VoIP Resources Small Business Tips Business Technology

How to Implement Privacy by Design for Business

by Margaret Joy

Privacy by design, also known as PbD or Privacy by default, is a design methodology that marries data privacy and UX. Find out why it's vital for business.

When we build something, we take each step in a certain order. Without a strong base, any attempts to build will eventually fall apart. It’s why buildings have architects and blueprints, or else any old wolf could take it down with a hefty puff or three.

The same goes for technology, particularly in the cloud. Cloud architecture is so important that Deloitte has an entire podcast on the subject. And the most vital part of cloud architecture, that solid base that allows for growth and expansion? Privacy. Enter: Privacy by design, a framework for systems engineering that ensures privacy is proactively centered throughout the entire design process.  

Privacy by design, also known as PbD or privacy by default, came about in the mid-1990s. Ann Cavoukian developed the idea and formalized it with an international joint team. By 2010 the framework was accepted by the International Conference of Data Protection and Privacy Commissioners, now known as the Global Privacy Assembly. A defining characteristic of Cavoukian’s approach is that PbD isn’t just about the literal IT infrastructure; it’s also about business practices and habits. Quite importantly, Cavoukian emphasized that PbD can’t be performative. It requires effort and intersectionality in every aspect. 

Privacy Is Key to Scalability

IT security is no longer a simple antivirus installation, and businesses can’t treat it as an afterthought—especially when it comes to cloud software. You can’t put a padlock on the cloud, so security has to be designed into the infrastructure. 

There’s a lot to take into account with cloud scalability. No matter the specific service in question, there’s no shortage of providers out there. So even after you’ve figured out what you need, you have to sift through your potential avenues. Things like privacy by design and shared responsibility security models should be as high a priority as pricing and features. Why? Because risk is inherent in any cloud model, but properly scalable offerings prioritize security. Ramin Sayar, CEO of Sumo Logic, says on Deloitte’s podcast:

“In terms of what else is COVID forcing, I think it's accelerating in some cases a lot of our customers' requirements to...make sure that their digital services are not just up and running but also secure. So it's really forcing them to holistically double down on not only security but also operational performance and reliability of these services a lot of their prospects and customers rely on.”—Ramin Sayar, Sumo Logic

The Intersection of UX/UI and Data Privacy

Much like cybersecurity and data privacy in business, the buck doesn’t stop at technology. You could even argue that the most secure technology available still doesn’t do much if you don’t practice what you preach in daily life from business vision to access settings to inter-team communications. It takes the design thinking process to heart: strategy and empathy before mockups. What does the user need? They need privacy, now more than ever thanks to the continued expansion of data privacy laws. The best way to provide data privacy is to work it into the underlying infrastructure of any software. If you start there, it becomes the centerpiece of the design, already factored into every additional function of the tech in question. The GDPR  dedicated an entire article to the concept, and summed up the idea quite nicely:

“The term ‘Privacy by Design’ means nothing more than ‘data protection through technology design.’”

Privacy by design is founded on seven principles. It’s clear from them that this methodology is where UX design and data protection meet.

The 7 Privacy by Design Principles

Consider this your guide on how to implement privacy by design. 

1) Proactive not Reactive; Preventative not Remedial

Recognize the importance of preemptive privacy measures, and start design work there. Don’t wait for issues like data breaches to happen—be active, not passive. Committing to privacy in design from the beginning and at all levels means you acknowledge risks before they materialize. Put control in your hands, not a hacker’s. 

This is incredibly important when you remember the state of the cybersecurity industry. The overwhelming majority of cybersecurity professionals prioritize containment, not prevention. Adopting PbD will lessen your recovery time after a breach, not to mention the vast price tag that comes with that process. 

Screenshot of Varonis data breach statistics.
From the 2020 Varonis Data Breach report.

2) Privacy as the Default Setting

If you’re going to default to one theme, let it be privacy. Building privacy into your system and business makes it automatic. Reduce risk by limiting external effort as much as possible. For one thing, you can’t rely on anyone to properly secure their data. For another, it helps you stay compliant with data privacy laws like the GDPR: Be specific about the data you collect, make sure you collect the minimum necessary data, collect with consent, and destroy it when you’re done. 

3) Privacy Embedded Into Design

If privacy is embedded from the start, you won’t have to sacrifice security for functionality down the road. It’s your foundation, not something tacked on at the end. With design thinking in mind, assess your privacy approach at each step to make room for any creative changes with existing standards as a metric. 

4) Full Functionality—Positive-Sum, not Zero-Sum

Everybody wants a win-win situation. This is where you need to follow through on your declaration of commitment to privacy. Anyone can talk a big game, but too often in design, we end up sacrificing some aspect to make space for another. PbD rejects this zero-sum mindset, recognizing it’s outdated. Challenge yourself to innovate and accommodate objectives and your desired outcome around the central privacy component. 

5) End-to-End Security—Full Lifecycle Protection

This is where security comes into play. Privacy can’t exist without strong security. If you embedded privacy before any data is collected, congratulations on reading principle number 3. Now you have to protect that data. This means secure practices from pre-collection to destruction. 

OnSIP takes this principle particularly seriously. As a VoIP provider, we’re big on end-to-end encryption, which the big name in video call providers may or may not be. 

Screenshot of a full mesh network.
A full mesh network provides end-to-end security that a star topology does not.

6) Visibility and Transparency—Keep It Open

Accountability, openness, and compliance are the trifecta here. You must hold yourself accountable for the data you collect and be open with the data subjects about when and what you collect. Take the required steps to ensure your practices comply with necessary policies. If you’re compliant, there’s no reason to hide. Be open with partners and users to build trust.

7) Respect for User Privacy—Keep It User-Centric

Cavoukian neatly sums up design thinking in her final principle: “The best Privacy by Design results are usually those that are consciously designed around the interests and needs of individual users.” UX matters, folks! 

Yes, privacy should be the default, which as a result, should minimize the active participation of users as much as possible. The key word here is minimize, not eliminate. No one is more invested in data privacy than the data subject, which is why standards call for consent and transparency. Access is part of that as well: Any user should be able to access their personal information collected by third parties for accuracy and updates. 

Frustrated woman making a call on her cell phone.
No customer should look like this when trying to check data privacy. Well-designed UX/UI helps eliminate frustration.

Respect for user privacy doesn’t just mean auditing your process for inaccurate data or providing appropriate notice. It means actively engaging in human-centric design so that your UI, with end-to-end privacy embedded from the get-go, puts the user in the best setting to make informed privacy decisions. 

Implementing PbD

Cavoukian and her colleagues did an excellent job laying out privacy by design. Most engineering approaches are intimidating at first sight. They’re usually pages upon pages of jargon-filled explanations that can put off anyone new to the subject. PbD is quite different. The initial 2010 document outlining the principles is clear, concise, and unfettered by extensive philosophizing that certainly is part of the discussion but too often makes its way into explanatory materials. In a world where design methodologies and data privacy laws often make us feel like we need another degree to begin to understand their intricacies, PbD is a refreshingly direct approach that any business can easily incorporate—and they should. 

Learn more about Small Business Tips