In recent years the amount of personal data held and processed by organizations across industries has grown exponentially as services have become increasingly digitalized, which has also created new business opportunities. With these new possibilities come new responsibilities to ensure that personal data is treated responsibly. The EU General Data Protection Regulation (GDPR), which affects all organizations handling personal data, has recently received wide publicity, not least because of its high administrative fines. We believe that organizations that handle privacy well will not only avoid these fines but also gain the trust of individuals, resulting in increased business.

Our privacy practice is built on the competences of several privacy professionals. It consists of data protection lawyers, privacy engineers, software architects, privacy program managers and cybersecurity specialists. We are proud of our cross-professional approach, which allows us to work with the most demanding technologies and environments.

Privacy Impact Assessments and Privacy Threat Modeling

Privacy Impact Assessments (PIA) and privacy threat modeling are essential tools for privacy professionals. We use them to assess risk, review practices and develop the competences of organizations, services, products and practices. We can help you put them to use in, for example, the following ways:

  • Identify when and where Privacy Impact Assessments are recommended or mandatory
  • Curate, tailor and create different PIA models and tools ranging from corporate action planning to software and service development
  • Use impact assessments and threat modeling to construct prioritized development roadmaps as well as revise the quality and compliance of services and products
  • Tailor PIA programs and build in-house PIA capabilities

Design of privacy programs and data protection accountability

Under the GDPR, companies are required to maintain documentation that shows the adoption of compliant data protection practices. In creating corporate accountability for data protection, we implement the following best practices:

  • Privacy programs and governance models are built to serve the existing organizational model with the necessary agility and adaptability based on business needs
  • Accountability is built on three aspects: accountability of policies, processes and practices
  • Identification of KPIs to measure the effectiveness of the program
  • Building in-house capabilities for our clients to maintain a high-quality and up-to-date approach

Policy and Processes

Policies and processes support each other in managing corporate privacy. We see privacy as a built-in approach that creates consistency, flows throughout the organization and creates trust and transparency. Policies relating to personal data provide a guideline for all use of privacy-sensitive information; they should be concise and accurate and serve the organization as a tool for data management. When developing privacy processes and governance, we rely on several principles:

  • Ensuring that the optimal workflow is implemented once the key processes and their supporting technologies have been identified
  • Processes and policies are easy to manage and adopt without unnecessary administrative burden
  • Building KPIs and quality gates for measuring effectiveness

Software Development Practices

For organizations that develop or procure software, Privacy by Design should be a part of the development model, vendor requirements and day-to-day operations.

  • Privacy by Design is a cross-professional practice where development and legal professionals come together to create the framework for technical requirements
  • Implementing Privacy by Design affects more than just the developers, since legal support, surrounding processes, procurement, etc. are all involved in the software life-cycle
  • Privacy by Design means building in-house knowledge and in-house ownership about privacy requirements; these may vary on a global scale
  • Adopting Privacy by Design is critical especially in big data, IoT, AI and other technologically advanced solutions

Selecting Secure Technologies

Cybersecurity controls, as well as development and monitoring solutions, should cover data-protection-related issues so that privacy threats can be prevented and responded to, especially in key systems.

  • Implementation of appropriate authorization and authentication technologies to guarantee lawful access to data
  • Monitoring of breaches in privacy sensitive systems to enable an efficient response and communication
  • Adoption of privacy enhancing technologies tailored to help with different problems, use cases, services or products

Legal, Regulatory and Contract

To complement our technology-driven approach we offer an advisory team that assists in choosing and adopting contractual measures to solidify privacy management and helps navigate different jurisdictions' privacy frameworks. Our contractual and regulatory services focus on the following key areas:

  • Privacy in agreements: data processing agreements and template annexes to facilitate day-to-day contract management
  • Privacy in Public and Private ICT procurement, starting from the drafting of privacy requirements in RFPs to evaluating tenders and compliance of service providers
  • Frameworks permitting international data transfers and the respective implementations

In case you have any privacy concerns or would like to understand better how the General Data Protection Regulation affects you, please do not hesitate to contact us to discuss these in more detail.

End-User Experience

When developing services that handle personal data, the user experience is of paramount importance to both internal and external users. Poorly designed systems do not create trust in end users, who in the worst case will avoid using the services; in the best case, end users are willing to share more of their personal data because they trust that it is handled appropriately.

  • The first user experience is the focal point for privacy compliance; therefore, trust should be built in from the first moments of onboarding clients
  • End users who trust the service and know why and how their personal data is used are also glad to provide it; in turn, brands that provide the most value back to users have more engaged customers
  • Systems and customer-facing interfaces can be tailored to provide end users with the functionalities necessary for compliance, such as data erasure and portability
  • For the service provider this results in more effective customer acquisition, better loyalty across the channels that support business decisions, and an improved end-user experience