by Stuart Lee, Chief Privacy Officer, VMware & Annie Lin, Senior Director, Business Strategy, VMware
Privacy by Design principles can unlock digital agility.

Digital agility has never been more important. Good data handling practices are increasingly important for agility. With data breaches becoming an alarmingly common headline these days, it is no surprise that we keep seeing new privacy regulations and industry requirements being introduced. To efficiently address these ever-changing compliance requirements, many organizations are being motivated to develop a comprehensive strategy for modern app development, both in terms of how new apps are developed as well as how legacy apps can be modernized.
In the following sections, we will discuss how to develop a set of privacy principles for your organization and why embracing this at the inception of app development is critical to proactively address privacy, compliance, and security risks. The concept of Privacy by Design (PbD) will guide us along this journey.
Designing apps with ‘Privacy by Design’ controls
Embedding strong security and privacy controls at the design stage of a product or service through Privacy by Design (PbD), and revisiting them through every stage of the development lifecycle, will help ensure that privacy is not an afterthought that only gets addressed once the system is in production. Failure to address privacy issues proactively could lead to an increased risk of security vulnerabilities, non-compliance with privacy requirements, and erosion in customer trust.

For example, when the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) requirements were introduced, it was challenging for many organizations to integrate these new requirements quickly because their apps were built with a monolithic architecture. This led to ‘bolting on’ of solutions such as manual processes, making risk-based exceptions, and adding expensive third-party solutions to demonstrate compliance. This made clear the imperative to build apps armed with controls that enable organizations to mitigate risk and quickly adapt to future requirements. Doing so would yield other tangential benefits such as reducing the time and cost associated with remediation and other privacy risk management activities.
The intersection of app development and PbD
Building trust and brand protection are common needs for technology leaders. Combining data privacy and security risk prevention practices can enhance end-to-end data protection and make privacy the default setting. For policies to be actionable, it is important for executive teams to partner and utilize their unique expertise to ensure their organizations stay ahead of regulations, industry requirements and business needs, and adopt and implement PbD principles to protect their users’ data.

Importantly, by instilling trust through privacy-centric data handling practices, PbD can also strengthen relationships between these internal and external stakeholders. With constantly evolving privacy-related regulations and requirements, it is critical that organizations operationalize PbD across their apps and unify compliance, privacy, and security. The combination of these efforts will enable organizations to deliver a nimble digital transformation strategy.
Leading practices in creating privacy principles
Developing a set of guiding privacy principles for your organization can help your development teams, product managers, and other internal stakeholders to incorporate “Privacy by Design” into your product development process. Failure to follow these principles could lead to foundational gaps in how, and how quickly, privacy-related issues can be addressed going forward.
While laws and regulations vary, commonality can be found in four guiding principles:
1. Minimize data collection and usage.
Careful consideration of what personal data is collected, used, stored, shared, and why these data elements are necessary, is the first step every software developer should take when adopting “Privacy by Design.” The objective of this principle is to minimize the amount of personal data collected to only those data that are absolutely necessary. Furthermore, once personal data is collected, the processing of the data should be strictly limited to the purpose for which it was collected. For example, app development teams should be asked to consider, during the design and build stages, whether the same result can be achieved by removing individual identifiers. Doing so not only reduces the amount of data that organizations need to store and protect but also significantly reduces the risk of non-compliant processing activities.
2. Provide customers privacy controls and choices.
Transparency is a fundamental component of building trust with end-users, including both internal and external stakeholders. This means that the end-user not only understands why their data is being collected but is also provided with a choice over what personal data they can provide unless specific data elements are required by law or for a legitimate business purpose. In addition, the end-user must be able to access the data held about them or request that their data is deleted once it is no longer needed. This helps to drive the concept of “privacy by default,” by placing the individual in control over their data and what they feel comfortable sharing.
3. Protect personal data.
Privacy and Information Security teams must work in close collaboration to protect personal data throughout the data lifecycle. For example, role-based access controls should be implemented to control who can access personal data within a given application. However, the journey to safeguarding personal data also includes a strong vendor management program. Privacy and Information Security teams should work closely with business stakeholders and developers to select vendors and services that meet the organization’s requirements as well as those specific requirements detailed under applicable law.
4. Build in privacy from the start.
It is essential that app development teams think about privacy early, collaborating with Legal and Privacy Operations teams to operationalize privacy requirements. For example, data retention and deletion requirements need to be carefully considered during the design and build stages of apps that will collect and store personal data. By working together, teams can develop novel solutions to remove identifiable data elements and limit the amount of personal data being processed.
Final thoughts
As organizations continue to transform, it is critical that privacy, security, and compliance stay at the forefront of the app development process. Advocating for a PbD and privacy-first approach can ensure organizations develop apps in a manner that proactively anticipates and prevents data breaches, and that enables any new requirements to be incorporated quickly. These actions can then drive a culture that acts with a privacy and security mindset throughout all facets of the organization.