Privacy by design, more than a strategy

Consumer data privacy is seemingly at the forefront of every conversation about technology in the current climate. When major hacks such as last year’s Experian data breach happen, renewed calls for more stringent data protection protocols inevitably occur. Additionally, the recent predicament involving Facebook sharing customer data has also brought the issue of privacy to the forefront.

Regulators have begun taking notice as well. The recently implemented General Data Protection Regulation (GDPR) in the European Union, for example, gives consumers more control over their data and how it is used. Within the financial world, banks that market and sell in the EU, or have European offices, will need to begin implementing steps to meet regulations, such as translating their website into relevant languages.

All of this means that firms should be baking “privacy by design” into all their products and services if they aren’t already. Simply put, privacy by design is a strategy wherein privacy and data protection compliance are taken into account right from the start of designing a product or when beginning a new project.

According to the U.K. Information Commissioner’s Office (ICO), taking a privacy by design approach is an essential tool in minimizing privacy risks and building trust. Doing so can reap benefits including:

  1. Potential problems that are addressed early are simpler and less costly to tackle
  2. Awareness of privacy and data protection increases across the organization
  3. Actions are less likely to be intrusive and have a negative impact on individuals

To implement an effective privacy by design strategy, firms should follow privacy best practices. Firstly, consider the privacy impact when starting any new project. The ICO offers various privacy impact assessments that are designed to reduce the risks of harm to individuals through the misuse of their personal information and can be integrated into existing project management policy. It is also advised to lead with privacy as the default setting.

It is important for your company to rid itself of the mindset that privacy is an “either-or” when compared to other design considerations. Privacy should not have to compete with user experience design or technical specifications; it should not be something that is considered to impair functionality, but rather work in tandem with it.

In addition, it is critical to ensure end-to-end security. According to Deloitte, data lifecycle security means all data should be securely retained as needed and destroyed when no longer required. Finally, as drawn up in one of the first privacy by design frameworks in Canada in the 1990s, “privacy standards must be visible, transparent, open, documented and independently verifiable. Your processes, in other words, must stand up to external scrutiny”.

Privacy by design should not be considered optional anymore. Failing to implement a privacy by design culture in all of your firm’s design processes could mean not only running afoul of regulators but falling behind the competition. Indeed, many companies are already making strides in this area.


There are also some common misconceptions to avoid when tackling this issue. The first, primarily among IT professionals and various security officers, is to equate security with privacy. While securing customer data is undoubtedly important, privacy by design is not simply about preventing hacks and cyber attacks. It is more about letting your customers control their own data, and allowing that data to be erased if they so choose.

Another misconception is that privacy only has to do with sensitive data or personally identifiable information (PII). According to Risk Management Magazine, privacy goes beyond what would be traditionally considered sensitive data, to also cover information including location data and any factors pertaining to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. GDPR, for example, also protects data which reveals a person’s racial or ethnic origin, political opinions, philosophical beliefs or trade union membership, as well as all health-related information.

It is worth reiterating that the principles of privacy by design are not constrained by geography. As noted above, while GDPR is an EU statute, it also affects companies that do business there or have EU customers. With other countries contemplating similar statutes, it will only become increasingly important.


Consumers are more concerned about their data privacy rights than ever before. According to a survey last year of adults in the U.S. and U.K., 68 percent don’t trust brands to handle their personal information appropriately. That number surely will have risen considering more recent developments, such as the Facebook data scandal. This is why privacy by design is so important: it is not just something done to satisfy regulators, but a differentiator that will make consumers more trusting of and loyal to your brand.
