Whether you’re a privacy professional or a software engineer, you likely have many stories about the opportunities, challenges and spirited debates within your organization, particularly in the recent run-up to EU General Data Protection Regulation. Privacy and engineering teams ultimately share a common goal: to create great customer and user experiences. Getting there, however, can feel like the other team comes from a different planet. To engineers, privacy principles advanced by privacy professionals may appear to come from Venus, while to privacy pros, engineering rules may appear to come from Mars.
In today’s GDPR and privacy-inspired world, these teams and their planets must find orbital alignment.
Venus versus Mars
Typically, privacy professionals (including those of us who have been to law school) advocate for — and even prefer — flexible guiding principles rather than strict rules, particularly in an era of innovation, disruption, and rapidly evolving technologies. On Venus, the atmosphere is denser, which makes things a little less clear. For privacy pros, context matters, one size does not fit all, and we navigate with a risk-based approach. Our world is rarely black and white, and we have learned to become comfortable with these broad-brushed guiding "principles."
Meanwhile, most engineers have historically lived on a planet with high visibility, where they have learned to expect clear-cut, stable, well-defined, unambiguous requirements and rules. The cybersecurity space, the Mars of this analogy, offers a useful comparison: the security engineering community has well-established standards-setting organizations (such as ISO, CIS, PCI and NIST) and arguably clearer, more mature requirements of the kind engineers typically prefer. There seems to be a longing to address emerging privacy issues in this more familiar way, which is not always possible on Venus. More often than not, aligning privacy principles with highly personalized user experiences is a tough assignment for privacy pros and engineers alike, and attempts to define clear privacy rules often cause much debate and even tension.
The key challenges
Reflections on the run-up to the GDPR remind us that the journey for all stakeholders hasn’t always been easy. But then again, it’s all about the journey, and looking back, it has been remarkable. Here are some of the consistent challenges both planets face as we learn how to better collaborate to define the privacy and engineering requirements that address the following high-level privacy principles.
Data minimization and purpose limitation versus big data
Privacy principle: Under most privacy laws, companies are only permitted to collect personal data necessary for a specified purpose. A simple example is that you don’t need to collect a physical address for an email newsletter. As a foundational point, defining personal data and changing organizational thinking around it is no small task, particularly given the rapid pace of technological advancement, which makes identification possible with ever fewer data points, and the dynamic nature of personal data.
Engineering rule: On the other hand, engineers are used to designing systems to meet the business objectives for big data and the internet of things, and to planning ahead for an artificial intelligence–driven world. These systems are designed to maximize data collection that could be used for future analysis and application. A related subject of current debate is that collecting less data, in the name of data minimization, can lead to algorithmic bias.
Right to explanation versus “the black box”
Privacy principle: The controversial “right to explanation” in connection with automated decision-making and the requirements for transparency are vague.
Engineering rule: A right to explanation may conflict with the “black box” behind complex systems automating decision-making based on AI and machine learning. Moreover, explaining technical algorithms in an easy-to-understand way so consumers can make informed choices (e.g., transparency) is complicated.
Right to be forgotten versus data deletion
Privacy principle: Consumers have a broad “right to be forgotten.”
Engineering rule: Historically, engineers have built systems to retain data forever in an effort to support the types of long-term business objectives described above. The challenge for engineers and privacy pros alike is the basic task of defining “deletion,” because, among other things, what deleting data means is contextually relevant and system dependent. Moreover, there’s even misalignment among the Mars inhabitants as to how deletion can be achieved in certain systems, making it tricky to adhere and adapt to this privacy principle.
Data portability versus protecting the secret sauce
Privacy principle: Data portability rights enable consumers to not only obtain a copy of their data but also direct a company to send their data from one company to another.
Engineering rule: Writing engineering rules in this space poses significant challenges: agreeing on industry formats for data sharing between companies that meet the structured, commonly used, and machine-readable requirements; authenticating and securing the data transfers; and protecting the privacy of other people whose data may be contained in the requested data, as well as any proprietary information.
What is increasingly clear is that the best way to align these two planets is through an understanding of each other’s worlds and needs and meeting somewhere in the middle of principles and rules — which ironically lands us on planet Earth.
So how can we work better together? We can all start by embracing this amazing opportunity for collaboration. After all, it’s privacy’s time. Here are some ideas and developments that are worth watching.
Develop requirements in close partnership
Privacy professionals and engineers must spend a little time on each other’s planets and work together to translate privacy principles and emerging guidance into engineering requirements. For some privacy pros, this may mean increasing their technical knowledge and understanding of engineering processes and operations (tools, road maps, prioritizations). Engineers may need to become even better versed in privacy principles and the vagaries that come with them, gaining acceptance of the fact that principles are dependent on context and subject to interpretation (and reinterpretation), unpredictably causing requirements to change or be subject to a particular system (as upsetting and inefficient as it may be). As a practice point, there may be functions within an organization that have traditionally taken on the role of translating business or other needs or pain points into engineering requirements that can be properly understood and implemented (e.g., product managers, architects, program managers).
Evangelize your privacy culture and extend your reach
Among the things we did at Adobe to elevate our privacy culture in the engineering community was to conduct privacy-readiness sessions and design workshops in key engineering forums. We also looked for ways to engage and "gamify" privacy awareness and education campaigns. Among them, we launched a "Privacy Drive for Five" highlighting the top five things everyone could do for GDPR readiness. We also created a Privacy Insider newsletter (opt-in for those employees in Europe, where needed, of course) and launched a GDPR change agent network. To scale the business, we created playbooks, FAQs, and held regular privacy office hours for the different teams on different topics to make sure we could answer all of the questions in a consistent and scalable format.
At Adobe, internally, it is a close partnership with our CIO, CSO, and business and development teams that helps drive change. Externally, we encourage participation in forums such as the IAPP’s Privacy Engineering Section to enable the sharing of ideas, standards and best practices. We recommend following privacy professionals on social media to understand the big issues in the legal headlines.
Follow emerging technical standards
Follow, participate in, or at least get up to speed on emerging privacy technical standards, and where possible help your company understand and adopt them. Among just a few areas to watch:
- Consent frameworks: An important area to the ad tech ecosystem is the work of the Technical Working Group of the IAB Europe on the Transparency and Consent Framework.
- ISO privacy standards: The U.S. is forming a Technical Advisory Group under ANSI to influence ISO/PC 317, the new "Consumer Protection: Privacy by Design" standard. There is also ISO/IEC 19941:2017, which covers cloud computing interoperability and portability.
- The Data Transfer Project/data portability: Google, Facebook, Microsoft and Twitter recently formally launched the Data Transfer Project, which is a common framework with open-source code that can connect any two online service providers, enabling a seamless, direct transfer of data.
- AI: Follow the developments of the European AI Alliance and the Partnership on AI.
Design with privacy in mind
Legally speaking, we all have to do it anyway, but more importantly, a privacy-by-design approach helps ensure that we all have a sustainable culture of privacy, creates accountability, and helps embed privacy in meaningful roles within your engineering infrastructure. As an example, conducting privacy impact assessments at early stages in your product or software life cycle, with final checkpoints before release, is a great way for the spirited dialogue to take place. Engineering may be able to leverage the existing secure development life cycle within its organization to build out specific privacy-by-design touchpoints and programs.
Embrace agility in a changing, global privacy landscape
Although companies have been heavily focused on GDPR for quite some time, the world continues to turn. California has recently passed a landmark privacy law, and requirements in the Asia-Pacific, India and Latin America are evolving. Areas to watch include a new privacy law in Brazil, Australia’s new consumer data right to data portability, and developments on data localization and cross-border data transfers.
When Venus and Mars are aligned, the possibilities are very exciting and privacy can be a positive part of the customer experience. At Adobe, we call this "experiential privacy."