Nathan Good & Maritza Johnson
February 2022
Privacy as a Practice

For more than 20 years, we have been working with a wide range of organizations to tackle tough challenges at the intersection of data privacy, security, and technology. Whether building a specific product, new systems, or a whole company, organizations know they need to prioritize data responsibility and “privacy by design.” Often, though, they don’t know how or where to start, or they address privacy too late in the development cycle, or they think of privacy as something to keep compliance happy.

Adding to this challenge, the term "privacy" means different things to different people in different contexts. At Good Research, we think privacy is a sustained action: it is the ongoing and iterative practice of developing and implementing policies to manage data responsibly and safely. Privacy is not the responsibility of one team or one person. It requires the alignment of good policies, good promises, and good principles from the top to the bottom and across functions within an organization.

We see that doing privacy right requires addressing policy, promises, and praxes as key components of a holistic privacy practice. A good privacy practice involves working to align all three and keeping them aligned.

Policies include what you have to do. From national and state laws like GDPR and CCPA to industry regs like HIPAA and COPPA, rules and regulations around privacy are an evolving landscape. Your policies may be mandated by external regulators, other external bodies, and internal legal and compliance departments. Where do your organization's policies come from? How are they developed?

Promises are what you commit to your stakeholders about your organization’s relationship with data. Your promises tell the outside world, your partners, your customers, and regulators what your intentions are for data and privacy. Your promises can be reflected in everything from contracts and communications to the user experience. What are you committing to? How are you communicating your promises? Do they align with your policies? How do you know?

Praxes are your principles, policies and promises on the ground: what you're actually doing. Praxis is a big word; it encompasses the process by which your principles, policies and promises become real. Praxes act as your 'how' and provide actionable instructions about fulfilling your promises, from the technical architectural design to your relationships with third parties. An organization may promise to be a responsible steward of data, but praxes convey your approach to that stewardship. How do you implement the organization's policies? How are you held accountable? How do your praxes reflect what you’ve promised? How do they align with your underlying principles? You might be surprised to learn that what you're doing isn't what you're supposed to be doing or what you've promised to be doing.

We are challenging organizations to think of privacy as a practice, meaning that privacy isn’t ever “done.” It’s not a clean-up job or a reaction to compliance or a response to harm done. Instead, privacy is the ongoing, iterative practice of intentionally designing, building, and maintaining data technology that not only meets users' needs but prioritizes them. Privacy solutions are inherently interdisciplinary, and addressing policies, promises and principles necessarily overlaps with legal, user experience, data science, design, architecture and at least as many other disciplines.

Our goal is for organizations, spanning nonprofits, government, startups, and the biggest, most complex companies, to be privacy practitioners. They will not only rethink their privacy needs but also reframe their whole approach to data strategy and value-centered design.

Thanks to Jared Maslin and Jessica Traynor.