Resilient Privacy

Rebecca // August 23 // 0 Comments

Wouldn’t it be nice if your data protection program were resilient to changing privacy requirements? Imagine if you could exceed today’s regulatory compliance requirements and prepare for the changing landscape of tomorrow.

I suggest three options that enable your privacy program to be proactive about new regulations instead of reactive to them. Additionally, these will make your data protection program resilient to changing culture and other issues that create privacy atrophy. Furthermore, these data protection investments are particularly cost-effective.

Practical Steps to a Privacy Program That Is Resilient to Privacy Atrophy

Here are three ways to invest in privacy that will reap long-term benefits. 

    • Define and track metrics about the data you store. What data is user data? Is it overshared, and how do you define overshared? Who accesses user data? Then build reports or alerts on this data, so someone in your company knows if things go sideways. One big initial cost with this option is agreeing on what to measure, since company leadership from legal, marketing, and engineering should all be engaged in the conversation. I’ve seen the value of having metrics to proactively manage data protection.

    • Train your software engineers and security engineers about privacy. I’ve done multiple interviews with developers on privacy, and they almost universally care about privacy, but many lack concrete ideas on how to integrate it into their work. Training has a relatively low initial cost to the company. The payback depends on retention and the culture of your company.

    • Use Privacy Enhancing Technologies (PETs) such as anonymization or distributed trust where appropriate. Don’t write these PETs yourself, just as you don’t write your encryption from scratch. Open-source or commercial providers of PETs can track the threats and changing landscape of privacy attacks and update their tools. The initial cost to purchase integrated PETs may be higher, as with outsourcing anything, but the reliability and efficiency over time may make it worthwhile.

Each of these options on its own will yield improvements in your privacy program. Tracking metrics and training your engineers are particularly cost-effective: despite the up-front costs, they can reap long-term benefits. Put all three together for a resilient privacy program.

Where to learn more:

Measuring Return on Investment for Employee Training 

There is no easy number for ROI on employee training, as it depends on the quality of the training and whether it changes behavior in a way the company values. Here

Measuring Return on Investment for Privacy

Again, there is no magic bullet for measuring the ROI of privacy programs, but this collaborative LinkedIn article is a useful start. Here

Privacy Metrics:

The Future of Privacy Forum has compiled a list of privacy metrics in use. Many of the metrics listed there lean towards measuring compliance and whether operational steps have been completed. Here

Privacy Enhancing Technologies:

There is no standard list of what counts as a PET, but this article is a nice introduction for engineers. Here

Why resilient privacy is needed: 

Privacy Atrophy

Leaning Tower of Privacy

About the Author Rebecca

Dr. Rebecca Balebako builds data protection and trust into software products. As a certified privacy professional (CIPP/E, CIPT, Fellow of Information Privacy), ex-Googler, and ex-RANDite, she has helped multiple organizations improve their responsible AI and ML programs.
