Eight Strategies to Help Organizations Implement Privacy by Design and Default

New book and course from ISACA share the foundational principles of privacy by design and default

SCHAUMBURG, Ill.--()--Many enterprises’ core activities and business models revolve around gathering and sharing user-related data, but there are often gaps around protecting user privacy and fostering trust—forcing them to take reactive steps to catch up with customers’ privacy expectations and comply with privacy regulations. ISACA’s new publication, Privacy by Design and Default: A Primer, gives organizations and professionals the strategies and techniques to take a proactive approach to building in privacy considerations.

Privacy by design challenges conventional system thinking. It mandates that any system, process or infrastructure that uses personal data consider privacy throughout its development life cycle and identify possible risk to the rights and freedoms of the data subjects and minimize them before they can cause actual damage. Among the privacy techniques and privacy design strategies shared in Privacy by Design and Default are a core set of eight privacy design strategy components, including:

  • Minimize: The personal data processed should be restricted to the minimal amount necessary. For example, only requesting an individual’s birth year rather than the actual birth date should be sufficient for age-restricted services.
  • Hide: Personal data and their interrelationships should be hidden from plain view. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that only the last four digits of a credit card number be printed on a receipt.
  • Inform: Whenever data subjects use a system, they should be informed about which information is processed, for what purpose and by what means.

Privacy by Design and Default walks through not only the key concepts and foundational principles behind privacy by design, but also topics including cybersecurity and privacy risk, privacy engineering, and privacy protection in IT system design. It also includes a timeline on key global privacy regulations—including the General Data Protection Regulation (GDPR) in Europe, Lei Geral de Protecao de Dados Pessoais in Brazil, and the Amended Act on the Protection of Personal Information in Japan—and their evolution.

“The privacy by design approach ensures that data can continue to be used by enterprises in a way that respects data subject privacy,” says Safia Kazi, ISACA Privacy Professional Practices Associate. “When an enterprise understands how it collects, stores and uses data, this leads to increased confidence and trust in the data on which it bases strategic decisions—and that enhances trust between the enterprise and its customers.”

ISACA is also offering a companion course on privacy by design. This course provides learners with an introduction to privacy by design along with interactive scenarios and knowledge checks to test understanding of privacy by design concepts. Those who participate in this virtual, self-paced course will gain a holistic understanding of privacy by design, including its foundational principles and technology that can support it.

Privacy by Design and Default: A Primer is US $60 for members and $90 for nonmembers and is available in a digital format or in print at https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko9tEAC. The Privacy by Design and Default Online Course is US $49 for members and $79 for nonmembers, and is available at store.isaca.org/s/store#/store/browse/detail/a2S4w000004L1vrEAC. To discuss topics around privacy, visit ISACA’s online Privacy community on the Engage platform. Additional privacy resources, including the Certified Data Privacy Solutions Engineer (CDPSE) credential, are available here.


For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews


Emily Van Camp, evcamp@isaca.org, +1.847.385.7223
Bridget Drufke, communications@isaca.org, +1.847.660.5554


Emily Van Camp, evcamp@isaca.org, +1.847.385.7223
Bridget Drufke, communications@isaca.org, +1.847.660.5554