Building Customer Trust Through Privacy By Design

A good reputation is everything in business. This statement couldn't be more relevant in today's always-on culture, where the slightest misstep can have a devastating effect on how your brand is perceived. Whether you like it or not, customers pay close attention to what you do and choose to act (or not) based on what they see or hear about your brand. In commercial terms, breaking hard-earned trust can slow customer purchases entirely.

As Benjamin Franklin said: "It takes many good deeds to build a good reputation, and only one bad one to lose it."

While negative publicity due to an unforeseen or uncontrollable event can happen at any time, reputation management is often (wrongly) perceived as a reactive tactic that brands use after the event. In reality, companies of all sizes should take proactive measures to protect their reputation to ensure customers or service users continue to trust them.

One area where consumer trust and brand reputation are becoming increasingly interconnected is privacy management.

Protect your brand reputation with GDPR

How organisations deal with privacy laws such as the UK general data protection regulation (GDPR) can significantly impact reputational risk. For instance, the link between failing to put appropriate levels of protection in place to prevent the loss of personal data and the erosion of consumer trust following a data breach is well documented.

If reputation management is one of the most important risk areas, leveraging your existing privacy management programme can be a positive step towards a comprehensive risk management strategy.

Building and demonstrating robust GDPR compliance requires an ongoing commitment that involves placing data ethics ahead of short-term profits. In doing so, you demonstrate your trustworthiness as a business by respecting consumer privacy, being transparent and living up to promises about your data processing operations.

So, where do you start?

Privacy and how you handle personal data relates to almost every business function. Identifying, managing, and controlling different processing activities says a lot about your company, your culture, and the maturity of your GDPR compliance programme. At the very heart of this sits data protection by design and default.

What is data protection by design and default?

Although the GDPR requires you to incorporate data protection concerns into all processing activities, the origins of data protection by design and default date back to the mid 1990’s.

Privacy by design

Privacy by design (PbD) was initially developed by Ann Cavoukian and discussed in a joint report on privacy-enhancing technologies by the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995. The Privacy by Design framework was published in 2009 and then adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.

It contains seven foundation principles:

• Proactive not reactive; preventative not remedial.
• Privacy as the default setting.
• Privacy embedded into design.
• Full functionality — positive sum, not zero sum.
• End-to-end security — full lifecycle protection.
• Visibility and transparency — keep it open.
• Respect for user privacy — keep it user-centric.

Cavoukian's approach led to a new way of integrating privacy into products, business processes, and policies. The core ethos is that privacy measures should be implemented at the start of a project or policy rather than hastily bolted on at the end. Today, we see data protection by design as a way to develop products, services or solutions where privacy is considered throughout the product's lifecycle.

Data protection by default

The Information Commissioner's Office (ICO) defines data protection by default as:

• Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.
• You have to process some personal data to achieve your purpose(s). Data protection by default means you need to specify this data before the processing starts, appropriately inform individuals and only process the data you need for your purpose. It does not require you to adopt a 'default to off' solution. What you need to do depends on the circumstances of your processing and the risks posed to individuals.

To achieve data protection by default, you must ensure:

• A privacy-first approach is applied to any system default setting.
• People are given real choices when it comes to the processing of their personal data.
• Additional data must not be processed unless consent is granted by the data subject.
• Personal data should never be made automatically publicly available unless permission is given by the data subject.
• People should be given sufficient controls and options so they can exercise their data rights.

What does the UK GDPR say about data protection by design and default?

Articles 25(1) and 25(2) of the GDPR outline your obligations concerning data protection by design and by default.

Article 25(1) states what is required for data protection by design:

• Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Article 25(2) specifies the requirements for data protection by default:

• The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Article 25(3) also states that if you adhere to an approved certification under Article 42, that you can use this as means of demonstrating your compliance with these requirements.

How to implement data protection by design and default

Below are a series of tips for developing trust through privacy and data protection by design and default:

• Get key stakeholders on board by showcasing the benefits to the business. With so much customer interaction now taking place online, giving people a positive and secure digital experience is an effective tool to drive growth.
• Ensure senior management is behind the push to implement a culture of privacy.
• Develop policies and practical guidelines that require data protection by design and default to be included within all your internal processes and procedures.
• Bear in mind each new project will be different, analyse the risks and implement appropriate controls on a case-by-case basis.
• Consider data protection issues at the beginning of all new projects and throughout the implementation.
• Only process the minimum amount of personal data that is necessary for the purpose.
• Ensure IT systems engineers and software developers are on board to assist in developing privacy-focused solutions.
• Build-in automatic privacy safeguards for products and services so that users are protected from the outset.
• Be transparent about your processing activities and make users aware of how they can check what you are using their data for.

Although the responsibility remains with the controller, you should also ensure supply lines are considered as part of your design and default framework. New research shows a whopping 97% of companies surveyed had been negatively impacted by a cybersecurity breach that occurred in their supply chain.

For more information read the detailed guidance produced by the ICO.

Consumers want control and are willing to act

The latest 2021 Consumer Privacy Survey from Cisco is aptly titled Building Consumer Confidence Through Transparency and Control. It reveals 86% of respondents said that they care about their data privacy and want more control over their data. A further 79% said they are willing to spend time and money to protect data, that privacy is a buying factor, and that they expect to pay more to protect their data. Meanwhile, 47% have acted and switched companies or providers over data policies or data sharing practices.

The above statistics certainly help establish a business case supporting the implementation of data protection by design and default. Furthermore, the strategic advantages of a robust privacy management programme are substantial. They range from reduced sales cycles to increased customer trust and brand loyalty. And, of course, they mitigate against the losses from potential breaches of personal data.

As a training provider, Freevacy recommends the BCS Practitioner Certificate in Data Protection along with the IAPP Certified Information Privacy Professional Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) certified training courses, which when combined will provide the required knowledge to ensure data protection by design and default is implemented successfully.

To find out more about data protection and privacy management training, email contact@freevacy.com or call our team on 0370 04 27701 today.