the adjournment of the 2023-24 session, and its future prospects are uncertain. The concept of PBD has, however, remained important due to increasing pressure for a cohesive privacy framework, as 20 states have enacted their own privacy laws since 2018, creating a complex compliance landscape. Federal legislation, such as the APRA, would standardize privacy rights and business obligations nationwide.

The US Federal Trade Commission (FTC) has incorporated elements of PBD into its March 2012 Privacy Framework. That framework addressed the seven principles of PBD and concluded that ‘[c]ompanies should maintain comprehensive data management procedures throughout the life cycle of their products and services.’ The framework also highlights that companies should only collect data that is necessary to accomplish a specific business objective and should dispose of such data in a safe way once the business has achieved that objective.

The FTC Framework is not a formal regulation, and companies are not legally required to implement its recommendations. Instead, it is ‘meant to encourage best practices and is not intended to conflict with requirements of existing laws and regulations.’ If there are parts of the framework that exceed, but do not conflict with, existing statutory requirements, entities covered by those statutes should regard the framework as setting out best practices for the promotion of consumer privacy.

The purpose of this guide is to provide general information necessary for the implementation of PBD within your organization, rather than addressing the specific requirements of, or guidance relating to, any specific laws.

Furthermore, legislation introduced in Congress in 2022 – the American Data Privacy and Protection Act HR 8152 – would have required entities covered by the Act to implement PBD measures, but that bill did not pass before Congress adjourned at the end of 2022, and has not been reintroduced.

PBD is, however, an essential part of compliance with certain foreign laws, for example, the European Union’s General Data Protection Regulation (GDPR). Article 25 of the GDPR requires controllers of data:

both at the time of the determination of the means for processing and at the time of the processing itself, [to] implement appropriate technical and organizational measures ... which are designed to implement data-protection principles ... in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR] and protect the rights of data subjects. 

PBD is therefore mandated by the GDPR for organizations that are subject to its extra-territorial jurisdiction (i.e., those who carry out processing activities related to the offering of goods or services to data subjects in the EU or the monitoring of the behavior of data subjects in the EU, as far as their behavior takes place within the EU).

Irrespective of whether there is a legal obligation to implement PBD, PBD is regarded as a best practice for all organizations, of any size, that process data. The nature of the measures to be taken for PBD will vary, according to the size of the organization, the type and quantity of data it processes, and the technology used.

1.1.2 The benefits of privacy by design

PBD helps organizations to reduce the risk of privacy breaches, and the legal liability and reputational damage that flows from such breaches. PBD can also ensure that individuals’ privacy rights are respected throughout the entire data processing life cycle because security and privacy are embedded into the organization’s products and services at the outset. Accordingly, the PBD approach helps foster trust between organizations and the members of the public with whom they do business – something that is growing increasingly important as data privacy concerns continue to grow.

Furthermore, PBD encourages a proactive rather than reactive approach to privacy. Instead of addressing privacy concerns after a breach has occurred or a product has been launched, PBD mandates that privacy considerations are integrated into the design and development phases. This foresight not only minimizes potential vulnerabilities but also streamlines compliance with evolving privacy regulations globally, saving organizations significant resources and fostering a culture of privacy awareness from the ground up.

1.2 Foundational principles of privacy by design

PBD is based on seven foundational principles, each of which is described below.

1.2.1 Proactive not reactive; preventative not remedial

PBD does not focus on mitigating the harm caused by a data breach. Instead, the goal is to mitigate the risks of harm by anticipating and preventing invasions of privacy before those invasions can happen. The focus of PBD is on before-the-fact actions, not after-the-fact cures. To that end, organizations should implement measures that will help to both identify possible threats to data security and anticipate their incidence so the organization may take the most appropriate and effective action. As Benjamin Franklin said, ‘An ounce of prevention is worth a pound of cure.’

1.2.2 Privacy as the default setting

PBD ensures that personal data will be automatically protected in any system or business practice. If an individual does nothing, their privacy will remain intact. The individual does not need to do anything to protect their privacy – it is built into the system, by default. PBD is based on the following practices:

  • specifying the purposes for which personal information is collected, used, retained, and disclosed, and communicating those purposes to the individual who is the subject of the data at or before the time the information is collected;
  • limiting the collection of personal information to that which is fair, lawful, and necessary for the specified purposes;
  • minimizing the collection of personally identifiable information;
  • limiting the use, retention, and disclosure of personal information to the relevant purposes identified to the individual, for which they have consented, unless otherwise required by law. Personal information is to be retained only as long as necessary to fulfill the stated purposes, and then securely destroyed;
  • ensuring that personal information is accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used; and
  • implementing robust security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held.

1.2.3 Privacy embedded into design

PBD makes privacy integral to the system without diminishing the functionality of the system. Privacy is not an add-on; it is an essential component of the system infrastructure. The broader contexts of privacy – for example, the interests or persons to be protected – must be considered, and all stakeholders should participate in the design process. The embedding may require adaptation of existing privacy protections, or it may require scrapping them altogether and implementing something new. Further, the use of risk assessments and privacy impact analyses should be included within the organization’s key objectives.

1.2.4 Full functionality — positive-sum, not zero-sum

PBD is intended to promote privacy while satisfying all of the other legitimate goals of an organization. There should be no trade-off between privacy and functionality. All stakeholders should be able to realize their goals for the organization. A zero-sum approach to privacy, in which privacy is regarded as an impediment to profitability or efficiency, should be rejected. A positive-sum approach requires the clear documentation of all interests and objectives, the articulation of desired functions, and the application of agreed-upon metrics. Such an approach allows stakeholders to make conscious decisions regarding the incorporation of privacy while not losing sight of other goals or compromising other systems and procedures.

1.2.5 End-to-end security — full life-cycle protection

Without security, there is no privacy. Privacy must be protected continuously throughout the life cycle of the data held by the organization. PBD calls for the secure retention of all data, and then timely and secure destruction at the end of the process of developing a product or service. In order to ensure security, entities should assume responsibility for the security of personal information commensurate with the degree of sensitivity of the data and consistent with standards developed by recognized standards development bodies. The security standards that are applied or developed must ensure the confidentiality, integrity, and availability of personal data.

1.2.6 Visibility and transparency — keep it open

As the old proverb says, ‘Trust, but verify.’ All stakeholders should know that any business practice or technology is truly operating according to its stated promises and objectives, including those related to privacy. Component parts and operations of a system should remain visible and transparent, to both users and providers. Visibility and transparency will establish accountability and trust. PBD places special emphasis on the principles listed below.

  • Accountability – collecting personal information entails a duty of care for the protection of that information. Responsibility for all privacy-related policies and procedures must be documented and communicated, and should be assigned to one specified individual. If personal information is to be transferred to third parties, privacy protection should be secured by contractual means.
  • Openness – information about the policies and practices for the management of personal information must be made readily available to individuals.
  • Compliance – complaint and redress mechanisms should be established. The means for accessing and taking advantage of those mechanisms must be communicated to the individuals whose data is collected. Steps must be taken to monitor, evaluate, and verify compliance with privacy policies and procedures.

1.2.7 Respect for user privacy — keep it user-centric

PBD makes the interests of the individual a top priority. Respect for user privacy involves offering strong privacy defaults, appropriate notice, and user-friendly options. The best PBD results are those consciously designed around the interests and needs of individual users while giving users more control over the use of their personal information. Respect for user privacy relies on the principles listed below.

  • Consent – free and specific consent is required for the collection, use, or disclosure of personal information, unless otherwise permitted by law. Consent may be withdrawn at any time.
  • Accuracy – personal information must be as accurate, complete, and as up-to-date as needed to fulfill the specified purposes.
  • Access – individuals must be allowed access to their personal information, and must be informed of its uses and disclosures. They must be provided the opportunity and means to challenge the accuracy and completeness of the information, and to have that information amended as appropriate.
  • Compliance with PBD principles – organizations must establish complaint mechanisms, and communicate information about them to the public.
  • The individual must be at the center of operations that involve collecting personal data. Human–machine interfaces must be human-centered, user-centric, and user-friendly.

Section 2 – Development and implementation of a privacy by design program

Developing and implementing PBD starts with an organization’s commitment to the idea of PBD. This commitment will make the adoption of specific measures seamless, and less disruptive to the organization. This commitment takes the shape of understanding when PBD should be considered, who will play a role in PBD, and how it should be developed and implemented through processes and systems.

2.1 When privacy by design should be considered

The underlying principle of PBD is that privacy is ‘baked into’ an organization’s process. In other words, PBD is not an addition to the process, it should always be a foundational part of the process. The elements of PBD should be in place before personal data is collected.

New product offerings may implicate new privacy concerns. The mechanisms for privacy protection that an organization has in place may prove inadequate to meet the needs or concerns of a new set of customers or persons whose data may be collected or processed. The development of the new product should therefore include consideration of the potential for invasions of privacy, and incorporate protection against those invasions into the design and development of the new product.

Ideally, PBD will have been implemented before data is processed. However, an organization that decides to do so after it has begun collecting data will still be able to implement PBD for existing and new processes and products. For example, an organization could develop a new, more stringent policy for requiring consent for the use or disclosure of information, including information that has already been collected. The new policy could also include an explicit means for revoking consent. If the organization is in compliance with existing laws and rules regarding data security, the organization has already made a start towards PBD, in that existing laws incorporate many PBD principles, such as requiring consent for the use or disclosure of personal information.

2.2 Who should be involved in privacy by design?

All stakeholders in an organization – particularly those whose duties include collecting, storing, or processing personal data – will be involved in PBD. Some stakeholders will have a more prominent role in the development and management of a program than others. These stakeholders include those listed below.

  • Data protection officer/advisor/chief information officer (CIO) – overall oversight of PBD rests with the person in the organization responsible for implementing privacy protections. If the organization has a dedicated data protection officer (which is a requirement for organizations subject to the GDPR) or data protection advisor, that person is the obvious choice. If not, the CIO should be given the responsibility.
  • Privacy engineer – a privacy engineer is an important, if not essential, part of the implementation of PBD. Privacy engineers build the tools and processes to apply privacy protections. Privacy engineers assess privacy risks and design clear privacy controls, among other functions. PBD’s focus on being proactive and preventing privacy violations makes the identification of risks and the design of controls vital to the success of the program.
  • Legal and compliance teams – these teams are crucial for interpreting relevant privacy laws and regulations (like GDPR, CCPA, etc.) and ensuring that the PBD framework aligns with legal requirements. They provide guidance on data handling, consent mechanisms, and breach notification procedures, helping to mitigate legal risks.
  • Product development and design teams – since PBD emphasizes embedding privacy from the outset, these teams are directly responsible for incorporating privacy controls into the design and functionality of products and services. They work closely with privacy engineers to ensure privacy-enhancing features are integrated seamlessly and effectively.

Other stakeholders will have responsibility for implementing and overseeing parts of the process, and providing feedback as to how the process is working and whether there are changes or improvements to be made. See further section 2.3.2 below.

2.3 Developing privacy by design processes

The processes involved in developing and implementing PBD are proactive and geared towards prevention rather than remediation. Organizations should ensure privacy is incorporated in technology, procedures, and practices from the earliest stages of their development.

2.3.1 Identify risks

Identification of the risks an organization faces is the first, and perhaps most crucial, step in implementing PBD. The risks to privacy cannot be addressed unless they are first identified and understood.

See further, Checklist: Completing a data privacy risk assessment.

2.3.2 Allocate responsibilities – IT, legal, procurement, sales, etc

While there should be one person in the organization who oversees the overall implementation of PBD (see section 2.2 above), the need to include privacy in all aspects of a process means that numerous personnel connected with an organization will need to be involved. For example, while the IT team is the best equipped to address the technical requirements of PBD, and the legal team is able to advise regarding compliance with the applicable laws and regulations, the sales team will be able to provide insight into customer concerns, as well as the operational issues of the PBD program.

2.4 Implementing privacy by design processes

2.4.1 Document processing

When it comes to PBD, less is more. Less data being processed, or less processing done with that data, means fewer opportunities for a privacy breach or violation. The PBD program should keep data processing, as well as data collection, to the minimum amount necessary for the purposes for which the data was collected.

2.4.2 Adopting privacy controls throughout the design process

Privacy controls should be adopted as part of the design process, geared towards guarding against the identified risks, and developed to protect the particular data being processed. The privacy controls for an online retailer, for example, will be different from those implemented by a medical practitioner because of the different types of data collected, the different privacy concerns involved, and the different uses of the data being collected. Such controls may include the following.

Encryption

Encryption of personal data is a standard practice for most organizations that handle personal data. It is a familiar operation, and one that should be a part of any PBD program.

Anonymization

Anonymization removes information from a record or document that could be used to identify the subject of the record or document while still retaining the data. For example, an anonymized medical record will have the patient’s name, address, and date of birth removed while the physician’s diagnosis will be retained. Anonymization is essential if data is retained for uses other than direct transactions or interactions with the subject of the data (for instance, if records are kept for statistical or research purposes).

Other measures

Other measures that might be taken include authentication, regular testing for vulnerabilities, and deleting data when it is no longer needed. As noted, the precise measures depend on the data being used or processed, and the function of the organization.
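The following Python example is added here to illustrate, in working code, three of the controls this section and section 1.2.2 describe: limiting retained fields to those a stated purpose needs, anonymizing a medical record by removing the patient’s name, address, and date of birth while keeping the diagnosis, and deleting records once their retention period has run. It is not code from the guide or from any named organization. The patient records, the purpose-to-field allowlists, and the retention periods are constructed assumptions for the example; real allowlists and periods come from the organization’s policies and the laws that apply to it.

```python
"""Added example: purpose-limited minimization, anonymization and retention
applied to a small set of constructed patient records."""
from datetime import date, timedelta

# Constructed sample records; the people and addresses are fictional.
RECORDS = [
    {"patient_name": "Jane Example", "address": "1 Sample Street",
     "date_of_birth": "1980-04-12", "diagnosis": "hypertension",
     "collected_on": "2023-01-15", "purpose": "treatment"},
    {"patient_name": "John Sample", "address": "2 Placeholder Road",
     "date_of_birth": "1972-09-30", "diagnosis": "asthma",
     "collected_on": "2015-06-30", "purpose": "treatment"},
    {"patient_name": "Ada Fictional", "address": "3 Test Avenue",
     "date_of_birth": "1990-12-01", "diagnosis": "migraine",
     "collected_on": "2021-03-01", "purpose": "research"},
    {"patient_name": "Lee Example", "address": "4 Demo Lane",
     "date_of_birth": "1965-02-20", "diagnosis": "diabetes",
     "collected_on": "2024-11-20", "purpose": "research"},
]

# Fields that directly identify the data subject; these are the ones the
# guide's medical-record example removes.
DIRECT_IDENTIFIERS = frozenset({"patient_name", "address", "date_of_birth"})

# Hypothetical allowlist of the fields each stated purpose actually needs.
FIELDS_BY_PURPOSE = {
    "treatment": frozenset({"patient_name", "address", "date_of_birth",
                            "diagnosis", "collected_on", "purpose"}),
    "research": frozenset({"diagnosis", "collected_on", "purpose"}),
}

# Hypothetical retention periods per purpose (policy and law set the real ones).
RETENTION_BY_PURPOSE = {
    "treatment": timedelta(days=7 * 365),
    "research": timedelta(days=3 * 365),
}


def minimize(record, purpose):
    """Keep only the fields the stated purpose requires (data minimization)."""
    if purpose not in FIELDS_BY_PURPOSE:
        raise ValueError(f"unknown purpose: {purpose}")
    allowed = FIELDS_BY_PURPOSE[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def anonymize(record):
    """Return a copy of the record with direct identifiers removed.

    Diagnosis and other non-identifying fields are retained; the input
    record itself is left unchanged.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def is_anonymized(record):
    """Guard before any export: true only if no direct identifier remains."""
    return DIRECT_IDENTIFIERS.isdisjoint(record)


def is_expired(record, today_iso):
    """True when the record has outlived the retention period for its purpose."""
    today = date.fromisoformat(today_iso)
    collected = date.fromisoformat(record["collected_on"])
    return today - collected > RETENTION_BY_PURPOSE[record["purpose"]]


def apply_retention(records, today_iso):
    """Split records into those to keep and the count due for secure deletion."""
    kept = [r for r in records if not is_expired(r, today_iso)]
    return kept, len(records) - len(kept)


def research_extract(records, today_iso):
    """Build the dataset that may leave the treatment system for research:
    within retention, minimized to the research purpose, verified anonymous."""
    kept, _ = apply_retention(records, today_iso)
    extract = [minimize(r, "research") for r in kept]
    if not all(is_anonymized(r) for r in extract):
        raise RuntimeError("direct identifier leaked into research extract")
    return extract


if __name__ == "__main__":
    as_of = "2025-06-16"
    kept, deleted = apply_retention(RECORDS, as_of)
    print(f"kept {len(kept)} records, {deleted} due for secure deletion")
    for row in research_extract(RECORDS, as_of):
        print(row)
```

Run as of 16 June 2025, two of the four constructed records fall outside their retention period and are counted for deletion, and the research extract contains only diagnosis, collection date, and purpose for the remaining two. The separate `is_anonymized` check exists because minimization and anonymization are two different controls: a purpose allowlist that someone later widens should still be caught before data leaves the system.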

2.4.3 Recordkeeping

Processing activities should be documented, and records of those activities should be kept. This will help ensure compliance with the program by allowing oversight of what is being done on a day-to-day basis. Recordkeeping will also help identify flaws or weaknesses in the system as they happen.

2.4.4 Staff training

As with any new or changed process, training of the personnel who will be working with or in the process is essential. Staff training for PBD takes on a different dimension, as it is not merely training in the rote or mechanical processes of a system. The training should include a description of why PBD is being implemented, and how it will be a part of the entire operation of the organization. The focus on the individual whose data is being collected or processed should be emphasized.

As a part of their training, employees should also be encouraged to report vulnerabilities that they see in the day-to-day operation of the system. Employees should also be encouraged to suggest improvements or enhancements, for instance by offering rewards such as bonuses or non-monetary gifts for their suggestions.

2.4.5 Ongoing monitoring and assessment

PBD is a continuous process. It is not enough to establish a program and declare that it has been implemented. There should be ongoing monitoring and assessment of all of an organization’s systems to ensure that those systems comply with legal and regulatory privacy requirements, as well as industry privacy and security standards, and corporate policies.

Self-assessment, or internal review, is part of implementation of PBD, and also a part of risk management. Self-assessment will provide the organization with a view of how well the system is functioning, and how well staff have managed to make it a part of operations. Self-assessment is also the best way to find ways to improve the system.

A PBD program should be monitored continuously, to ensure effectiveness as well as compliance. Monitoring should include input from the personnel charged with the ongoing operations of the system.

Continued self-assessment

As discussed above, self-assessment is a vital part of PBD. The self-assessment should be unsparing, and should be done on a continual basis, rather than only at designated review times.

Outside auditor/reviewer

Outside auditors or reviewers will help give an honest and unbiased evaluation of the PBD system. Accordingly, organizations should consider the use of outside auditors and reviewers to ensure the PBD system is both effectual and ideal for the particular organization and the data it processes.

Testing system

‘Set a thief to catch a thief.’ There is no better way of determining if a system is vulnerable to a breach than by trying to cause a contained breach. Cybersecurity professionals will know the ways in which a system may be breached and will demonstrate the areas that are susceptible to exploitation. They should also be able to demonstrate successful ways of guarding against that exploitation.

Section 3 – Building a culture of privacy by design

PBD is not a ‘one-and-done’ type of program. It is a part of the entire process, and deals with data over the entire life cycle of the data. Inertia, and allowing the system to fade into the background of organizational life, will defeat the entire purpose of the program; it is therefore important to build a culture of PBD within your organization.

3.1 Commitment to PBD

Senior management must be committed to PBD, and must make clear that they share the goal of making privacy an integral part of the corporate culture. All personnel should understand that privacy is an essential part of the organization’s values and mission.

3.2 Training

PBD may be an unfamiliar concept to many. Likewise, the importance of PBD may not be well-understood. Therefore, to ensure that your organization builds a culture of compliance, your organization should implement thorough, ongoing training to optimize privacy and security.

3.2.1 New employees

New employees should be trained on the organization’s PBD program, just as they would be trained on any other aspect of organization operations. This training should emphasize that PBD is a holistic program, not confined to a few IT or security staff members.

3.2.2 Existing employees

PBD should become an integral part of the organization’s culture. This means that regular reiteration of the processes and importance of PBD will be necessary. Regular retraining also allows the organization to address new elements of the process, or newly identified threats.

Additional resources

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to develop, implement, and maintain a US privacy law compliance program 
How to develop, implement and maintain a US information and data security compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts 
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws 

Checklists:

Understanding privacy laws in the US 
Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Developing key privacy and data security contractual terms and provisions (B2C) 
Privacy and data security law training 
Completing a data incident response plan assessment 
Responding to a data breach 
Privacy and data security due diligence in M&A 

Quick views:

Key data privacy and data security terms 
Collection and use of non-consumer data 
Regulation of data brokers 
