Companies and governments are now investing heavily in process automation, robotization and digitalization, and are increasingly going digital amid the COVID-19 outbreak. Being locked down at home, working remotely and using online solutions as a result of the pandemic is a clear indication that shifting from “brick-and-mortar” products, services and business processes to their digitalized counterparts could mean the mere survival (e.g., book publishers) or the unprecedented, exponential growth (e.g., online delivery services) of certain companies. Adapting to the new environment is the key to success, as it is likely that the end of this crisis will bring an even more rapid increase in workers and customers being connected through remote digital solutions, using online services and/or purchasing products through apps.

Digital transformation is about rethinking traditional business processes through and within the context of technologies that profoundly rely on processing data, including personal data, metadata and other kinds of regulated information types. Therefore, businesses must be aware of the related data protection and privacy laws and regulatory requirements relative to the development of digitalized solutions, such as products, services and business processes. Furthermore, they must implement and enforce the relevant requirements throughout the entire lifecycle of the digital solution.

However, if digital transformation is forced because this pandemic pushes traditional businesses out of their comfort zone, business operators may neglect to implement the necessary privacy controls, which can lead to bad privacy practices resulting in serious data loss and business reputation issues. Recently, we have all seen that users turn away from, and regulators may ban the use of, digital services that fail to ensure the appropriate level of data protection and security.

It is good practice to involve the data protection compliance function in the development process as early as possible. When going digital, data protection principles can be best executed through identifiable and documented controls embedding privacy into the design of the digital system, which may include:

  • Initial risk assessments: Prior to identifying specific privacy controls and measures, the business should formally conduct and document a privacy risk assessment (a data protection impact assessment in the EU), which the data protection function may revisit and update throughout the whole development process to oversee and monitor the level of the related risks.
  • Privacy dashboard: Regardless of the output of the initial risk assessment, it is good practice to implement the privacy dashboard function in consumer-facing apps. This is a separate function that can be accessed from a hamburger menu (e.g., being always two taps away for users) where registered users are able to learn the necessary privacy information (e.g., through layered privacy notices, privacy icons or infographics, embedded videos); access consent management functions, as consent requirements may vary from use case to use case, such as direct marketing, the California Consumer Privacy Act or ePrivacy-related requests (e.g., storing application metadata on the users’ device or implementing application usage analytics); and access privacy rights management functions (e.g., to exercise data portability or submit accessibility requests).
  • Applied language: The language used in the privacy information and consent requests may not force consumers to accept more than necessary, use shaming consent language (e.g., creating guilt or blackmailing the user for missing out on something “important”) or block them from accessing relevant functions within the app. In that regard, the French data protection authority, the CNIL, in its report “Shaping Choices in the Digital World” differentiates between abusive, deceptive and dangerous design patterns that the data protection compliance function should also be aware of.
  • Privacy-by-default settings: The data protection function must make sure that initial values for variables in the application, source code, consent checkboxes, radio buttons or sliders are set in a privacy-friendly way by default, which may be checked by compliance checklists or by mock user interface/experience reviews.
  • Dataset reviews: Software developers and the data protection function, along with the business development units, should review the list of variables and datasets that the application intends to use together as a whole and rule out those sets that may extend over the necessary minimum, potentially breaching the principle of data minimization.
  • Profiling and automated decision making: The data protection function must carefully assess if the digital solution involves any profiling or automated decision making relative to the users (e.g., rewarding or blocking the user from options) in some way and make sure that the related data protection controls are implemented (e.g., consents are applied and managed).
  • Input validation: Depending on the level of the associated risks, the data protection function may require implementing input validation controls to ensure data accuracy (e.g., accuracy of address related data) and enforce security (e.g., against injection type attacks).
  • Data security: Data security requirements must be a strong and integral part of the data-protection-related non-functional requirements and must be aligned with the results of the data protection risk assessments. End-to-end security requirements must cover the whole system, not only the user-facing parts, and must be present when changes are being made to the system (e.g., by migrating the back-end systems to a new platform or adding new functionality to the app). Data security requirements may cover related internal processes, such as supporting data breach management processes, or security and resiliency testing procedures. It is common that the back-end is hosted at a major cloud service provider where the data protection related responsibilities are shared between the company and the CSP. Thus, the data protection function may define and set up the related procedures, as well. Non-functional testing may cover regular penetration tests of the app and the back-end systems, including testing for reverse engineering, and load or stress testing the solution to avoid availability related data breaches. Security and resiliency testing may be carried out before going live on dummy data.
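
The privacy-by-default and dataset-review controls in the list above can be backed by an automated check that runs alongside the compliance checklist. The following is an added example, not part of the original article; the manifest layout, consent names, purposes and field names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample: consent toggles and their initial values in a consumer app.
CONSENT_DEFAULTS = {
    "essential_session": {"default": True, "strictly_necessary": True},
    "usage_analytics": {"default": True, "strictly_necessary": False},
    "direct_marketing": {"default": False, "strictly_necessary": False},
}
# Constructed sample: purposes documented in the risk assessment and the fields each needs.
PURPOSE_FIELDS = {
    "account": {"email", "display_name"},
    "delivery": {"postal_address", "phone"},
}
# Constructed sample: fields the application actually collects.
COLLECTED_FIELDS = {"email", "display_name", "postal_address", "phone",
                    "date_of_birth", "contacts_list"}

@dataclass(frozen=True)
class Finding:
    control: str
    item: str
    detail: str

def check_privacy_by_default(consents):
    """Flag every optional consent whose initial value is 'on'."""
    findings = []
    for name, cfg in sorted(consents.items()):
        # Fail closed: a missing 'default' counts as enabled and a missing
        # 'strictly_necessary' counts as optional, so gaps surface as findings.
        enabled = cfg.get("default", True)
        necessary = cfg.get("strictly_necessary", False)
        if enabled and not necessary:
            findings.append(Finding("privacy-by-default", name,
                                    "optional processing is pre-enabled"))
    return findings

def check_data_minimization(collected, purpose_fields):
    """Flag collected fields that no documented purpose requires."""
    justified = set().union(*purpose_fields.values())
    return [Finding("data-minimization", field, "no documented purpose")
            for field in sorted(collected - justified)]

def review(consents, collected, purpose_fields):
    return (check_privacy_by_default(consents)
            + check_data_minimization(collected, purpose_fields))

if __name__ == "__main__":
    for f in review(CONSENT_DEFAULTS, COLLECTED_FIELDS, PURPOSE_FIELDS):
        print(f"[{f.control}] {f.item}: {f.detail}")
```

Run in a build pipeline, a non-empty findings list can block a release until the data protection function has reviewed the flagged default or field.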

In the digital world, privacy and data protection compliance requires a delicate balance of legal, IT, compliance, e-commerce, digital marketing and information security arts. It is not only the attractive design of the user interface and a smooth user experience that matter; there are also increasing concerns and reputational risks relating to the privacy-by-design aspects of new digital solutions.

Digital transformation is a complex matter generally driven by businesses seeking growth and value creation. When going digital, a business should normally start with planning, analysis of the relevant business needs, and defining the functional and non-functional requirements for the related software development. Compliance requirements are generally mirrored in these non-functional requirements. However, data protection compliance will also require businesses to actively design functional requirements in a manner that differs from what they are used to in order to satisfy strict data protection laws and regulations.

Haste makes waste, and privacy-by-design is often neglected. The reason for this is that several businesses are now finding themselves under the most difficult circumstances, namely, having to find an instant solution to conduct digital business, and also that the applicable privacy-by-design principles are not easy to implement in actual practice. On the other hand, the pay-off, such as consumer loyalty and approvals from the regulator, will make it all worth it, and a data-protection-proof digital solution will excel in value creation, both for its users and for the businesses.
