Privacy by Design is an approach to data protection that everyone should apply in their next digital project. When you build a brand or an online product, it is critical that you gain the trust of your customers. It's the only way to be successful. This can be achieved by ensuring transparency and giving control to your users and implementing Privacy by Design.
On top of the global company policies required by international standards to meet certain compliance criteria, Privacy by Design specifies 7 principles. We won't go into all of them in detail today, but I just wanted to highlight the main two:
- Privacy should be the default setting
- Privacy should cover the end-to-end life cycle protection of the user data.
Let's get to it.
To get started, it's always best to implement privacy by design from the beginning of a new project. But we're meeting more and more clients where a full revamp is not an option, as they have already invested so much in their current solution.
Privacy by Design audit
The next best thing is that we can still audit their current application and their software development lifecycle process, and start recommending different improvements at various stages.
User Experience
We'll usually start at the UX stage with the planning and designing of forms for example, where we need to query every data point that is being captured and ensure it is absolutely required. You also need to plan additional user journeys for your customers to be able to edit and even delete their data, as it's their right.
Copywriting
Next is copywriting, which is also so key to this concept of transparency, because you need to explain in a very simple language, in plain English to the user, why you are collecting the data and how you will use it. It is really critical for trust.
Technical Implementation
Then onto the technical implementation stage. This is where you need to follow a very secure development process, have policies, and checks and balances for the code quality, following best practices on form validation and sanitizing, the inputs... All of that is a given for most developers. To push that even further on a higher level, you need to think about the access policies, to control who can see what data.
It gets really tricky and can be very complicated when you integrate with third-party systems. The data gets transferred or sync'd with API through CRM or no-code or low-code tools... It can get a bit muddy, and you really need to be in control at all the time and ensure that the data is secured wherever it is replicated or transferred to.
Quality Assurance
Next is the quality assurance stage with the testing and security, where you're trying to break the web application and run penetration testing that could highlight vulnerabilities - where the data could potentially be exposed. That's a high risk to mitigate.
Hosting & DevOps
Finally, throughout the whole process with the hosting architecture, with the DevOps team, planning where the data is being deployed and where it's being backed up, or how frameworks are patched and the retention policy, how the data gets archived and deleted... There are so many things to think about.
Sensitive Data
Remember there would be extra policies and processes to put in place if you start dealing with sensitive data: anything related to healthcare or storing political or religious information about your users, or if you start dealing with children's data. It's becoming really strict.
So that's it for today as a quick intro, I hope you found this useful.
If you're considering implementing privacy by design or need help to improve your processes around data privacy and security, just get in touch. Don't forget to subscribe to my YouTube channel and follow me on Twitter to keep learning with me and grow your career in digital.
Until next time, stay safe and see you soon.
