Data privacy and storing only what you need
By Alex Norman —
Privacy is a 🌶️ HOT 🌶️ topic these days due to the relentless torrent of data breaches happening globally. While privacy and security are two different things, they often overlap and definitely collide when personal data is leaked due to a vulnerability or misconfiguration. We’re going to focus on some simple data privacy principles and why minimizing the amount of data you collect could be one of the best privacy strategies.
| What | Start | Next |
|---|---|---|
| Data privacy | Private by design | GDPR |
| Data minimization | Data map | Automate data mapping and discovery |
Private by Design is a process for embedding good privacy practices into the product design with technology, business processes, and technical infrastructure. This means being aware of privacy in your product lifecycle and building appropriate security measures to prevent data leaks and breaches throughout all areas of the business.
A great write-up can be found on the Information and Privacy Commissioner of Ontario Canada’s website.
- Proactive not reactive - anticipate poor privacy practices before they become problems
- Privacy as the default setting - if an individual does nothing, their privacy remains intact
- Privacy embedded into design - privacy becomes an essential component and isn’t bolted on after the fact
- Full functionality - use modern and creative approaches to legitimate interests and privacy at the same time
- End-to-end security - protect the data through its entire lifecycle
- Visibility and transparency - trust, but verify
- Respect for user privacy - keep the interests of the individual top of mind
These seven principles seem like a reasonable list of things to consider when building a new product feature. And with privacy being in the news a lot these days, building in proactive privacy processes and sharing what you do with those processes with your customers may end up being good marketing.
Basics to get started?
Reference those 7 privacy principles when brainstorming new features or major changes. This all comes down to how you manage change, whether that’s through project plans, one-pagers, AGILE, or whatever. It’s always easier to plan in requirements at the design stages rather than bolt on after going live. It’s no different with privacy.
What’s next?
Refer to your country’s information commissioner for your local privacy requirements. But let’s be practical. The GDPR is the de facto standard that everyone is trying to match. Use the GDPR as a benchmark for building positive privacy practices into your business and product. A useful resource to get started is the GDPR-Info website where they discuss the GDPR Key Issues that affect most companies and include topics like consent, email marketing, and privacy impact assessments.
What does Kinde do?
One of the six product principles here at Kinde is “Private by design”. Discussions about new features and changes don’t just include how to secure our customer data, but also on how to maintain the privacy of personal data we store on behalf of our customers. We used the GDPR Key Issues list to self-audit existing practices. And to round it out, we engaged with a UK-based privacy-focused law firm called Ethiqs Legal to help us draft a privacy notice and provide guidance on where to go next.
One key consideration with privacy is the amount of data that companies are collecting on their customers and users. By collecting as much as possible, you’re giving yourself a chance to find a way to productize that data. However, lots of that data is collected without actually knowing why it was collected and for how long to keep it.
A recent data breach with the Australian telco Optus brought up more conversations asking why many companies are hoarding so much personal data for effectively forever on both current and former customers. Local regulations may require a company to maintain certain information on its customers and users, but these need to be understood to ensure that you’re only capturing and keeping what’s needed.
In the same spirit as an earlier article about minimizing your attack surface, taking steps to minimize the amount of personal data will make it easier to track and protect.
Basics to get started?
Start by taking an inventory of all the personal data you’re collecting. Since Kinde has business entities in Australia and the UK, we’ll reference the personal and sensitive data definitions from the UK ICO and the Australian OAIC.
Chat with your product experts about the expected data being collected, run through a customer sign-up with a test user, or work with engineering to map out database fields. There are lots of places internally that will quickly give you an idea of where the data is being stored and used.
Something as simple as a spreadsheet or internal wiki page is a great start to capture things like:
- Personal and sensitive data - Name, email, postal address, phone number, health information, financial details, etc
- Where it came from - Did you collect it from a form field, part of a signup process, sent from a third party, etc
- Where it’s being stored - Production database, a spreadsheet, customer management tool, etc
- Why you’re storing it - Do you need it for legal reasons, to facilitate a service you’re selling, part of your product, etc
- What security measures are used - Encrypting the database at rest, strict access controls, no direct public internet access, etc
- Who are you sharing it with - Is the personal data being shared with other partners, suppliers, or agencies
- Retention - How long do you need to keep it for
This will help build out what’s known as a report on processing activities or a ROPA.
What’s next?
With anything in technology that’s rapidly changing, there are a lot of new companies out there that specialize in finding data in your environment and categorizing it. At last check, there were 98 vendors listed on G2 for the Data Privacy Management Software category! The key benefit here is that these tools are designed to find data that has been long forgotten, highlight processes that are capturing a lot more data than anyone realized, and then inventory it all for your review.
What does Kinde do?
We conducted interviews with department leads to figure out what business activities they managed that would collect personal data, such as marketing calls to action, customer support interactions, or product registrations. The interviews had a wide scope and covered not only users’ personal data, but also employees and customers with activities like payroll and invoicing. This all fed into a massive Notion database page called the Privacy data map with the final output being our own version of a ROPA.