Privacy

Mosaic has a team of privacy experts who can help you understand and comply with local and international privacy regulations.
We work with clients to navigate their privacy obligations and challenges and identify pragmatic solutions that improve privacy practices. We are passionate about helping businesses protect the privacy of their customers and employees.

Regulatory Response

The laws and regulations related to privacy and data protection are constantly changing. It is important to keep abreast of any changes in the law and to reassess how compliance with it can be achieved and maintained.

We provide advice on a number of legislative and regulatory requirements, including the New Zealand Privacy Act and the EU General Data Protection Regulation (GDPR). We are not lawyers; instead, our advice focuses on how you can translate legislative and regulatory requirements into pragmatic, working solutions within your organisation that align with your risk appetite.

We offer a series of readiness assessments so organisations can see how they meet particular laws and regulations such as the New Zealand Privacy Act and GDPR. These assessments provide an overview of where the organisation currently stands and recommendations for improvement.

For government and some private organisations, we also offer Privacy Maturity Assessments using the GCPO-developed Privacy Maturity Assessment Framework (PMAF). The outcome of these assessments includes a roadmap for how increases in maturity may be achieved.

We assist organisations to develop policies and procedures to protect personal information. A key service is assisting organisations to redevelop their privacy impact assessments (PIAs), with many clients opting for automation of the process. This is often coupled with developing processes and procedures for data mapping. We provide certified OneTrust staff to assist with implementations of OneTrust to support PIAs, Data Ethics Assessments, data mapping, breach reporting and Privacy Act requests.

Privacy by Design

Mosaic is a privacy by design consultancy that helps organisations in the financial sector and beyond implement privacy considerations into their projects.

Mosaic has assisted a bank with all of their technical projects, including the use of data analytics, machine learning, and artificial intelligence. Mosaic is also assisting in the development of a facial recognition solution for a non-financial client.

A typical deliverable from a Mosaic privacy by design engagement is a Privacy Impact Assessment (PIA). PIAs are a tool that helps organisations identify and assess the privacy risks of their projects.

What is Privacy by Design?

Privacy by Design is a framework for embedding privacy into the design and operation of IT systems, applications, and business practices. It is about more than just securing information; it is also about putting the interests of the individual first.

Privacy by Design takes the view that privacy cannot be assured solely by compliance with regulatory frameworks. Instead, it argues that privacy must become an organisation's default mode of operation.

Why it’s important to build in Privacy by Design

Privacy by Design (PbD) is an approach to information privacy that emphasises the importance of privacy from the outset of your project’s design, be that a product, system or process. By building privacy into the project from the start, organisations can minimise privacy risks and build trust with their users.

There are several benefits to taking a PbD approach, including:

  • Early identification of privacy risks. By considering privacy from the start, organisations can identify and address privacy risks early in the development process, when they are easier and less expensive to fix.
  • Increased awareness of privacy. PbD can help to raise awareness of privacy issues across an organisation, leading to better decision-making about privacy.
  • Compliance with privacy regulations. PbD can help organisations to comply with privacy regulations, such as the General Data Protection Regulation (GDPR).
  • Building trust with users. By building privacy into a project from the start, organisations can build trust with their users, who are increasingly concerned about the privacy of their personal information.

In addition to PbD, Privacy Enhancing Technologies (PETs) can also be used to increase privacy within an organisation. PETs are technologies that can be used to make it more difficult to collect, track, and analyse personal information. By using PETs, organisations can meet privacy regulations, minimise privacy risks and build trust with their users.

Mosaic Privacy by Design Services

We recognise that no two organisations are the same. Many do not have privacy by design embedded across their businesses or struggle with late privacy engagement.

Our privacy by design approach provides you with a pragmatic, business-relevant framework. We leverage the principles to assist the application of privacy within an organisation, but we are not rigidly wedded to them. Privacy by design should not compromise business goals.

For example, privacy by default helps to establish a privacy by design culture in your organisation. It also lowers your information security risk profile, making breaches less damaging. Visibility and transparency help build trust with consumers.

Our privacy by design services are consultative by nature. We work with you to understand your business, how personal information is utilised, and what your typical information lifecycle looks like. Only then do we develop an approach to apply the privacy by design principles across your information lifecycle in a manner that supports your business now and in the future. This is customised to maximise the opportunities for your business.

We also ensure that any legislative or regulatory obligations are factored into the design.

Privacy Risk and Governance Services

Information privacy is critical to organisations. Good privacy practice is more than a compliance or regulation discipline. Organisations should be integrating core privacy by design considerations into project management and risk management methodologies and policies.

Mosaic provides practical and pragmatic privacy solutions that can cover the entire lifecycle of personal information and meet your individual business needs. Our privacy risk and governance services leverage privacy by design principles, translating the myriad of privacy regulations and requirements into deliverable, pragmatic, business-relevant solutions.

Our privacy risk and governance services include:

  • Creation of Programme Privacy Impact Assessments (PPIAs)
  • Creation of Project Privacy Impact Assessments (PIAs)
  • Provision of privacy advice for programmes and projects
  • Third party risk assessments
  • Privacy control reviews and audits
  • Privacy maturity level reviews
  • Privacy Maturity Assessment Framework (PMAF) returns
  • Development of privacy statements
  • Development and assessment of privacy requirements for RFPs

Strategy and Policy Development

A well-defined and implemented privacy strategy is essential for any organisation that collects or processes personal information. Mosaic's strategy and policy development services can help you create a privacy strategy that meets your specific needs and ensures compliance with relevant regulations.

Privacy should be seen as a strategic asset, not a compliance burden. We will work with you to make privacy a part of your culture and ensure that it is embedded in your everyday operations.

Privacy Impact Assessment

A PIA is a tool used by Mosaic to assess privacy risk within an organisation. It is typically used to:

  • Identify whether a project is likely to impact on the privacy of individuals affected by the project.
  • Aid with decision-making about how to manage privacy risks.
  • Check whether a project is likely to comply with privacy laws.
  • Serve as a reference point for future action as the project or business requirements change.

When to complete a PIA

A PIA can be undertaken at any time in a project's lifecycle. However, we recommend that the initial PIA be undertaken in the early stages of a project, to provide guidance on what the big risks are and what the options are for responding to them. Later in the project, the PIA can be revisited and updated to ensure that no new risks have become apparent and that the planned controls have been implemented.

Mosaic's approach

Mosaic recognises the need for practical privacy solutions that can cover the entire lifecycle of a project and meet the individual needs of each organisation. We offer a flexible and tailored approach to PIAs, and we work with you to ensure that the PIA is a valuable tool for managing privacy risk and complying with privacy laws.

Waterfall or Traditional Privacy Impact Assessments

For waterfall-based projects, we recommend conducting a privacy threshold assessment early in the project, ideally during the definition stage. This will determine if personal information is involved and whether the level of risk warrants a full PIA.

A PIA can be undertaken at any time in a project’s lifecycle, but we recommend doing it early on to identify and address privacy risks before they become costly or cause delays. We have multiple clients who engage our services during project kick-off for this reason.

Another advantage of our approach is that the project team has a privacy resource they can contact at any time to bounce ideas off, which allows for greater informed decision-making.

Agile Privacy Impact Assessments

The traditional approach to PIAs may not work well with agile projects and often causes delays in a continuous release program.

For agile projects, we use a methodology similar to that used for a waterfall project to determine the risk and controls. However, we start with a PIA covering the minimum viable product (MVP). As things change rapidly in agile, we ensure that the PIA is reviewed and updated every increment and that changes are discussed with the business owner.

When reviewing/updating the PIA, we only focus on the areas that have changed since the last version. This reduces the time required per iteration to complete the update and ensures the PIA remains as accurate as possible at any given point in time.

Maturity Assessments

The Privacy Maturity Assessment evaluates an organisation's readiness for specific laws and regulations, such as the New Zealand Privacy Act, GDPR, or others. It provides an assessment of the organisation's current maturity and recommendations for improvement in order to achieve and maintain compliance.

Our two most popular assessments cover:

  • The New Zealand Privacy Act (including the new 2020 amendments)
  • The GDPR

The Privacy Act 2020 Maturity Assessment helps organisations understand how to achieve and maintain compliance with the updated Privacy Act 2020, which came into force in December 2020. A privacy consultant will analyse the evidence provided and the rationale for your answers and create an individualised report with detailed recommendations and a prioritised work plan.

Privacy Management Services

What is Privacy Information Management?

Privacy Information Management (PIM) is a set of strategies, plans, policies, tools, and other practical controls that help organisations manage their personal information in a way that complies with privacy regulations and standards.

Privacy Information Management is concerned with how organisations collect, process, store, and dispose of personal information. It also includes measures to protect personal information from unauthorised access, use, or disclosure.

Why is it important to implement a Privacy Information Management System?

A Privacy Information Management System (PIMS) is a system that helps organisations manage their personal information in a way that complies with privacy regulations. A robust PIMS has many potential benefits for organisations:

  • Compliance with privacy requirements is costly and burdensome, especially for organisations subject to multiple obligations that must reconcile, satisfy, and stay up-to-date with a variety of requirements; a PIMS gives these organisations a single place to manage them.
  • Reduced operational and overhead costs for Privacy Officers or Data Protection Officers (DPOs), along with evidence to satisfy stakeholders, senior management, owners, and authorities that privacy requirements are being met.
  • A uniform evidence framework based on international standards, which is essential for communicating privacy compliance to customers and partners.

Mosaic Privacy Management Services

Mosaic can assist you with your privacy information management journey:

  • We will identify personal information in your organisation, as well as the compliance and regulatory requirements that apply.
  • We will focus on implementing and configuring the systems and tools you need to manage these requirements.
  • We will provide you with day-to-day visibility and awareness of your privacy environment, including incidents and breaches.
  • We will help you manage individuals interacting with you for aspects such as consent management, cookie management, and privacy requests.
  • We will provide you with reports from the systems to inform key stakeholders of the status of privacy compliance.

Our privacy management services help you design, engineer, and operate the systems and tools you need to manage privacy information on a daily basis. We also help you achieve, monitor, and report on privacy compliance and regulatory requirements.

Project Implementation

Mosaic believes that privacy is an enabler, not a barrier, for organisations. Privacy should be transparent, simple to understand, and easy to adopt. This is the only way to go beyond compliance and build trust with the individuals whose information you are responsible for.

We understand that privacy solutions need to be tailored to meet an organisation's individual needs and risk appetite. Our services are modular and can be used at any point in your project, from initial design to ongoing risk management.

We leverage Privacy by Design throughout our services to ensure that your organisation's privacy requirements are met in a practical way, while also aligning with legislation and best practices.

A collaborative approach

We understand that every organisation has different needs, strategies, and tolerances for risk. That's why we take a collaborative approach to privacy consulting. We work alongside your team to ensure that all stakeholders are engaged in the process and that the best outcome is identified for your organisation.

We typically achieve the best results when our Privacy Consultants are seen as a logical extension of your existing team. This allows staff and stakeholders to trust us and consider us as a trusted advisor on matters concerning privacy.

Ability to Scale and be Flexible

The ability to scale privacy resources is essential to meet deadlines and milestones. The privacy community is small, so we can provide a responsive virtual team with the expertise and qualifications to ensure a quality outcome.

Applying learnings

We work with organisations with unique requirements and environments, but the fundamental privacy principles are similar. We apply learnings from other projects to new engagements with permission, so customers can benefit from the wider community of knowledge.

Find out more. Get in touch today.