The laws and regulations related to privacy and data protection are constantly changing. It is important to keep abreast of any changes in the law and to reassess how compliance with it can be achieved and maintained.
We provide advice on a number of legislative and regulatory requirements, including the New Zealand Privacy Act and the EU General Data Protection Regulation (GDPR). We are not lawyers, instead our advice focuses on how you can translate legislative and regulatory requirements into pragmatic, working solutions within your organisation that align with your risk appetite.
We offer a series of readiness assessments so organisations can see how they meet particular laws and regulations such as the New Zealand Privacy Act, and GDPR. These assessments provide an overview of where the organisation currently stands and recommendations for improvement.
For government and some private organisations, we also offer Privacy Maturity Assessments using the GCPO developed Privacy Maturity Assessment Framework (PMAF). The outcome of these assessments includes a roadmap for how increases in maturity may be achieved.
We assist organisations to develop policies and procedures to protect personal information. A key service is assisting organisations to redevelop their privacy impact assessments (PIAs), with many clients opting for automation of the process. This is often coupled with developing processes and procedures for data mapping. We provide certified OneTrust staff to assist with implementations of OneTrust to support PIAs, Data Ethics Assessments, data mapping, breach reporting and Privacy Act requests.
Mosaic is a privacy by design consultancy that helps organisations in the financial sector and beyond implement privacy considerations into their projects.
Mosaic has assisted a bank with all of their technical projects, including the use of data analytics, machine learning, and artificial intelligence. They are also assisting in the development of a facial recognition solution for a non-financial client.
A typical deliverable from a Mosaic privacy by design engagement is a Privacy Impact Assessment (PIA). PIAs are a tool that helps organisations identify and assess the privacy risks of their projects.
Privacy by Design is a framework for embedding privacy into the design and operation of IT systems, applications, and business practices. It is about more than just securing information; it is also about putting the interests of the individual first.
Privacy by Design takes the view that privacy cannot be assured solely by compliance with regulatory frameworks. Instead, it argues that privacy must become an organisation's default mode of operation.
Privacy by Design (PbD) is an approach to information privacy that emphasises the importance of privacy from the outset of your project’s design, be that a product, system or process. By building privacy into the project from the start, organisations can minimise privacy risks and build trust with their users.
There are several benefits to taking a PbD approach, including:
In addition to PbD, Privacy Enhancing Technologies (PETs) can also be used to increase privacy within an organisation. PETs are technologies that can be used to make it more difficult to collect, track, and analyse personal information. By using PETs, organisations can meet privacy regulations, minimise privacy risks and build trust with their users.
We recognise that no two organisations are the same. Many do not have privacy by design embedded across their businesses or struggle with late privacy engagement.
Our privacy by design approach provides you with a pragmatic, business-relevant framework. We leverage the principles to assist the application of privacy within an organisation, but we are not rigidly wedded to them. Privacy by design should not compromise business goals.
For example, privacy by default helps to establish a privacy by design culture in your organisation. It also lowers your information security risk profile, making breaches less damaging. Visibility and transparency help build trust with consumers.
Our privacy by design services are consultative by nature. We work with you to understand your business, how personal information is utilised, and what your typical information lifecycle looks like. Only then do we develop an approach to apply the privacy by design principles across your information lifecycle in a manner that supports your business now and in the future. This is customised to maximise the opportunities for your business.
We also ensure that any legislative or regulatory obligations are factored into the design.
Information privacy is critical to organisations. Good privacy practice is more than a compliance or regulation discipline. Organisations should be integrating core privacy by design considerations into project management and risk management methodologies and policies.
Mosaic provides practical and pragmatic privacy solutions that can cover the entire lifecycle of personal information and meet your individual business needs. Our privacy risk and governance services leverage privacy by design principles, translating the myriad of privacy regulations and requirements into deliverable, pragmatic, business-relevant solutions.
Our privacy risk and governance services include:
A well-defined and implemented privacy strategy is essential for any organisation that collects or processes personal information. Mosaic's strategy and policy development services can help you create a privacy strategy that meets your specific needs and ensures compliance with relevant regulations.
Privacy should be seen as a strategic asset, not a compliance burden. We will work with you to make privacy a part of your culture and ensure that it is embedded in your everyday operations.
A PIA is a tool used by Mosaic to assess privacy risk within an organisation. It is typically used to:
A PIA can be undertaken at any time in a project's lifecycle. However, we recommend that the initial PIA be undertaken in the early stages of a project, to provide guidance on what the big risks are and what the options are for responding to them. Later in the project, the PIA can be revisited and updated to ensure that no new risks have become apparent and that the planned controls have been implemented.
Mosaic recognises the need for practical privacy solutions that can cover the entire lifecycle of a project and meet the individual needs of each organisation. We offer a flexible and tailored approach to PIAs, and we work with you to ensure that the PIA is a valuable tool for managing privacy risk and complying with privacy laws.
For waterfall-based projects, we recommend conducting a privacy threshold assessment early in the project, ideally during the definition stage. This will determine if personal information is involved and whether the level of risk warrants a full PIA.
A PIA can be undertaken at any time in a project’s lifecycle, but we recommend doing it early on to identify and address privacy risks before they become costly or cause delays. We have multiple clients who engage our services during project kick-off for this reason.
Another advantage of our approach is that the project team has a privacy resource they can contact at any time to bounce ideas off, which allows for greater informed decision-making.
The traditional approach to PIAs may not work well with agile projects and often causes delays in a continuous release program.
For agile projects, we use a similar methodology as for a waterfall project to determine the risk and controls. However, we start with the PIA covering the minimum viable product (MVP). As things rapidly change in agile, we ensure that the PIA is reviewed and updated every increment and changes are discussed with the business owner.
When reviewing/updating the PIA, we only focus on the areas that have changed since the last version. This reduces the time required per iteration to complete the update and ensures the PIA remains as accurate as possible at any given point in time.
The Privacy Maturity Assessment evaluates an organisation's readiness for specific laws and regulations, such as the New Zealand Privacy Act, GDPR, or others. It provides an assessment of their current maturity and recommendations for improvement in order to achieve and maintain compliance.
Our two most popular assessments cover:
The Privacy Act 2020 Maturity Assessment helps organisations understand how to achieve and maintain compliance with the updated Privacy Act 2020, which came into force in December 2020. A privacy consultant will analyse the evidence provided and rationale for your answers and create an individualised report with detailed recommendations and a prioritised work plan.
Privacy Information Management (PIM) is a set of strategies, plans, policies, tools, and other practical controls that help organisations manage their personal information in a way that complies with privacy regulations and standards.
Privacy Information Management is concerned with how organisations collect, process, store, and dispose of personal information. It also includes measures to protect personal information from unauthorised access, use, or disclosure.
A Privacy Information Management System (PIMS) is a system that helps organisations manage their personal information in a way that complies with privacy regulations. A robust PIMS has many potential benefits for organisations:
Mosaic can assist you with your privacy information management journey:
Our privacy management services help you design, engineer, and operate the systems and tools you need to manage privacy information on a daily basis. We also help you achieve, monitor, and report on privacy compliance and regulatory requirements.
Mosaic believes that privacy is an enabler, not a barrier, for organisations. Privacy should be transparent, simple to understand, and easy to adopt. This is the only way to go beyond compliance and build trust with the individuals whose information you are responsible for.
We understand that privacy solutions need to be tailored to meet an organisation's individual needs and risk appetite. Our services are modular and can be used at any point in your project, from initial design to ongoing risk management.
We leverage Privacy by Design throughout our services to ensure that your organisation's privacy requirements are met in a practical way, while also aligning with legislation and best practices.
We understand that every organisation has different needs, strategies, and tolerances for risk. That's why we take a collaborative approach to privacy consulting. We work alongside your team to ensure that all stakeholders are engaged in the process and that the best outcome is identified for your organisation.
We typically achieve the best results when our Privacy Consultants are seen as a logical extension of your existing team. This allows staff and stakeholders to trust us and consider us as a trusted advisor on matters concerning privacy.
The ability to scale privacy resources is essential to meet deadlines and milestones. The privacy community is small, so we can provide a responsive virtual team with the expertise and qualifications to ensure a quality outcome.
We work with organisations with unique requirements and environments, but the fundamental privacy principles are similar. We apply learnings from other projects to new engagements with permission, so customers can benefit from the wider community of knowledge.