APPS-15 – Privacy by Design and Default Policy


What is this control about?

Privacy by Design and Default is an approach that promotes the integration of privacy considerations into the design and development of systems, products, and processes from the very beginning.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

Here are some guidelines for implementing an effective Privacy by Design and Default Policy program:

  • Establish a Privacy by Design and Default Policy: Develop a policy that outlines the organization’s commitment to privacy by design and default. This policy should define the objectives, scope, and guiding principles for incorporating privacy considerations into the design and default settings of systems, products, and processes.
  • Create a Privacy Governance Framework: Establish a privacy governance framework that outlines the roles, responsibilities, and processes for implementing and maintaining privacy by design and default practices. This framework should clearly define the accountability and decision-making structure within the organization to ensure the integration of privacy throughout the development lifecycle.
  • Conduct Privacy Impact Assessments (PIAs): Perform Privacy Impact Assessments (PIAs) for new systems, products, or significant changes to existing ones. PIAs help identify and evaluate privacy risks, assess the impact on individuals’ privacy, and determine appropriate mitigation measures. The findings from PIAs inform the design and default settings of the systems or products.
  • Apply Privacy by Design Principles: Incorporate privacy by design principles into the design and development process. Integrate privacy considerations from the initial stages of system or product design, covering privacy features, data minimization, purpose limitation, data retention policies, access controls, and encryption techniques. Ensure that privacy controls are built in rather than added as an afterthought.
  • Implement Privacy-Enhancing Technologies: Leverage privacy-enhancing technologies (PETs) to support privacy by design and default. PETs include techniques such as pseudonymization, anonymization, data de-identification, secure multiparty computation, and differential privacy. Evaluate the use of these technologies to enhance privacy protections and minimize the collection and processing of personal data.
  • Establish Default Privacy Settings: Set privacy-protective defaults for systems, products, and services. Default settings should prioritize privacy by enabling privacy-enhancing features, limiting data sharing by default, and obtaining explicit consent for data processing activities. Users should have granular control over their personal data and the ability to customize privacy settings as per their preferences.
  • Conduct Privacy Training and Awareness: Provide training and awareness programs for employees involved in the design, development, and management of systems or products. Educate employees on privacy principles, best practices, and the organization’s privacy by design and default policy. Ensure they understand their roles and responsibilities in incorporating privacy into their respective areas of work.
  • Implement Privacy Review Processes: Establish processes for conducting privacy reviews throughout the development lifecycle. Regularly review and assess systems, products, and processes to identify privacy risks, evaluate compliance with privacy by design and default requirements, and identify areas for improvement. This includes periodic audits or assessments to ensure ongoing adherence to privacy principles.
  • Document Privacy by Design and Default Measures: Maintain documentation that demonstrates the organization’s implementation of privacy by design and default practices. This includes records of PIAs, design specifications, privacy control implementation details, data flow diagrams, system architecture documentation, and any other relevant artifacts. These documents provide evidence of the organization’s commitment to privacy and compliance efforts.
  • Conduct Privacy Impact Assessments for System or Product Changes: Whenever there are significant changes to systems, products, or processes, conduct privacy impact assessments to evaluate the impact on privacy and ensure that privacy by design and default principles are maintained.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the following suggested actions:

  • Privacy Governance Framework: Documentation of a privacy governance framework that outlines the roles, responsibilities, and processes for implementing and maintaining privacy by design and default practices. This framework should define the accountability and decision-making structure, including the involvement of relevant stakeholders such as privacy officers, legal teams, IT personnel, and business representatives.
  • Privacy Impact Assessment Reports: Documentation of completed Privacy Impact Assessments (PIAs) conducted for new systems, products, or significant changes to existing ones. These reports should outline the assessment process, identify privacy risks, assess the impact on individuals’ privacy, and propose mitigation measures. They should also include evidence of stakeholder involvement and decision-making regarding the design and default settings.

Evidence example

For each suggested action, an example is provided below:

  • Privacy Governance Framework

APPS 14 Privacy Management

  • Privacy Impact Assessment Reports

Leverage this template: Privacy Impact Assessment Report
