{"id":10518,"date":"2024-02-20T13:34:25","date_gmt":"2024-02-20T19:34:25","guid":{"rendered":"https:\/\/board.org\/?p=10276"},"modified":"2026-01-30T00:47:43","modified_gmt":"2026-01-30T06:47:43","slug":"from-philosophy-to-framework-privacy-leaders-share-practical-approaches-to-implementing-privacy-by-design","status":"publish","type":"post","link":"https:\/\/board.org\/dataprivacy\/resources\/from-philosophy-to-framework-privacy-leaders-share-practical-approaches-to-implementing-privacy-by-design\/","title":{"rendered":"From Philosophy to Framework: Privacy Leaders Share Practical Approaches to Implementing Privacy by Design"},"content":{"rendered":"<p><strong>Key takeaways:<\/strong><\/p>\n<ul>\n<li>You can\u2019t incorporate Privacy by Design into an organization without top-down support from your executives.<\/li>\n<li>The exact definition of PBD varies among privacy leaders. For some, it\u2019s a philosophy for how to incorporate privacy into an organization, while others are taking a very structured, framework-based approach.<\/li>\n<li>Your approach to PBD will have implications for where and how it is implemented. Companies for which the concept means a greater focus on building in privacy principles as new programs come on board implement these principles by carrying out reviews and assessments. However, addressing privacy concerns for existing systems poses a different set of challenges.<\/li>\n<\/ul>\n<p>As a data privacy leader, you understand that being proactive in managing privacy risks yields far greater results than reacting to emerging issues and retrofitting new systems.<\/p>\n<p>This is precisely why Privacy by Design (PBD) principles advocate for integrating good privacy practices right from the start when designing or implementing products, infrastructure, or business processes.<\/p>\n<p>Yet, integrating these principles into the day-to-day of your systems and operations can be a massive undertaking.<\/p>\n<p>Recently, the Data Privacy Board hosted a panel on <a href=\"https:\/\/go.board.org\/panel-on-privacy-by-design?_gl=1*mv5mk5*_ga*NjYyNDcyODE1LjE2OTUzOTgwMTU.*_ga_LKGTYTDQ9M*MTcwOTc1OTU0OC4yMTguMS4xNzA5NzY1MzQ3LjUxLjAuMA..\" target=\"_blank\" rel=\"noopener\">Operationalizing PBD at a Large Enterprise<\/a> where senior privacy leads at Bose, Northwestern Mutual, and Merck convened to share actionable advice on building PBD principles into your organization.<\/p>\n<p>Panelists addressed the importance of securing top-level buy-in and defining what PBD means in terms of your organizational culture, and shed light on the pivotal role of proactive privacy strategies in fostering trust and compliance.<\/p>\n<h2>You Can\u2019t Drive a Privacy-First Strategy Without Executive Support<\/h2>\n<p style=\"text-align: center;\"><em>From Left: Evan Fleischer, Tom Holtan, Andy Keller, and Daniel Fisher.<\/em><\/p>\n<p>To successfully incorporate PBD principles into your enterprise\u2019s operations, <a href=\"https:\/\/board.org\/dataprivacy\/resources\/how-to-secure-c-suite-support-for-your-data-privacy-program\/\" target=\"_blank\" rel=\"noopener\">C-suite support<\/a> is paramount.<\/p>\n<p>As Merck Director of Digital and Data <a href=\"https:\/\/www.linkedin.com\/in\/dfisher10\/\" target=\"_blank\" rel=\"noopener\">Daniel Fisher<\/a> said during the panel, \u201cTop-down management impacts everything we do.\u201d<\/p>\n<p>Leadership endorsement signals the importance of privacy throughout the organization and enables you to foster a culture where privacy is ingrained in every aspect of the organization\u2019s operations and decision-making processes.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/evan-fleischer-esq-4b5b2027\/\" target=\"_blank\" rel=\"noopener\">Evan Fleischer<\/a>, Legal Counsel at Bose, echoed this sentiment and said the desire to do right by their customers drives and helps inform their strategy and privacy impact assessment (PIA) process.<\/p>\n<p>Evan further highlighted the value of employee engagement and support for privacy. At Bose, he said, employees often proactively reach out with potential privacy concerns or ideas.<\/p>\n<p>\u201cThat really helps drive not just the things we\u2019re aware of and initiatives we\u2019re aware of, but identifying other areas that might need a better privacy eye,\u201d he said.<\/p>\n<h2>Defining Privacy by Design at Your Organization \u2014 Philosophy or Framework?<\/h2>\n<p>Adapting culture and enterprise processes takes time, so it\u2019s important to consider that operationalizing PBD and its seven foundational principles is a continual process.<\/p>\n<p>In fact, Data Privacy Board members came together in our confidential community at the end of last year to benchmark where they are on their PBD journeys.<\/p>\n<p><strong>In a poll of attendees, 61% of members classified their maturity as \u201cin process,\u201d and just one member felt their company was mature or close to mature in this area.<\/strong><\/p>\n<p>Members also acknowledged at the outset and throughout the conversation that defining \u201cPBD\u201d in exact terms isn\u2019t something they feel very solid about.<\/p>\n<p>For some, it\u2019s more of a conceptual outlook for how to incorporate privacy in the practices of an organization, while others are taking a very structured, framework-based approach.<\/p>\n<p>This philosophy versus framework question was also mentioned during the public panel discussion, where a hybrid definition surfaced.<\/p>\n<p>Northwestern Mutual Senior Director of Privacy <a href=\"https:\/\/www.linkedin.com\/in\/thomasholtan\" target=\"_blank\" rel=\"noopener\">Tom Holtan<\/a> said they view it as both philosophy and framework.<\/p>\n<p>At the conceptual level, he said it\u2019s essential that this philosophy and a privacy-first culture are adopted enterprise-wide, from senior leadership down to frontline employees.<\/p>\n<p>When it comes to actually implementing these principles into your operations, panelists shed light on the importance of your risk and assessment process.<\/p>\n<p>\u201cThe only way to embed PBD is to have your flags, checkpoints, processes, and audit capabilities to make sure that you\u2019re actually embedding those principles into day-to-day operations,\u201d Daniel said.<\/p>\n<h2>How to Define Your Approach to Privacy by Design<\/h2>\n<blockquote><p>\u201cThe only way to embed PBD is to have your flags, checkpoints, processes, and audit capabilities to make sure that you\u2019re actually embedding those principles into day-to-day operations.\u201d<\/p>\n<p><em>Daniel Fisher, Director of Digital and Data at Merck<\/em><\/p><\/blockquote>\n<p>During the Data Privacy Board members\u2019 private discussion, there was a conversation about how you structure your approach and the implications for where you can implement PBD.<\/p>\n<p>Companies for which the concept means a greater focus on building in privacy principles as new programs come on board implement these principles by carrying out reviews and assessments throughout the project\u2019s life cycle rather than retrofitting.<\/p>\n<p>However, addressing privacy concerns for existing systems poses a different set of challenges. Members shared various strategies, including tiering vendors based on risk and conducting reviews in 1-3 year cycles, leveraging data governance processes to identify unknown legacy systems, and actively involving themselves in the sourcing and procurement process.<\/p>\n<p>At Northwestern Mutual, Tom said the privacy team is very intentional about their risk and assessment process, which he called <strong>\u201cone of the most effective levers in ensuring we have a seat at the table.\u201d<\/strong><\/p>\n<p>By deploying consultants for the review and assessment process across the organization, they ensure that technological deployments and process changes are accounted for and reviewed through a PBD lens, enabling them to proactively embed privacy principles.<\/p>\n<p>This approach allows the team to stay attuned to what\u2019s changing throughout the enterprise and ensure privacy principles are baked in from the outset.<\/p>\n<p>While PBD provides a great framework, Tom said there\u2019s still a lot of gray area. He said there\u2019s not a singular checklist, and that\u2019s what makes this journey challenging.<\/p>\n<p>\u201cSo much of what we do is around the context of a specific request, and every request is a little different,\u201d Tom said. \u201cThere are general principles, but what we found is by aligning with our second line partners across the company, we\u2019re able to get that context and give that right level to keep that consumer perspective in mind and keep data protected.\u201d<\/p>\n<p>In essence, while PBD offers a solid foundation, its successful implementation requires a nuanced approach that considers the unique challenges and contexts within each organization. Collaboration and proactive engagement across various stakeholders are essential to navigate the complexities of privacy management effectively.<\/p>\n<blockquote><p>\u201cWhat we found is by aligning with our second line partners across the company, we\u2019re able to get that context and give that right level to keep that consumer perspective in mind and keep data protected.\u201d<\/p>\n<p><em>Tom Holtan, Senior Director of Privacy at Northwestern Mutual<\/em><\/p><\/blockquote>\n<h2>Benchmark With Your Peers at Other Large Companies<\/h2>\n<p>It\u2019s clear there\u2019s no one-size-fits-all approach to operationalizing PBD, and the advice shared by panelists is just scratching the surface of this topic.<\/p>\n<p>Data Privacy Board members are able to gut-check their strategies in a completely confidential space.<\/p>\n<p>Interested in learning more about how the community could help support your program\u2019s needs? Get in touch below.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":10638,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[204],"tags":[],"class_list":{"0":"post-10518","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-dataprivacy","8":"content-type-blog"},"acf":{"boardmc_hide_post_header":null,"boardmc_hide_site_header":null},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/posts\/10518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/comments?post=10518"}],"version-history":[{"count":0,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/posts\/10518\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/media\/10638"}],"wp:attachment":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/media?parent=10518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/categories?post=10518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/tags?post=10518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}