Privacy tests help you protect people. If you have data about people, you are responsible for reducing potential harm to them. The most important reason to run a privacy test is to help keep people safe. It’s easy to get lost in the details of privacy compliance and legal wording when building a privacy program. Privacy tests identify and fix vulnerabilities so that the people who have entrusted you with their data are protected.
There are many types of privacy tests. Let’s discuss a few that provide increased protection.
Compliance checklists can include surveying an organization’s managers about their procedures and checking off compliant practices. These types of checklists offer an additional benefit; when done well they can communicate to various organizations that privacy compliance is important across the company.
User Experience testing for privacy can specifically test that users notice or understand privacy settings or communications. User research can also check that features match people’s preferences around their data protection and guard against deceptive design patterns.
Privacy monitoring tests are tests against the system or infrastructure that continually measure whether the data is sufficiently protected. One potential metric to monitor is how many employees have access to sensitive user data. Another metric could be how much data remains within the retention period. This ongoing monitoring can trigger an alert when metrics don’t meet the company standards, and allow teams to fix the problem before it turns into a leak or compliance violation.
Adversarial privacy testing puts a spotlight on vulnerabilities from an attacker's perspective: These vulnerabilities are often overlooked by the separate legal, security, and development teams who implemented the protections. An adversarial privacy test can also add an element of reality to the vulnerability by showing what is possible, and at the same time making sure that no one experiences privacy harm.
Overall, privacy testing allows organizations to check compliance with privacy regulations and to monitor for risk. Each has its place in a company; legal compliance can be audited through checklists, user experience can provide a nuanced understanding of privacy expectations, and regression tests can monitor the data infrastructure. Adversarial privacy can find real risks from motivated attackers.