Being Nimble in the Face of Changing Privacy Regulations

How Lean Data Practices can promote trust and prepare your company for regulatory change

Matt Wes
Mind Share

--

Companies, both large and small, grapple with how much data they need to collect. Collecting as much data as possible can, at times, seem like the best strategy to grow and innovate. Although data is a critical tool for growth, more data is not always better and may even be a burden on a company. That is why here at Mozilla we think about our data needs a bit differently. We’ve previously discussed the importance of Lean Data Practices, but now we are truly seeing the benefits of adopting them as we review the provisions of the EU General Data Protection Regulation (GDPR). Our experiences have shown that being smart about data collection early on can actually help a company be prepared to adapt in the future. Adopting Lean Data Practices can be an important part of creating a nimble company that is responsive to regulatory change and consumer concerns.

For those not familiar, Lean Data Practices is a framework designed to help companies think critically about the decisions they make regarding user data. By considering Lean Data Practices, companies can make smart, informed decisions to understand what data they truly need to collect. Lean Data Practices have three components:

  • Stay Lean: focus on collecting the data that you need;
  • Build in Security: consider the type of data you are collecting and implement appropriate protective measures;
  • Engage Your Users: tell your users what data you collect and how you use it.

No two companies or products are exactly the same, so Lean Data Practices recognize that there is no “one size fits all” approach to data collection. For instance, users may not think twice about activating GPS on their phone for navigation; however, those same users may push back if they learn that their navigation app constantly tracks and saves their location for purposes unrelated to the service. Lean Data Practices can help companies to avoid problems like this and promote user trust by engaging in a critical evaluation of data needs throughout every stage of product development.

The benefits of adopting Lean Data Practices are not limited to a hope that consumers will gravitate towards products and services that respect their data. Of course that is one benefit, but many of the reasons to adopt Lean Data Practices are firmly rooted in business realities. Simply put, collecting too much data can bloat a company and prevent it from acting nimbly in changing regulatory environments. For instance, Lean Data Practices encourage companies to think through many of the same issues that regulators care about most. The GDPR will require companies to implement privacy by design and conduct Privacy Impact Assessments (PIAs). These processes encourage companies to critically evaluate their data needs. Privacy by design, for example, requires companies to build privacy protections into all new products. Similarly, PIAs require companies that collect and process certain categories of data to first conduct a formal risk assessment of using that data. While many of the specifics of these requirements have yet to be published, the ultimate goal is familiar: for companies to critically think about their data needs before they collect and store user data. Lean Data Practices help you to do just that.

Good privacy practices are not limited to compliance, though, which is why Lean Data Practices also encourage companies to engage their users by clearly explaining their data practices. Of course, communicating a company’s data practices through a privacy policy is not a new requirement; however, it has taken on new weight under the GDPR. Companies adhering to Lean Data Principles may find the process of understanding and communicating their data needs under the GDPR to be more straightforward. The increased transparency will also help to assure regulators that data collection is done in a way that respects user rights. While some companies may struggle to find ways to demonstrate their commitment to user privacy under the GDPR, companies that have engaged with Lean Data Practices will have already had that conversation.

As with any new privacy regulation, the GDPR is first and foremost the EU’s recognition of the importance and value of protecting individual personal data. Lean Data Practices are a recognition of the same values, but from within a company. Our use of Lean Data Practices helped to guide our thinking through many of these issues long before the GDPR was released, and we are seeing the benefits today. We think that other companies can benefit, as well.

--

Law Student at Santa Clara Law, Tech Enthusiast, Former Hill Staffer, BBQ Aficionado, Niners Fan