For more than 20 years, we have been working with a wide range of organizations to tackle tough
challenges at the intersection of data privacy, security, and technology. Whether building a specific
product, new systems, or a whole company, organizations know they need to prioritize data responsibility
and “privacy by design.” Often, though, they don’t know how or where to start, they address privacy too
late in the development cycle, or they think of privacy as something to keep compliance happy.
Adding to this challenge, the term "privacy" means different things to different people in different
contexts. At Good Research, we think privacy is a sustained action: it is the ongoing and iterative
practice of developing and implementing policies to manage data responsibly and safely. Privacy is not
the responsibility of one team or one person. It requires the alignment of good policies, good promises,
and good principles from the top to the bottom and across functions within an organization.
We see that doing privacy right requires addressing policy, promises, and praxes as key components of a holistic privacy practice. A good privacy practice involves working
to align all three and keeping them aligned.
Policies include what you have to do. From national and state laws
like GDPR and CCPA to industry regs like HIPAA and COPPA, rules and regulations around privacy are an
evolving landscape. Your policies may be mandated by external regulators, other external bodies, and
internal legal and compliance departments. Where do your organization's policies come from? How are they
Promises are what you commit to your stakeholders about your
organization’s relationship with data. Your promises tell the outside world, your partners, your
customers, and regulators what your intentions are for data and privacy. Your promises can be reflected
in everything from contracts to communications to the user experience. What are you committing to? How
are you communicating your promises? Do they align with your policies? How do you know?
Praxes are your principles, policies and promises on the ground: what
you're actually doing. Praxis is a big word; it encompasses the process by which your principles,
policies and promises become real. They act as your 'how' and provide actionable instructions about
fulfilling your promises, from the technical architectural design to your relationships with third
parties. An organization may promise to be a responsible steward of data, but praxes convey your approach
to that stewardship. How do you implement the organization's policies? How are you held accountable? How
do your praxes reflect what you’ve promised? How do they align with your underlying principles? You
might be surprised to learn that what you're doing isn't what you're supposed to be doing or what you've
promised to be doing.
We are challenging organizations to think of privacy as a practice. Meaning, privacy isn’t ever “done.”
It’s not a clean-up job or a reaction to compliance or a response to harm done. Instead, privacy is the
ongoing, iterative practice of intentionally designing, building, and maintaining data technology that
not only meets users' needs but prioritizes them. Privacy solutions are inherently interdisciplinary,
and addressing policies, promises and principles necessarily overlaps with legal, user experience, data
science, design, architecture and at least as many other disciplines.
Our goal is for organizations spanning nonprofits, government, startups, and the biggest, most complex
companies, to be privacy practitioners. They will not only rethink their privacy needs but also reframe
their whole approach to data strategy and value-centered design.
Thanks to Jared Maslin and Jessica Traynor.