Here is a common privacy issue: a product manager wants to use abandoned cart data to target users and creates a Jira ticket asking developers to start sending this information to your marketing SaaS vendor. The original purpose for collecting and using cart data was to let users easily complete a purchase. Now, however, the product manager intends to use cart data for a different purpose: marketing or ad targeting. In a review six months later, you discover this change and wonder why it was never brought to your attention, even though your privacy team has a formal “Privacy by Design” process in place. We have seen this scenario play out in software-driven organizations like a broken record. Far too often, privacy teams fail to embed privacy by design into their development processes.
Privacy by Design
“Privacy by Design” (or PbD) is a concept and set of principles introduced in 1995 by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. It gave privacy professionals across the world a framework to build and launch privacy-respecting products. Since then, PbD has been adopted into modern regulations. For instance, PbD is referred to as “Data Protection by Design & Default” in the EU’s General Data Protection Regulation (GDPR) and is referenced in the NIST Privacy Framework, the ISO27001 Privacy Extension, SOC 2 Privacy, and privacy laws in development (e.g. India, Thailand, etc.).
The defining concept of Privacy by Design is to ensure privacy is embedded in product development from the design stage through to launch. This was a revolutionary approach and worked well in the Waterfall era of development; however, modern software development has moved to Agile and a continuous delivery model, where a clearly delineated design stage is hard to find. For Privacy by Design to work, its implementation must keep pace with agile development.
Privacy is in a Reactive mode
Modern software development means thousands of code changes happen every week, and privacy teams have to figure out which ones need their attention. Current privacy tooling, staffing, and processes fail when it comes to detecting software changes that break user privacy. Challenges with the current approach:
- Privacy sits outside the development lifecycle. At best, the only touchpoint we have is a privacy review at the design stage.
- Privacy reviews for each iterative update would slow down development and are not aligned with a fast-moving enterprise.
- Current automated solutions work after the fact: they alert you once data has already entered your system, so you are always reacting.
The combination of fast-moving software development and a reactive privacy approach means that, at best, you learn about a risky feature at the last moment; if you then delay or stop it, money is wasted and privacy is not looked at favorably by engineering teams. In the worst case, these risky features go live without any privacy review and come back to bite you as a consumer complaint or lawsuit. These changes also leave behind stale and outdated reports.
Privacy by Design Principles for Agile Development Teams:
At Privado, we believe that for Privacy by Design to work at today’s agile speed of software development, organizations need to adopt the following principles:
- Give privacy teams real-time visibility into the software development lifecycle (risk visibility).
- Proactively catch privacy issues at the start of development (privacy shift left).
- Enable the ability to block new code deployments when changes to the software impact privacy.
- Build assurance into your privacy product and risk reviews by finding deviations from baseline results.
- Automatically update your privacy reports.
Introducing Code Scans for Privacy
Our peers in the security industry faced the same issue some time ago, when application security testing was not integrated with the development lifecycle. The creation and deployment of static security code scans created a Shift Left moment for security and DevSecOps, where security vulnerabilities and issues were discovered at the start of development and fixed there. This has evolved to the point where a security code scan is now mandatory before new features are released to market.
We believe Static Privacy Code Analysis is the missing piece for implementing Agile Privacy by Design in software-driven organizations. Code analysis for privacy can achieve the following:
- Find Issues: A scan of your applications is the starting point for finding issues in your current state. You may be collecting more data than intended, sharing data with third parties you are not aware of, or lacking technical measures such as obfuscation before personal data is written to your logs.
- Prevent Issues: Code scanning for privacy continuously monitors code changes and alerts the privacy team to upcoming privacy issues at the start of software development. Like a security scan, a privacy scan can block a software change from going live if it crosses your risk threshold.
- Fix Issues: For code scanning to work, the issues it raises have to be remediated at the speed of development, which means fixes must be available to the developer or application owner. One huge benefit is that these issues are raised at the start of development, so privacy teams can address them well before release. Beyond early detection, you can attach specific guidance to the kind of change the scan detects: for example, new personal data collection could initiate a privacy review, and personal data being sent to a new data store could create a control ticket for onboarding that store to your central data deletion service.
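To make the find/prevent/fix loop above concrete, here is a small added example (written for this page, not Privado's scanner) of a static privacy check over Python source: it parses the code with the standard `ast` module, flags personal-data identifiers passed to assumed sink calls (a logger, a marketing SDK, a data store), diffs the findings against an accepted baseline, and blocks the change when a new third-party flow appears. The sample source, the identifier heuristic, and the sink and action tables are all constructed assumptions.

```python
import ast
import re

# Constructed sample (not from the post): a checkout change that starts
# forwarding cart data and an e-mail address to a marketing SDK and logs it.
SAMPLE_SOURCE = """
import logging
def checkout(user_email, cart_items, phone):
    logging.info("checkout for %s", user_email)
    marketing_sdk.track("abandoned_cart", user_email, cart_items)
    db.save(cart_items)
"""

# Identifiers treated as personal data (assumed heuristic, not Privado's rules).
PII_PATTERN = re.compile(r"email|phone|ssn|address|birth", re.I)
# Sink call names (assumed) and the kind of privacy finding each produces.
SINKS = {"logging.info": "log", "logging.error": "log",
         "marketing_sdk.track": "third_party", "db.save": "data_store"}
# Remediation guidance per finding kind, mirroring the post's "Fix Issues" idea.
ACTIONS = {"log": "mask/obfuscate before logging",
           "third_party": "open privacy review for new data sharing",
           "data_store": "ticket: onboard store to central deletion service"}

def _call_name(node):
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def scan(source):
    """Return (kind, identifier, line) for PII identifiers reaching a sink."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in SINKS:
            kind = SINKS[_call_name(node)]
            args = node.args + [kw.value for kw in node.keywords]
            for arg in args:
                if isinstance(arg, ast.Name) and PII_PATTERN.search(arg.id):
                    findings.append((kind, arg.id, node.lineno))
    return sorted(findings, key=lambda f: f[2])

def gate(findings, baseline, block_on=("third_party",)):
    """Diff findings against the accepted baseline; decide whether to block."""
    new = [f for f in findings if (f[0], f[1]) not in baseline]
    blocked = any(kind in block_on for kind, _, _ in new)
    return new, blocked

if __name__ == "__main__":
    new, blocked = gate(scan(SAMPLE_SOURCE), baseline={("log", "user_email")})
    for kind, ident, line in new:
        print(f"line {line}: {ident} -> {kind}: {ACTIONS[kind]}")
    print("deployment blocked" if blocked else "deployment allowed")
```

With the e-mail-to-log flow already accepted in the baseline, only the new flow to the marketing SDK is reported, and because it is a third-party flow the gate blocks the deployment pending a privacy review.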
From Reactive to Proactive
At Privado, we have seen these challenges while working with software-driven organizations. I vividly remember finishing a 6-month data mapping project for a large e-commerce company and not being confident answering the General Counsel's question of whether everything was up to date, because of the thousands of code changes that had gone live during that time.
To solve this problem, we have launched a Code Analyzer for Privacy. Our mission is to help software-driven organizations adopt Agile Privacy by Design Principles. We envision a future where code scans for privacy are a mandatory step for software release like security code scans are today. If you resonate with our approach or are curious to look at what we have built feel free to sign up for a demo.