Rapid technological development coupled with a proliferation of privacy laws continues to keep data privacy and security top of mind for the C-suite.

For a technology company like Hewlett Packard Enterprise (HPE), it is imperative we consider privacy and security both in the design of products and solutions for customers and in the assessment of third-party technology we use to run our business. As chief privacy officer at HPE, I have partnered with our business teams to support privacy-by-design practices that help the company develop and use technology in a way that meets the compliance requirements of the business and our customers.

About the author

Amy Holcroft

Amy Holcroft is chief privacy officer at Hewlett Packard Enterprise (HPE) and leads the company’s Privacy and Information Governance Office within the Ethics & Compliance Office. Holcroft supervises an international team of attorneys and compliance professionals managing HPE’s global privacy and information governance programs. These include GDPR and CCPA compliance programs, binding corporate rules, and APEC Cross Border Privacy Rules.


Holcroft is currently leading the establishment of a set of AI ethical principles to enable HPE to use and develop AI with beneficial outcomes for all stakeholders. She has specialized in privacy law for over 15 years, with a prior focus on corporate and commercial law.

Privacy by design requires the consideration of privacy and data protection early in the design phase and lifecycle of any product or process so that privacy protections are built in from the outset. When privacy and security are late-stage checkpoints in the development process, significant risk and cost consequences can occur. Conversely, when they are addressed early in the development or adoption process, overall outcomes are improved dramatically.

At HPE and Aruba, an HPE company, we get ahead of the privacy curve through the adoption of privacy by design in our product development process. A great example of this came to light during the pandemic as we worked to deliver a technology solution to our customers to enable them to bring their employees back to physical locations in a safer manner. Using our background in network-based location services, our technical teams were able to support key contact tracing and workplace analytics use cases.

As part of this initiative, my team worked with Aruba’s Office of the Chief Technology Officer to build data minimization, pseudonymization, secure storage, access controls, and deletion into contact tracing. This collaboration has enabled us to deliver a technology solution with privacy and security features that will help our customers conduct internal risk assessments and meet their compliance requirements.

Privacy by design can take many forms and be adapted to fit an organization’s needs, but there are three main requirements to ensure success.

  1. Executive buy-in. First and foremost, you need your executive leaders and key stakeholders on board. They need to understand the fundamental importance of privacy risk management and the adverse impacts of getting it wrong. This could be regulatory fines, lost revenue, or reputational damage. From this foundation, you can demonstrate the benefits of privacy by design to internal risk and compliance management and as a competitive differentiator with customers.
  2. Operationalization. You need to turn theory into practice through the development of tools and guidelines which help build privacy into a product, solution, or business process. These will need to adapt to the different requirements of your teams. Working within an existing business process can expedite and simplify adoption. For example, when working with product developers, create training and guidelines that can be incorporated into product design and lifecycle management processes with minimal incremental effort.
  3. Expert support and partnership. Ensure the business has access to privacy experts it can partner with for additional support with complex, high-risk, or novel use cases. Within HPE, we have developed a process called Privacy Impact and Compliance Assessment (PICA) to support this. It is accessible via an online portal so that anyone at HPE can easily engage the privacy office for advice on risks and mitigation actions.

Once established, it is important to recognize the need for a dynamic and iterative approach to privacy compliance processes—similar to security. As you expand privacy-by-design processes and include more teams within your organization, your privacy practice and culture will evolve and mature. At HPE, even though the U.K.’s General Data Protection Regulation only requires privacy impact assessments for certain higher-risk types of processing, we use our PICA process to manage privacy risk and demonstrate compliance more broadly.

As you continue down the path of your security and privacy journey, a preemptive, privacy-by-design approach can produce the combined benefits of lower costs, higher levels of data protection and compliance, and happy customers.