Best Practices for Agile Privacy by Design

Here is a common privacy issue: a product manager wants to use abandoned-cart data to target users and creates a Jira ticket asking developers to start sending this information to your marketing SaaS vendor. The original purpose for collecting and using cart data was to let users complete a purchase easily. Now the product manager intends to use cart data for a different purpose: marketing or ad targeting. In a review six months later, you discover this change and wonder why it was never brought to your attention, even though your privacy team has put a formal “Privacy by Design” process in place. We have seen this scenario play out in software-driven organizations like a broken record. Far too often, privacy teams fail to embed privacy by design into their development processes.

Privacy by Design

“Privacy by Design” (or PbD) is a concept and set of principles introduced in 1995 by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. It gave privacy professionals across the world a framework to build and launch privacy-respecting products. Since then, PbD has been adopted into modern regulations. For instance, PbD is referred to as “Data Protection by Design & Default” in the EU’s General Data Protection Regulation (GDPR) and is referenced in the NIST Privacy Framework, the ISO27001 Privacy Extension, SOC 2 Privacy, and privacy laws currently in development (e.g. India, Thailand, etc.).

The defining concept of Privacy by Design is to ensure privacy is embedded in product development from the design stage through launch. This was a revolutionary approach and worked well in the Waterfall era of development; however, modern software development has moved to Agile and a continuous delivery model, where a clearly delimited design stage is hard to find. For Privacy by Design to work, its implementation has to run at the speed of agile development.

Privacy is in a Reactive Mode

Modern software development means there are thousands of code changes happening weekly, and privacy teams have to figure out which ones need their attention. Current privacy tooling, staffing, and processes fail when it comes to detecting software changes that break user privacy. Challenges with the current approach:

  1. Privacy sits outside the development lifecycle. At best, the touch we have is at the design stage with a privacy review.

The combination of fast-moving software development and a reactive privacy approach means that, at best, you learn about a risky feature at the last moment; if you then delay or stop it, money is wasted and engineering teams stop looking favorably on privacy. In the worst case, these risky features go live without any privacy review and come back to bite you as a consumer complaint or lawsuit. These changes also leave behind stale, outdated reports.

Privacy by Design Principles for Agile Development Teams:

At Privado, we believe that for Privacy by Design to work at today’s agile speed of software development, organizations need to follow these principles:

  1. Give Privacy teams real-time visibility into the software development lifecycle (risk visibility);

Introducing Code Scans for Privacy

Some time back, our peers in the security industry faced the same issue: application security testing was not integrated with the development lifecycle. The creation and deployment of static security code scans created a “shift left” moment for security and DevSecOps, where vulnerabilities and issues were discovered at the start of development and fixed there. This has evolved to the point where a security code scan is now mandatory before new features are released.

We believe static privacy code analysis is the missing piece for implementing Agile Privacy by Design in software-driven organizations. Code analysis for privacy can achieve the following:

  1. Find Issues: A scan of your applications is a starting point for finding issues in your current state. It could be that you are collecting more data than intended, sharing data with third parties you don’t know about, or lacking technical measures such as obfuscation before personal data is sent to your logs.
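To make the idea of a privacy code scan concrete, here is an added example (not Privado’s scanner or any code from this post) of a minimal static analysis over Python source: it walks the AST and flags calls to logging or third-party sinks whose arguments reference personal or behavioural data, which covers both the abandoned-cart scenario above and the “personal data in logs” case in this list. The data taxonomy, the sink list, and the sample source are all constructed for the example.

```python
"""Minimal static privacy scan: find personal data flowing into log or third-party sinks."""
import ast

# Constructed taxonomy of identifiers that indicate personal or behavioural data.
PERSONAL_DATA = {"email", "phone", "address", "cart", "cart_items", "abandoned_cart", "user_id"}
# Constructed sink list: root name of the called object -> finding category.
SINKS = {"logging": "log", "logger": "log", "marketing_client": "third_party", "analytics": "third_party"}


def _call_target(node: ast.Call) -> str:
    """Dotted name of a call target, e.g. 'logging.info' or 'marketing_client.track'."""
    parts, cur = [], node.func
    while isinstance(cur, ast.Attribute):
        parts.append(cur.attr)
        cur = cur.value
    if isinstance(cur, ast.Name):
        parts.append(cur.id)
    return ".".join(reversed(parts))


def _identifiers(node: ast.AST) -> set:
    """Every bare name and attribute name referenced inside an argument expression."""
    names = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
    attrs = {n.attr for n in ast.walk(node) if isinstance(n, ast.Attribute)}
    return names | attrs


def scan_source(src: str) -> list:
    """Return one finding per sink call that receives personal data, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        target = _call_target(node)
        category = SINKS.get(target.split(".")[0])
        if category is None:
            continue  # not a log or third-party sink: internal use is not flagged
        args = list(node.args) + [kw.value for kw in node.keywords]
        touched = set().union(*(_identifiers(a) & PERSONAL_DATA for a in args)) if args else set()
        if touched:
            findings.append({"line": node.lineno, "sink": target, "category": category, "data": sorted(touched)})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample application code: the scanner runs over this text, it is never executed.
SAMPLE = '''
import logging
from vendors import marketing_client

def checkout(user):
    logging.info("checkout for %s", user.email)               # PII to logs, no obfuscation
    marketing_client.track("cart_abandoned", cart=user.cart)  # cart data to a marketing vendor
    total = sum(item.price for item in user.cart)             # original purpose: not flagged
    return total
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

In a CI pipeline the findings list would gate the change, so a new sink call carrying cart or contact data surfaces at pull-request time rather than in a review six months later.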

From Reactive to Proactive

At Privado, we have seen these challenges while working with software-driven organizations. I vividly remember finishing a 6-month data-mapping project for a large e-commerce company and not being confident answering the General Counsel as to whether everything was up to date, because of the thousands of code changes that went live during that time.

To solve this problem, we have launched a Code Analyzer for Privacy. Our mission is to help software-driven organizations adopt Agile Privacy by Design principles. We envision a future where code scans for privacy are a mandatory step in software release, just as security code scans are today. If our approach resonates with you, or you are curious to look at what we have built, feel free to sign up for a demo.