At the IAPP's DPIntensive meeting earlier this year I gave a presentation on the subject; here's the link to the slides.
The main learning is that unless engineering is an equal part in your privacy discussions then you're really just playing at compliance.
Privacy isn't just about privacy policies or long-winded legal documents; it is about education, learning and understanding that everyone depends upon everyone else in order for your business to function successfully (and legally!).
I wrote about how privacy should be taught earlier with the quote:
It often surprises me that many of the people advocating privacy don't actually understand the things that they're trying to keep private, specifically information. Indeed the terms data and information are used interchangeably and there is often little understanding of the actual nature and semantics of said data and information.
This is also seen in how we train our staff in privacy aspects - with the dreaded "privacy awareness training":
One thing that came up was the need for training and that privacy awareness training hasn't had the effect hoped for. Given that awareness training is exactly that, is it any surprise that once the, usually, one-hour presentation on how we should all care about privacy is made nothing happens?
Actually, everyone is acutely aware of privacy in the first place, and privacy awareness training rapidly becomes an exercise in CYA - as security expert Bruce Schneier might have put it - and has no effect whatsoever on the overall quality of development, customer privacy and company culture.
I guess we're still pretty naive about privacy, and unless we have a cultural change this naivety will come back to haunt us for a very, very long time, with some awful business repercussions.