When some people talk about “privacy by design,” they mean inviting someone with the word “privacy” in their title to sit in on a product meeting.
But building privacy into a system’s design, operation and management should start way earlier than that.
Otherwise, businesses are cruising for a regulatory bruising.
“Unless companies can get deep into the code, they’re going to miss a lot of what’s happening with data inside of their organization,” said Peter Swire, a law professor and former White House privacy official under presidents Clinton and Obama who is now advising small, early-stage privacy tech startup Privya.
Better safe than you know what
Privya, which came out of stealth mode in August with $6 million in seed funding, has an AI-powered scanner that analyzes a company’s software source code before it goes into production to check for data protection issues.
The scanner automatically maps the flow of personal data and identifies where it’s being collected, how it’s used and where and how it’s being stored, including whether third parties have access to it.
“If you don’t mitigate your risks from the get-go and you wait until everything is in production, that’s not privacy by design,” said Uzy Hadad, Privya’s founder. “At that point, a company is already exposed.”
But companies can also use the technology to scan existing legacy code and look for vulnerabilities.
When Privya’s scanner comes across a problem, it automatically creates a ticket that gets flagged to the client’s engineering team through integrations with project management solutions, including Jira and Azure DevOps.
Less technical people, like board members or data protection officers, can run more high-level reports and look at dashboards that summarize Privya’s findings.
Putting the ‘AI’ in privacy
Automation is the lynchpin of Privya’s process.
Without it, compliance gets very complicated very quickly, said Swire, who noted that compliance is about more than adhering to regulations.
As a result, platforms (hey, Apple) are making privacy-related changes that have an immediate and profound impact on how companies operate.
“As requirements change, companies will need to figure out which of their existing activities they can continue or not,” Swire said. “And if you have a deep understanding of your code base, then you’re in a better position to do that.”
It’s also a good rule of thumb – and a requirement under certain privacy regulations, including GDPR in Europe – for companies to document the personal data they process and maintain a record of that processing activity.
But doing that manually introduces the potential for human error and makes it more difficult to quickly demonstrate compliance if a regulator does come knocking.
“There’s a lot of risk to staying at a custom level,” Swire said.
Swire’s POV
And Swire knows of what he speaks. His privacy bona fides are well established.
In addition to his past work with the White House, he’s also a professor of law and ethics at Georgia Tech, a senior fellow at The Future of Privacy Forum, a research director at the Cross-Border Data Forum and senior counsel on Alston & Bird’s privacy, cyber and data strategy team.
(And Swire was one of the foot soldiers who toiled in the trenches of the ill-fated Do Not Track initiative as co-chair of the W3C’s Tracking Protection Working Group between 2012 and 2013.)
Although the privacy tech space is booming – the International Association of Privacy Professionals clocked a 777% increase since 2017 in the number of new privacy tech vendors – Privya is the only privacy tech startup that Swire advises.
He was attracted to the company because “it personifies what we call the ‘shift left’ phenomenon in privacy,” Swire said, which is about being proactive and avoiding problems before they occur.
Because there’s no avoiding scrutiny from politicians or platforms.
President Joe Biden specifically addressed data privacy during his State of the Union address in February; Apple isn’t backing down on AppTrackingTransparency; browsers are getting more aggressive about blocking cookies; and by the time 2023 draws to a close, there will be five different state privacy laws in effect across the US.
Although chief privacy officers and attorneys can help guide a company’s approach to privacy compliance, privacy management is increasingly becoming an engineering issue.
“Lawyers can’t handle the complexity of data flows by themselves,” Swire said. “It’s going to take software and engineering to provide any assurance that privacy is being built into execution.”