Let’s Talk Privacy & Technology Episode 5: Building Privacy Into Cybersecurity Products with Paola Zeni
As part of my fellowship with Santa Clara Law’s leading privacy law program, I’m curating the Let’s Talk Privacy & Technology video series. Each episode features a privacy expert, practitioner, academic, or innovator. We discuss the intersection of privacy and technology, covering topics ranging from privacy engineering, privacy enhancing technologies (PETs), and data ownership, to data ethics, privacy tech, cybersecurity, and more. I publish episode notes in this blog, including this post dedicated to episode 4. [Episode 1 is available here; episode 2, here; episode 3, here; and episode 4, here.]
Episode Description
This episode, I reunite with Paola Zeni, Senior Director of Privacy at leading cybersecurity company, Palo Alto Networks, to talk about building privacy into cybersecurity products, what that entails, and the tools that B2B companies can use to decrease privacy-related friction in deals.
Episode Takeaways
- On the distinction between privacy and security: [I previously shared my take on the distinction between privacy and security in Episode 2. In short: Information privacy is concerned with the collection, use, dissemination, retention, and other processing of personal information, including the associated individual rights that empower individuals to take control over their personal information. Whereas, information security is concerned with the confidentiality, integrity, and availability of information (not just personal information, but also trade secrets, intellectual property, and other information that warrants securing) and the systems that process such information.] We both agree that the intersection lies where security is needed to maintain privacy by protecting personal information. Paola adds the following observation: From an organizational standpoint, the privacy function is often — although not always — in Legal, whereas the security function is oftentimes its own function or within IT. Paola observed how information security is a more mature domain than privacy in terms of audit controls and risk assessment methodologies, and that she’s learned from security on these points and incorporated them into her own privacy practice.
- On security as a legitimate interest for processing personal data: It’s noteworthy that security is considered a legitimate interest in data protection laws such as the EU’s GDPR. This means that cybersecurity companies have an additional legal basis for processing personal data in their products, and they don’t have to rely on consent.
- On building privacy into cybersecurity products: Paola shared her goal of building customer trust in Palo Alto Networks’ cybersecurity products. To her, this means ensuring that customers don’t feel like they have to make a privacy tradeoff in order to have security. There are two ways to demonstrate to customers that a company has struck the right balance between privacy and security, and thereby gain their trust: internally and externally.
- On what the internal product privacy work looks like: Internally, privacy has to be a part of the product development process. This means designing and engineering privacy into the product. This can be accomplished by creating a framework for engineers to think about and weave privacy into the product development process. One example is to create a privacy decision framework on top of the existing product development lifecycle process that the engineering and product teams already follow. This forces them to think of privacy decisions they’re making as they develop products. For example, engineers often have to make decisions about data minimization, which entails ensuring that the product does not collect or store more data than is necessary for the purpose of customer security. Without a privacy decision framework, engineers can overlook data minimization decisions during product development, which in turn could create privacy risks.
- On publicly evangelizing the internal product privacy work: Externally, a company can demonstrate their privacy posture and foster customer trust through different privacy evangelization initiatives. For one, B2B companies can deploy product privacy data sheets. They can also author privacy-related white papers, FAQs, and other privacy collateral and make these publicly accessible to customers and prospects in a “Trust Center,” along with security-related collateral and other product certification information.
Episode Theme: Product Privacy Data Sheets
Paola and I explored product privacy data sheets in this episode. We subsequently co-authored an entire article about them, including what they are, their elements, and why B2B companies should leverage them to create privacy business value.
Episode Links
- This episode is available on Santa Clara Law’s YouTube page.
- Paola is on Twitter and LinkedIn.
- For upcoming episodes, check out the Let’s Talk Privacy and Technology series page on the Santa Clara Law website.
