Privacy by Design – What have raisins and data protection got in common?

As lockdown eases, our Director, Clare Paterson, has enjoyed scones in the garden with family. And because data protection is never far from her mind it struck her that the scones represented a great metaphor for what the ICO refers to as “Privacy by Design”. Clare explains here what raisins and data protection have in common:

Let me start by giving you a challenge. I want you to make me some fruit scones, full of lovely juicy raisins, like in the first picture above. The catch though, is you are presented with the already baked plain scones in picture 2, and the bowl of raisins in picture 3. Now, can you use them to make me some lovely fruit scones with the fruit evenly distributed through every bite?

I’m guessing the answer is no. And you’re possibly also thinking “what a stupid thing to ask of me”. But unfortunately this is exactly the magic trick that Data Protection Officers, Consultants and Advisors are asked to perform every day in their work. I’m sure you’ve worked out that the scones are your organisation’s processes and systems, the raisins are good data protection and privacy practices, and the fruit scones are data protection compliant processes and systems.

“The only way to get the raisins evenly spread through the scones is to start from scratch and bake them in, and it is exactly the same with data protection”

If you’re a DPO and you’ve ever been asked to look at a new work process, computer system, policy or anything else, “and just make sure it’s DP compliant”, or been asked “can you just sign off this DPIA?”, please know that you’re not alone and I feel your pain.

If you’re the colleague asking your data protection team or lead to look at an already fully-formed process and asking them to make sure it’s data protection compliant, please PLEASE think about the scones metaphor and understand that you’re asking the impossible.

The only way to get the raisins evenly spread through the scones is to start from scratch and bake them in, and it is exactly the same with data protection, and it’s the meaning of the phrase “Privacy by Design”. We need to bake in the consideration of data issues right from the planning stages whenever we’re even thinking of introducing a new piece of software, policy or new way of doing things.

Let’s leave the scones metaphor for now (because I’m getting hungry!) and I’ll give you a real-life example. Think of an organisation that wants to implement a “no jab-no job” policy. The HR team, Health and Safety manager and IT manager have discussed how they want to handle this, and decided the most efficient way is to use an electronic survey on the website that asks job applicants about their response to having the vaccination. If they answer “no” the survey automatically asks them to explain in detail why they have said no to having the jab.

So the IT Team build the electronic survey and then, mindful that people who answer “no” will likely give reasons including sensitive information, the HR Team ask the Data Protection Officer to look at the new process to check it’s DP compliant. They might say “can you do a DPIA (Data Protection Impact Assessment) on this new process?” even though the process has already been decided on. This is the equivalent of the scones challenge. The process has already been decided on and built – the plain scones. And the DPO is being asked to add good data protection considerations – or raisins – into the scones. It’s probably too late at this point to make a compliant process without starting over; a waste of time and energy.

“If we can get organisations to recognise this and get the DPO on board from the earliest planning stages, we can all work more efficiently.”

Sometimes we are required to carry out a full DPIA, and I am seeing some progress with this happening on high-risk projects and policies, but the data-related risks should be assessed for every new way of working, even if it’s regarded as low risk. You have to do some level of assessment to decide if the work is high-risk enough to need a full DPIA at any rate!

For what it’s worth, I believe the reason that DPOs and people in similar roles are often seen as obstructive is because they’re not involved in projects until the end, or almost the end, and they pick it apart in order to squeeze good data protection practices into it. If we can get organisations to recognise this and get the DPO on board from the earliest planning stages, we can all work more efficiently. Data Protection risks should be considered and flagged right at the start of the project or of drafting a new policy, so it makes sense to include prompts in your project management documentation and in your policy templates, and reach out to your Data Protection advisors right at the start too.

If you’d like support to rearrange the way you manage data-related projects, please don’t hesitate to get in touch: https://cpdataprotection.com/consultancy/

A great starting point is to sign up to our mailing list and receive a data protection health check template tailored for different types of organisations, by clicking below.