How Does Privacy Affect My Job?

Change is constant in the technology sector, and professionals working in tech are continuously called on to integrate new processes and ways of thinking to stay abreast of their field. Privacy is a case in point. If you entered the workforce a decade ago in any number of tech-related tracks, privacy, and the processes that protect it, may have been a topic of passing interest. But with the emergence of the GDPR, the CCPA, and other landmark pieces of legislation, privacy has become a pivotal concern in the development space and beyond. This article provides a quick synopsis of how different roles in technology organizations are affected by the renewed focus on user privacy in jurisdictions all over the world.

DevOps:

Teams must now incorporate privacy considerations into the development process while balancing ongoing pressure for speed and agility. The SANS Institute suggests a number of best practices that DevOps teams can use to stay privacy compliant while working efficiently. Here are the most crucial:

  • Streamlined Access Control: Business processes and systems must ensure that only authorized users can access sensitive information. Session management controls such as tokens and timeouts should be used so that access is both authenticated and time-limited, which narrows the window in which a stale or stolen session can be abused.
  • Error Handling and Logging: DevOps teams must store logs securely and track all administrative activity, plus all inbound and outbound data processing activities. Logs should record who did what and when, not copies of the personal data being processed; otherwise the log itself becomes another store of sensitive information that has to be protected.
  • Continuous Integration: DevOps teams should build authentication, password management and other security features into the code itself, and incorporate automated security scanning into the delivery pipeline so that regressions are caught before release.
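As an added illustration of the first two practices above (example code written for this page, not taken from SANS or the original article): a session token whose timeout travels with it as a signed expiry claim, a verification step that checks the signature before it trusts anything in the claims, and an audit log that records every authorization decision without copying the token or the data being accessed into the log. The signing key, the role names, the in-memory log sink and the fixed clock values are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical signing key: generated fresh here so the example runs offline.
# In a real service, load it from a secrets manager, never from source control.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed in-memory audit sink; in production ship entries to append-only storage.
AUDIT_LOG = []


class TokenError(Exception):
    """Token is malformed, tampered with, or past its timeout."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, roles, ttl_seconds, now=None, key=SIGNING_KEY):
    """Issue a session token whose timeout travels with it as a signed 'exp' claim."""
    now = int(time.time() if now is None else now)
    claims = {
        "sub": user_id,
        "roles": sorted(set(roles)),
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # per-session id, used to trace or revoke one session
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token, now=None, key=SIGNING_KEY):
    """Check the signature first (constant time); only then trust the expiry claim."""
    now = time.time() if now is None else now
    if token.count(".") != 1:
        raise TokenError("malformed token")
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        given = _unb64(sig)
    except ValueError:  # binascii.Error is a ValueError
        raise TokenError("malformed signature")
    if not hmac.compare_digest(expected, given):
        raise TokenError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise TokenError("session expired")
    return claims


def _audit(event, claims, action, resource, outcome):
    """Record who/what/when/outcome. Never the token, never the data being accessed."""
    AUDIT_LOG.append({
        "ts": int(time.time()),
        "event": event,
        "sub": claims["sub"] if claims else None,
        "jti": claims["jti"] if claims else None,
        "action": action,
        "resource": resource,
        "outcome": outcome,
    })


def authorize(token, action, resource, required_role, now=None):
    """Allow `action` on `resource` only for a live session that holds `required_role`."""
    try:
        claims = verify_token(token, now=now)
    except TokenError as err:
        _audit("auth.denied", None, action, resource, str(err))
        return False
    if required_role not in claims["roles"]:
        _audit("auth.denied", claims, action, resource, f"missing role {required_role}")
        return False
    _audit("auth.granted", claims, action, resource, "ok")
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the walk-through is reproducible
    admin = issue_token("alice", ["admin", "viewer"], ttl_seconds=900, now=t0)
    print(authorize(admin, "export", "customers.csv", "admin", now=t0 + 60))   # True
    print(authorize(admin, "export", "customers.csv", "admin", now=t0 + 900))  # False: timed out
    forged = ("B" if admin[0] != "B" else "C") + admin[1:]                    # edited claims
    print(authorize(forged, "export", "customers.csv", "admin", now=t0 + 60))  # False: bad signature
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

Checking the signature before reading the claims is the part that matters: if the expiry were read first, anyone who could edit the token body could extend their own session. The audit entries carry the subject and the per-session id, which is enough to reconstruct administrative activity later without turning the log into a second copy of the personal data the system handles.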

UX:

The key principle that has emerged in the UX space is “privacy by design.” This framework was developed in the 1990s by Dr. Ann Cavoukian, then Information and Privacy Commissioner of Ontario, and sets out seven principles for embedding privacy into the very fabric of a software product. The framers of the GDPR held Dr. Cavoukian’s work in such regard that they made it a tenet of the legislation, as “data protection by design and by default” in Article 25. Below are the seven principles of privacy by design that UX professionals must now incorporate into their work:

  • Proactive not reactive: preventative not remedial
  • Privacy as the default setting
  • Privacy embedded into design
  • Full functionality: positive-sum, not zero-sum
  • End-to-end security: full lifecycle protection
  • Visibility and transparency: keep it open
  • Respect for user privacy: keep it user-centric

Product:

Product managers have more responsibility than most for ensuring that their organization heeds new privacy regulation. They’re ultimately responsible for product quality, and a product that runs in a non-compliant way is, in essence, a defective product. Fortunately, product managers have resources across the organization to help them stay up to date with privacy reform. In her guide to GDPR mastery for product managers, Karen Cohen runs through a set of organizational processes that should be employed to protect against privacy violations:

  • Work closely with legal teams: it’s their responsibility to understand the regulations and how they might impact your product. It’s the product manager’s job to translate their guidance into actionable steps for the different stakeholders in the business.
  • Research and compare: domain knowledge is important. So is competitor research. How are other businesses in your sector handling information access requests (subject access requests, in GDPR terms)? What do their opt-ins and opt-outs look like on their sites? These are breadcrumbs your business can follow on the path to privacy success.
  • Establish clear ownership: if you have a big, complicated product, it’s impossible for a single person to have granular privacy oversight throughout the system. That’s why it’s important for product managers to establish clear roles and areas of ownership, including a reporting structure that supports the Data Protection Officer the GDPR requires many organizations to appoint. Building this structure from scratch is undoubtedly a challenge, but in the long term purposeful delegation beats ad-hoc process every time, and leaves your business less vulnerable to breaches and violations.

This Article is Republished from our Privacy Magazine – To read more, visit Privacy.dev

Data Security: 4 Ways Your Team Can Do Better

With all the breathless news coverage of high-profile data breaches in recent years, one could be forgiven for thinking data heists are always the result of sophisticated efforts by devious hackers in far-off lands. The reality is much plainer. According to a recent study by Securis, 25% of data breaches are caused by simple employee error. So if your team spends all its time trying to anticipate black swan events, it can overlook the everyday safeguards needed to keep data secure in a fast-moving business environment. In some jurisdictions, such as Europe under the GDPR, many organizations must appoint a designated Data Protection Officer to oversee the day-to-day management of their data security processes. But whether you’re a large organization operating in GDPR territory or an SME preparing for greater data regulation, such as the California Consumer Privacy Act (CCPA) taking effect in the US in January 2020, below are 4 actionable steps your team can take to do the basics right:

Continue reading “Data Security: 4 Ways Your Team Can Do Better”

If You Do Nothing Else to Be User Data Privacy Compliant, At Least Remember These 3 Things…

Just a few short years ago, the idea of user data privacy compliance on the internet was as dubious as the idea of Miranda rights in the Wild West. Back then the web was (and many would argue still largely is) an adolescent medium growing at supernova speed. Boundaries were only discovered long after pioneers had crossed them, and regarding personal data the frontier mindset prevailed: if you could catch it, you could keep it. But in recent years, this particular aspect of online exchange has finally begun to see welcome regulation. Now there are real consequences for actors that fail to follow regulatory requirements in the collection, storage, and exploitation of personal data.

The GDPR in Europe is the most widely known and powerful piece of data regulation, but it’s important to realize that many of its tenets are soon to be adopted, in one form or another, worldwide. In California, the CCPA comes into effect on January 1, 2020. India is currently finalizing a far-reaching data privacy bill. In Brazil, the LGPD is expected to become the law of the land sometime in early 2020. For businesses all over the world, the need to be user data privacy compliant will only grow more important. So, let’s assume that you aren’t yet able to pore over the fine print of each piece of legislation to ensure you’re in compliance. What are some general steps you can take to protect your business from falling afoul of the regulator?

Continue reading “If You Do Nothing Else to Be User Data Privacy Compliant, At Least Remember These 3 Things…”