Innovating Done Right: Leading With Privacy by Design

by Annie Lin, Senior Director, Business Strategy, VMware & Stuart Lee, Chief Privacy Officer, VMware

Businesses must have robust data protection measures while ensuring their products and services remain competitive.

Data is the lifeblood of the digital business. Whether you’re in banking, healthcare, or technology, the use of personal data helps deliver more tailored employee and customer experiences. As a result, businesses need to have robust data protection measures while ensuring their products and services remain competitive amidst increasing regulatory scrutiny.

As we outlined in our article “Future Proof Your Modern Apps Using Privacy by Design,” organizations should develop a set of guiding privacy principles and incorporate them at the inception of app development. This foresight will save you time and extra costs, not to mention improve customer and employee trust. Incorporating privacy considerations during the design stage of the app development lifecycle enables development teams to proactively address privacy, compliance, and security risks.

However, balancing privacy and innovation is a common debate within product development teams. Often, there are two camps: those who want to focus more on innovation and those who want to focus more on privacy. Modern apps address both aspects. Businesses need to balance those two goals and align them in a way that helps them achieve their objectives while also respecting the privacy of users.

In this article, we’ll share VMware’s privacy principles and how our IT teams have incorporated these principles in their application design from day one. Privacy by Design enables our IT teams to build compliant experiences while mitigating security risks and ensuring adaptability to future requirements. We’ll share a few examples of our mission-critical apps that use large amounts of personally identifiable information and how we are innovating, designing, developing, and testing with Privacy by Design as a core feature. 

VMware’s privacy principles

Privacy principles should be central to all app development teams to ensure agility and timeliness in addressing compliance gaps and business needs. Here’s how our Global Privacy Team adapts these general principles across our IT teams to future-proof modern apps.

We minimize what we collect and use.

When creating modern apps, our IT and privacy teams review what personal data is currently collected, used, stored, and shared. Teams also carefully consider the purpose for which personal data is needed. For example, during our development of our Enterprise Privacy Portal, the privacy and development teams collaborated to design processes that required only the information necessary to enable an individual to exercise their privacy-related rights. 

We give our customers privacy controls and choices.

Unless specific data elements are required by law or for a legitimate business purpose, internal stakeholders can choose the personal data they provide. For example, employees can easily update their contact information and other personal data themselves through our HR platform. Also, users can control their transmission of voice data through the mute and unmute options in the VMworld VMware Talk app.

We safeguard personal data.

In close collaboration with our Information Security team, personal data is protected throughout the data lifecycle. The journey to safeguarding personal data begins by selecting vendors and services that meet our requirements. This includes completing security and privacy reviews for new vendors that will process personal data on behalf of VMware. For example, role-based access controls determine who can access personal data within a given application.

We build in privacy from the start.

Our teams recognize the importance of collaborating and co-elevating efforts. Privacy is built into products, services, applications, and business processes from the start and is continually evaluated throughout the data lifecycle. Development teams engage with the Privacy team early on to identify and operationalize privacy-related requirements. For example, teams carefully consider opportunities to minimize data collection or pseudonymize personal data during the data lifecycle, including the design and build stages of applications that collect and store personal data.

Leading with Privacy by Design in VMware’s modern apps 

We manage several mission-critical apps that are built in-house and process large amounts of personal data about employees, customers, or partners. Therefore, creating modern apps that incorporate our Global Privacy principles from the app’s design phase is key to protecting end-user data without negatively impacting usability or performance. Privacy is thereby built into these apps as a core feature, alongside other key priorities, such as user experience.

Below are two custom app examples of how our privacy principles shaped our application design and delivered compliant user experiences while proactively addressing feature updates. 

  • Employee benefits portal: The benefits portal serves as a central repository for employee resources about benefits. Given the sensitivity of employee personal data, our IT team incorporated company privacy principles at the app development stage. Considering privacy at this early stage ensured we were following lawful data processing in accordance with regulations, such as the European Union’s General Data Protection Regulation (GDPR).

    One of the portal requirements was to collect only the minimal data needed for a specific purpose. By doing so, we are following our privacy principles of data minimization and purpose limitation. In addition, we wanted to be transparent with employees about what data is collected and how the company uses data, and to restrict the data processing for the portal itself in accordance with our Global Privacy Policy and Employee Privacy Notice.

  • VMware Talk: As we all adapt to new ways of working, so do our conference experiences. Our flagship VMworld 2021 Conference will be remote. To foster a community experience for our attendees and enrich attendees’ networking experience, our Emerging Technologies team developed the VMware Talk app. This social audio platform allows attendees to log in with their VMworld credentials to join one of the event tracks, participate in topic discussions, and even to create their own private spaces to chat. To ensure attendees’ personal data is protected, the App team worked closely with the Privacy team to incorporate key privacy considerations.

    For example, the App team chose to omit recorded conversations, a decision driven by privacy and design considerations. Furthermore, VMware Talk collects only necessary personal data with explicit opt-in user consent and clear language explaining that the data will only be retained for the duration of VMworld and not used for any other purposes. Users also have full control over their audio, allowing them to choose when to join conversations and when to unmute or transmit voice data. Finally, all metrics and monitoring of data are fully anonymized and contain no personal data. All these design decisions follow our privacy principles laid out above.

Final thoughts

Data privacy and security are foundational pillars of customer trust, which is why it is crucial to address these requirements from day one. Developing a set of guiding privacy principles, creating products through Privacy by Design, and engaging privacy and security teams early on is critical to enabling product teams to deliver a compliant, yet superior customer experience. 

Your organization can future-proof innovation design by adopting privacy-centric practices. Taking this proactive approach to privacy within your app development process ensures your organization will not only be able to nimbly adapt to the ever-changing business and regulatory environment, but also be able to deliver on customer expectations and company objectives.