Historically, user data privacy has been considered largely a legal or security concern, and not prioritized until an unfortunate breach or leak. In the not-so-distant past, engineers would often connect with legal or security teams as a final step in the development process to discuss data capture, logging and access parameters, making data protection an afterthought rather than a roadmap that guides projects from the get-go.
Today, we are seeing more technical teams stepping into the spotlight to implement meaningful change, enhancing data protection measures early on to align protocols between engineering, security, legal and data governance perspectives. In 2020 and beyond, responsibility for privacy through data protection will expand beyond security and legal teams to include engineers and product stakeholders, ensuring privacy through data protection becomes a core value across the organization.
However, putting these user-oriented data protections at the core of an organization requires transparency, trust and buy-in from all relevant stakeholders as well as continuous collaboration and optimization. For many organizations, this represents a paradigm shift.
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) reflect change in protecting individual consumer privacy online, but they are the result of a game of catch-up that the industry has been forced to play. To successfully make this shift, engineering and legal departments must be prepared to create, and commit to, a continuous collaborative workflow between their two worlds. The goal is proper data governance and corporate protections that are far better suited to long-term collaboration, trust and goodwill between companies and users.
Of course, the best way to ensure data protection for privacy is to collect no data in the first place, but if an organization simply cannot operate its core business within a zero-data-collection world, there are some protocols, processes and programs that can help put data protection by design in place.
Effective data protection is more than checking boxes off a list. First, enterprises must determine why they are keeping personal data. For each category of personal data they are collecting, there should be a defined reason that is transparent to the customer. Once agreed upon, they can build a process for the “how” of data protection that goes beyond a simple checklist. A holistic process that informs the entire cross-functional workflow and resulting products and programs is essential.
Most importantly, data use must be balanced against the protection of the individuals whose information is being collected. Architects can then take on a privacy-focused perspective as they review stories with product and develop plans for implementation with engineering.
During the design phase of a new product, service or program, or while making major changes to existing ones, be sure to consider the following eight questions before development begins:
- What kind of data are you generating, accessing or collecting?
- Do you need to collect all of this data, and if so, can you mask personally identifiable information (PII), or limit your collection to only what is necessary?
- What systems will access or share this data, and are those systems appropriately managed with minimum access?
- When granting access to others, can you limit what data is shared or transmitted?
- Where and how is the data stored, how long will you keep it and how will you programmatically manage retention and deletion of this data?
- Are there logs of data access and modification? If so, where are they kept, and for how long?
- How would your organization satisfy a deletion request when storing PII?
- What ways can you track and programmatically generate answers to these questions?
Answers to, and resulting policies for, these questions are a great starting point for teams beginning to think more purposefully about data protection within their organizations. As these discussions ensue, it’s also important to set expectations with all parties involved. A common fear among developers when it comes to implementing data protection is that doing all of these things will slow down their progress. But investing in the creation of a secure process that works for your entire organization results in a better foundation for your product from day one.
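The questions above about data minimization, PII masking, access logging, programmatic retention and deletion requests can be enforced in code rather than answered only on paper. The following is an added example, not code from the original article: a toy data inventory in which every category of personal data must be declared with its purpose, allowed fields, PII fields and retention period before anything can be stored. Class and function names (DataCategory, DataInventory, the demo() helper) and the sample records are constructed for this illustration.

```python
"""Toy data inventory that turns the design questions into enforced rules.

Added example; not code from the original article. All names and sample data
below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class DataCategory:
    """Why a category of data is kept, which fields it may hold, and for how long."""
    name: str
    purpose: str                 # transparent reason for collection
    allowed_fields: frozenset    # data minimization: other fields are rejected
    pii_fields: frozenset        # subset of allowed_fields, masked on read
    retention_days: int          # programmatic retention limit


@dataclass
class Record:
    subject_id: str
    category: str
    collected_at: datetime
    fields: Dict[str, str]


@dataclass
class AccessEvent:
    at: datetime
    actor: str
    action: str      # collect / read / purge / erase
    subject_id: str
    category: str


class DataInventory:
    def __init__(self, categories: List[DataCategory], mask_salt: bytes):
        self.categories = {c.name: c for c in categories}
        self.records: List[Record] = []
        self.access_log: List[AccessEvent] = []   # answers "are there logs, and where?"
        self._salt = mask_salt

    def _log(self, at, actor, action, subject_id, category):
        self.access_log.append(AccessEvent(at, actor, action, subject_id, category))

    def _mask(self, value: str) -> str:
        # Salted, truncated hash: a stable pseudonym that cannot be reversed to the value.
        return hashlib.sha256(self._salt + value.encode()).hexdigest()[:12]

    def collect(self, actor: str, record: Record) -> None:
        """Refuse data for undeclared categories or undeclared fields."""
        cat = self.categories.get(record.category)
        if cat is None:
            raise ValueError(f"undeclared category {record.category!r}: define its purpose first")
        extra = set(record.fields) - cat.allowed_fields
        if extra:
            raise ValueError(f"fields {sorted(extra)} are not declared for {cat.name!r}")
        self.records.append(record)
        self._log(record.collected_at, actor, "collect", record.subject_id, cat.name)

    def read(self, actor: str, subject_id: str, category: str, now: datetime) -> List[Dict[str, str]]:
        """Return matching records with PII fields masked; every read is logged."""
        cat = self.categories[category]
        rows = [r for r in self.records if r.subject_id == subject_id and r.category == category]
        self._log(now, actor, "read", subject_id, category)
        return [{k: (self._mask(v) if k in cat.pii_fields else v) for k, v in r.fields.items()}
                for r in rows]

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than their category's retention period."""
        keep, purged = [], 0
        for r in self.records:
            limit = r.collected_at + timedelta(days=self.categories[r.category].retention_days)
            if now >= limit:
                purged += 1
                self._log(now, "retention-job", "purge", r.subject_id, r.category)
            else:
                keep.append(r)
        self.records = keep
        return purged

    def erase_subject(self, actor: str, subject_id: str, now: datetime) -> int:
        """Satisfy a deletion request by removing every record about one subject."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        self._log(now, actor, "erase", subject_id, "*")
        return before - len(self.records)

    def report(self) -> Dict[str, Dict[str, object]]:
        """Programmatically generated answers to the design questions, per category."""
        return {c.name: {"purpose": c.purpose, "pii_fields": sorted(c.pii_fields),
                         "retention_days": c.retention_days,
                         "records": sum(1 for r in self.records if r.category == c.name)}
                for c in self.categories.values()}


# Constructed sample categories and records.
T0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
CATEGORIES = [
    DataCategory("billing", "issue invoices", frozenset({"email", "plan"}), frozenset({"email"}), 365),
    DataCategory("analytics", "measure feature use", frozenset({"page", "ip"}), frozenset({"ip"}), 30),
]


def demo() -> dict:
    inv = DataInventory(CATEGORIES, mask_salt=b"example-salt")
    inv.collect("signup-service", Record("u1", "billing", T0, {"email": "a@example.com", "plan": "pro"}))
    inv.collect("web", Record("u1", "analytics", T0, {"page": "/home", "ip": "203.0.113.7"}))
    inv.collect("web", Record("u2", "analytics", T0, {"page": "/docs", "ip": "203.0.113.9"}))
    masked = inv.read("support-agent", "u1", "billing", T0)
    purged = inv.purge_expired(T0 + timedelta(days=31))     # analytics expired, billing kept
    erased = inv.erase_subject("privacy-desk", "u1", T0 + timedelta(days=32))
    return {"masked_email": masked[0]["email"], "purged": purged, "erased": erased,
            "left": len(inv.records), "log_actions": [e.action for e in inv.access_log],
            "report": inv.report()}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the inventory refuses to store anything whose category and fields were not declared up front, so the "why" of collection is recorded before the "how"; retention and deletion then run off those declarations rather than off tribal knowledge, and the access log gives a concrete answer to the question of where access records live.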
A Governance Program
Once your organization has answered the “why” and “how” questions for data collection and protection, it’s time to set up an ongoing program that reinforces those processes and policies through regular education and training. Program goals should be organization-wide and cross-functional and should reduce ambiguity wherever possible. Setting clear definitions of personally identifiable data, and establishing and inspiring stewardship and sponsorship, are all critical components for driving understanding of these elements and buy-in from all stakeholders, that is, everyone in the organization.
Ultimately, the program should convey data protection-related information and decisions across the entire organization while clearly communicating these principles and processes with customers and prospects through regular policy reviews.
2020 and Beyond
By implementing a data protection by design approach, both before and during product developments, organizations will build more trust with customers and end users, and curtail risk of future privacy-related conflicts.
Data protection by design doesn’t just belong to software designers, developers and operators, but needs to be taken on by the whole organization. As companies shift their perspective on data protection and embrace a model that takes action at the design phase, the web will become a space where users understand and can control more of their data online.
How are you reaching your privacy goals for 2020?
The post "Data Protection by Design: Eight Questions to Help Protect User Data from the Start" was first posted on Security Magazine, written by Lisa Phillips.