Technology is ever changing – which means that tech companies need to implement adaptable solutions that address the inherent regulatory and business risks around data, including privacy. That's why Prosus is committed to embedding Privacy by Design – not just as a regulatory requirement, but as a key pillar in the framework of its business.
But what is Privacy by Design? And how does it change the way technology is designed today?
Originally coined by former Ontario Information and Privacy Commissioner, Ann Cavoukian, Privacy by Design was ultimately integrated as a legal requirement within the GDPR. Essentially, it means that data protection should be embedded throughout the lifecycle of the IT service or product – including and, most importantly, at the design phase of a product, tool or platform. This approach ensures that companies can tackle privacy issues from the get-go, and in turn, instil trust in stakeholders who are using their technologies.
In this Q&A, Monika Tomczak-Gorlikowska, Chief Privacy Officer at Prosus, and Justin B. Weiss, Global Head of Data Privacy at Naspers, will tell us how Prosus approaches the implementation of Privacy by Design in markets around the world where its group companies are present.
Why is Privacy by Design important for the tech sector as a whole?
“Privacy by Design has become a popular catch phrase because there has been a growing recognition over the past decade that tech companies haven’t always done enough to address privacy issues at the outset. As a relatively young industry, the tech sector has historically embraced the value of iteration, making mistakes and learning from them. Because this approach to technology is so prevalent, each iteration comes with privacy challenges that need to be solved. Tackling those challenges early on in the process is so important because we’ve seen that it’s difficult to go back and implement privacy in the product retroactively without altering the business’ approach to data, and therefore impacting its established commercial interests.”
“Privacy by Design is a requirement that is as broad as the sea. In some respects, privacy by design could almost be considered ‘privacy 2.0’ insofar as privacy practice has moved from something that is very much compliance driven and usually retroactive to something that must be workshopped proactively. Prosus makes it clear to its stakeholders that this is something we are taking seriously by making it a part of our Group’s approach to business goals, building from the principles in our Data Privacy Governance Policy. Privacy by Design is a continuous journey – as technology evolves, PbD will always be pertinent.”
When did Prosus start thinking about Privacy by Design?
“Our privacy programme started years ago, but the concept of Privacy by Design migrated from a philosophical conversation to become a part of our structural implementation, thanks to the GDPR in 2018. The Prosus approach to integrating Privacy by Design into the business is by looking both at how proper education and training on the subject should play a role, while also putting a good deal of the emphasis on executive leadership to drive the subject internally. Essentially, the key to embedding privacy into the culture of the business is to ensure our people not only understand what it is, but also appreciate that their companies recognise it as a shared responsibility.”
“The evolution of this approach involves equipping employees with the right tools to allow them to not only identify issues, but actually solve some of the technological challenges and implement solutions in a creative way. Our aim is to arm technologists with the skills and capabilities to conduct their own analyses and solve some of the problems regarding Privacy by Design, rather than always relying on a team of specialists or legal counsel. A lot of the privacy issues can be better solved by the technologists’ creativity.”
How do you transfer your Privacy by Design principle to subsidiary brands?
“We really stick to a decentralised model where the subsidiaries build their own programmes which adhere to the group policy on data privacy governance. In that policy, we describe some common expectations in terms of executive responsibility, some globally benchmarked driving principles, and the outline of what a privacy programme should address. The group privacy office, internal audit team, and centralized training resources aim to support companies and enhance their capabilities to execute on their privacy programmes, including privacy by design, no matter their size, business, or the geography they are in. Given this diversity, the technical implementations will vary from business to business, depending on the type and location of a company and the nature of the data it collects and uses.
We maintain an active network where data protection officers (DPOs) from all the subsidiaries are connected and regularly talk and exchange information and ideas to help build efficiencies. Although some businesses have bespoke KPIs and approaches, subsidiaries also have quite a few commonalities and best practices that can be applied to other businesses. The real goal here is to weave in Privacy by Design throughout the network, and this is something that we can work towards by building capabilities in the different businesses across the globe.”
How does Prosus use technology to deliver Privacy Impact Assessments (PIA) that meet their intended goals?
“Back in the day, PIAs were public enemy number one as they were incredibly bureaucratic, time consuming and required immense legal support. An efficient PIA tool can be a game-changer because it doesn’t require a privacy lawyer for every single assessment. Ideally, the PIAs should be embedded in standard project work; and privacy technology and automation can help with that because it should be intuitive, adaptable and can easily link to other project development tasks.
Privacy technology, such as the OneTrust suite of products that certain Prosus businesses use, has helped with bringing efficiencies in the Group segment companies by providing them with some readily available, but still flexible, automation for their privacy programmes. The exponential growth of data processing and its ubiquity means that the number of PIAs and indeed the privacy by design work needs to scale, and automated tools can be a big part of our solution set.”
How do you develop Privacy Leaders within the Prosus network?
“We really focus on developing our employees’ capabilities across the group - particularly in growth markets that either do not have privacy legislation or are in the early stages of implementing their privacy laws. Some countries in Asia, Africa and South America, for instance, have only recently begun building their privacy regulatory frameworks. Early on, we realised we needed to cultivate expertise in the privacy domain across all markets, which is why we launched a secondment programme focused on European data privacy foundations - to train employees from these markets, including them obtaining the CIPP/E certification administered by the International Association of Privacy Professionals (“IAPP”). Several examples come to mind: we have had representatives from our Brazilian, South African, Indian and Colombian businesses work with me in Hong Kong to get CIPP/E certified as European data protection experts before being assigned as data protection leads in their respective businesses. Why Europe, you may ask? Many jurisdictions take Europe as the model for their legislation – so, we figured we could use this programme as a tool to leverage capabilities of the group to benefit the subsidiaries while giving them a head start before their respective laws come fully into force. Helping the companies learn how to fish for themselves, so to say.”
“Now we’re turning our attention to technologists, product engineers and other functions to truly develop a privacy engineering community at a broad scale. The IAPP Certified Information Privacy Technologist (CIPT) credential is going to be the core of the training programme that we are about to launch. We hope that this will allow people in the group to obtain the skills necessary to intervene in the initial phase and implement privacy by design at inception.
Privacy by design cannot be achieved by the privacy office alone - it is critical to spread this knowledge across global companies and locations while expanding from within.”
You have mentioned the course that Prosus is launching. Can you give us a sneak peek?
We’re very excited about the potential. The course allows our teams, including minority investee companies that are interested, to use our internal training platform to pursue the IAPP’s ISO-certified CIPT credential as a baseline to become a certified privacy technologist. In addition, we have designed some enrichment video content for our learners to augment the course content by learning from people outside of our own organisation.
For these videos, we have formed a virtual study cohort who will record interviews with well-recognised privacy professionals in the tech industry and the regulatory community - including experts from Uber, Grindr, and the U.K.’s Information Commissioner’s Office. Our interviews are designed to elicit unique perspectives on questions of privacy by design and technology that will expand our learners’ exposure to diverse viewpoints on the subject. With several more interviews in the pipeline, we aim to give learners this extra boost (and broader context) as they go through the course alongside their virtual cohort.
These videos will be available globally. As Justin has mentioned, we want to see growth of talent across the various jurisdictions where group companies operate.
There is no endpoint for us. We want to get a good number of learners in and educate people in a fun and effective way. If we see that we can get people to conduct privacy reviews as part of their jobs and really be proactive in implementing our privacy philosophy - that will be a significant step forward in our privacy by design journey as a group.