Shhh, it's a secret
Data privacy affects us all, whether we create products or use products. Privacy by Design is a set of principles every product engineering team should know.
What’s the secret?
Not a week goes by without a data breach being reported somewhere in the world. Data is the currency of the digital world, and everyone wants a piece of that pie. As product and engineering teams, we often forget or overlook the role of privacy in the SSDLC because it’s usually covered by legal and compliance. We all know we avoid legal and compliance until we really need to engage with them, so don’t feel bad.
Oddly enough, just like the security team, the legal and compliance folks want to enable product teams to deliver faster. Shocker, right? That is the secret. Our dear legal and compliance friends want to help us too, not block us.
I Thought that Security is Privacy?
Yes, and no. Privacy is concerned with ensuring that the people who have been granted explicit permission to specific data are the ones who have access to it. Also, the data that is stored should be the same when it is retrieved by the person or system that is allowed to view, edit or interact with it. We call this the confidentiality and integrity of the data, which, simply put, is data privacy.
The technology, processes and practices that go into enabling approved and authorised access to data are what we call data security. Privacy is merely a small part of security as a whole.
Simply put, privacy is the right to use data and security is the set of mechanisms that protect the data.
Now that we have that distinction out of the way, let’s talk about WHY we want to secure data in the first place.
Trust
The tech world is ultra competitive and when it comes to business, data is the thing that may set you apart from your competitors. Data becomes one of your most valuable assets, because once it is transformed into something that lets you make decisions, it becomes information.
How well an organisation is able to protect the data that it works with builds trust with investors, customers and employees.
Regulation
Data privacy regulation across the world has taken more space in tech as regions and industries start to penalise organisations for how well or how poorly they protect the data assets that they are entrusted with.
Data regulators publish guidelines within which organisations need to operate with regard to how they handle, process, transport, store and destroy data. Yup, that’s right, the institutions actually care about the average person and protecting their most valuable asset, the person’s data.
Money
Business is there to make money for investors, and so making sure that the data an organisation holds is secured, and only made accessible to those who need to know about it, is pivotal to the organisation.
The data can be used as a competitive advantage to create unique value propositions and reach a wider target market with customised or more targeted marketing strategies and product offerings.
There are many more examples of why data is critical to an organisation, so I will let you research that now that you get the gist of why data is important to organisations and why protecting it matters. Now let’s get to the fun stuff, some practical steps on implementing data privacy into engineering practices.
Privacy By Design Principles
Developed by Dr. Ann Cavoukian in the 1990s, the PbD principles came about in response to historical data security failures, regulation, practical necessity and technological evolution, to name a few reasons. These principles can be summarised as:
Proactive not Reactive; Preventative not Remedial - instead of waiting for privacy risk to materialise, anticipate privacy issues and prevent them by building privacy protection into your systems from the start.
Privacy as the Default Setting - ensure privacy-preserving settings by default to automatically protect personal data, so that no action is required by users to protect their data.
Privacy Embedded into Design - balance all requirements into your system by integrating privacy into your system architecture and core functionality rather than making it an add-on feature.
Full Functionality - Positive Sum, not Zero-Sum - demonstrate that both privacy and other objectives can be achieved by avoiding false trade-offs such as security vs privacy.
End-to-End Security - Full Lifecycle Protection - data should be protected throughout its entire lifecycle, from collection to storage, use and destruction.
Visibility and Transparency - create accountability and trust by ensuring that operations are transparent and visible through documented processes and policies which are made available to relevant stakeholders.
Respect for User Privacy - a user-centric approach ensures that users’ interests are kept as a top priority by enforcing strong privacy defaults, communicating appropriate notices and making use of user-friendly options.
Great, now that you know why and how to start approaching PbD, what practical steps can you take in your products? Don’t worry, I’ve got you covered with a few examples to get you going.
Practical Implementation Examples
Data minimization: Only collect what's necessary
Purpose limitation: Use data only for stated purposes
Access controls: Limit who can see personal data
Encryption: Protect data in transit and at rest
Retention policies: Delete data when no longer needed
User controls: Give users control over their data
Privacy impact assessments: Regular evaluation of privacy risks
Documentation: Clear privacy policies and procedures
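To make a few of these concrete, here is an added example (mine, not code from the original post) of a hypothetical signup flow that applies data minimisation, purpose limitation, privacy as the default setting and a retention policy. The field names, purposes, 30-day retention window and timestamps are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Data minimisation: the only fields this hypothetical signup flow may store.
ALLOWED_FIELDS = {"email", "display_name"}
# Purpose limitation: each stated purpose may read only these fields.
PURPOSE_FIELDS = {"account_login": {"email"}, "profile_display": {"display_name"}}
RETENTION = timedelta(days=30)  # constructed retention window for the example

@dataclass
class UserRecord:
    data: dict
    created_at: datetime
    # Privacy as the default setting: sharing options start switched off,
    # so a user who never opens the settings page is still protected.
    settings: dict = field(default_factory=lambda: {"marketing_emails": False, "public_profile": False})

def minimize(submitted: dict) -> dict:
    """Keep only allow-listed fields instead of storing whatever the form sent."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}

def read_for_purpose(record: UserRecord, purpose: str) -> dict:
    """Return only the fields the stated purpose may see; an unknown purpose gets nothing."""
    allowed = PURPOSE_FIELDS.get(purpose, set())
    return {k: v for k, v in record.data.items() if k in allowed}

def purge_expired(records: list, now: datetime) -> list:
    """Retention policy: drop records older than the retention window."""
    return [r for r in records if now - r.created_at < RETENTION]

def demo() -> dict:
    """Constructed walk-through with fixed timestamps so the results are deterministic."""
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    form = {"email": "ann@example.com", "display_name": "Ann", "phone": "555-0100"}
    fresh = UserRecord(data=minimize(form), created_at=now - timedelta(days=1))
    stale = UserRecord(data={"email": "old@example.com"}, created_at=now - timedelta(days=45))
    return {
        "stored": fresh.data,
        "defaults": fresh.settings,
        "login_view": read_for_purpose(fresh, "account_login"),
        "analytics_view": read_for_purpose(fresh, "analytics"),
        "kept_after_purge": [r.data["email"] for r in purge_expired([fresh, stale], now)],
    }

if __name__ == "__main__":
    print(demo())
```

The phone number submitted by the form never reaches storage, an unlisted purpose such as analytics reads nothing, and the 45-day-old record is gone after the purge.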
There you have it, a short and concise introduction to Privacy by Design to help you get going with building systems that put the most valuable asset in a more secure state.
Be Kind. Be Brave. Be You. - MatsTalksTech.