From the course: Creating a Culture of Privacy

Building privacy into your products

In addition to building documentation and an escalation path, another key component of operationalizing a culture of privacy is building privacy into the product development cycle and carefully thinking through the choices you want to provide your customers around their data. This is the concept of privacy by design. Let me assure you that privacy by design is much easier said than done and it takes a team of committed legal, engineering, design, and security folks, but it's an essential part of operationalizing privacy and ensuring that your products stand up to the privacy commitments you've made to your customers. If a product is delayed because of privacy issues, that's a clear sign the company doesn't have a culture of privacy. It shows that privacy was an afterthought, rather than a key component of a product's design. One of the toughest challenges facing privacy professionals today is making sure that the privacy implications of a product are considered throughout the design process, rather than slapped on at the end as a legal hurdle that must be cleared.

So how do you get privacy taken into consideration from the very inception of the product? Different approaches will work for different company cultures, but one thing I have found effective is attaching privacy questions onto whatever process is currently in place for initiating a project at your company. Every company has some requirements for getting resources to kick off and track a project. It's a good idea to try and add five or six basic privacy questions to that process. You'll want to ask high-level questions, like what data the new product or feature will collect? Or how the data will be used? Or who will have access? You should use the answers to these questions to determine whether or not there will be privacy implications to the proposed product or feature. And that's whether or not the privacy team needs to get involved.

Second, find someone knowledgeable about privacy to be embedded in projects that have a privacy impact. This person should attend all key meetings around the development and design of the product from its initial stages through to the commercial launch. Ideally, you want this person to be a privacy lawyer or privacy engineer from your team. However, if you don't have the resources, this is where launching a privacy champion program that trains folks throughout your organization on how to think about privacy and spot the issues can be really invaluable. A privacy champion sitting within the org that is developing the product can help ask the right questions and pull in the privacy team at key decision points in the development cycle.

Third, if you end up relying on folks like privacy champions, you may find it helpful to put certain guiding rules in place that address some of the more common issues that arise, such as data minimization, privacy settings, and deletion. These rules will help guide teams on some of the privacy decisions when you may not have enough resources to devote a team member to walk through every step of the development cycle.

Fourth, get the teams to think through the user experience. Is this a product that should offer customers an opt-out? Or even better, is this a product that may be so unexpected to customers or could be perceived as infringing on their privacy rights that they would expect to see an opt-in when using this product? These are all questions that should be asked as the product is designed, so that you can figure out how best to communicate these choices to your customer.

Finally, once a product is complete, but before it's launched, you should create a gating process in which security and the privacy team both sign off before the product can go live. The purpose of this final step is to ensure the product complies with all regulatory requirements, is in line with the company's privacy values, and meets your corporation's security requirements. If privacy by design is working properly in your organization, this final step should be nothing more than a check-the-box exercise. If the privacy by design process has failed or not been implemented at all, this final step will take some time.

So what is the key takeaway here? Don't make privacy an afterthought. Force your teams to think about it early, at the very inception of a new product, and create clear guidelines that outline your company's approach to privacy, so that product teams understand their objectives.
