Privacy Merits Pride of Place
A lot of the way that we approach security can be applied to privacy. [Like] the methodology of ‘Defense in Depth.’ Likewise, with privacy, I think the technology and the process that you put in place can provide the same kind of maximized opportunity for spotting issues…
From the very beginning of project inception, you [need to] think about ‘how do we raise privacy to a first-class concern? How do we get teams that are kicking off a project to think about the data that they are using, why they’re using it, and what they’re doing with it?’
PWC’s Alfonso Serdio agrees that data privacy and data security share a common security and control context and offers that privacy-by-design is becoming a [significant] concept in the market…and it goes hand in hand with security. “At the end of the day,” says Alfonso, “most privacy controls and safeguards rely on data security controls and safeguards: there’s a lot of interaction there.”
For many, privacy is not a design element, but a compliance exercise that is “a drag on the organization. It’s something you have to do, and it is slowing you down.
“In reality, because of the emerging privacy laws and regulations, having the right tools in place and the right processes in place can actually help accelerate innovation and development in your product lines,” says Chris Getner.
Chris Getner, Co-Founder & Chief Solutions Architect, WireWheel; Veteran Cybersecurity & Privacy Director, PWC, Alfonso Serdio; and Ed Peters Senior Director of Architecture, CapitalOne gathered for a panel discussion moderated by Susan Markel, VP of Engineering, WireWheel to discuss the “Top 3 Reasons IT Leaders Need to Make Privacy a Priority.” It is an insightful discussion that makes the case for 1) injecting privacy into product development and other business cycles 2) enabling cross-team collaborations with new metrics to support buy-in and recognize potential values, and 3) privacy, as a design element, is here to stay.
Privacy by Design
Mr. Serdio, who first helped PWC initiate their privacy program — and now helps PWC clients operationalize their data privacy programs — allows that “the first couple of months are going to be a heavy lift to map and to document all the current processing activities and products and services.” But it is worth the effort says Alfonso.
There’s going to be some point where you’re going to…want to try to have security and privacy embedded into every lifecycle like the software development lifecycle [to demonstrate having] privacy controls as part of creating new software, new products, or [new third-party] relationships…
At the end of the day, it is going to be embedded into everything so it’s really, really important to start thinking that privacy-by-design is a concept that will stay with us for a long time.
This is the operational substrate of privacy-by-design, and the emerging field of “data ethics.” Though it is fair to say that not everyone agrees as to the operational requirements, particularly in context of AdTech uses such as third-party tracking (aka cross-context behavioral marketing), and the requirements necessitated by the CCPA and CCPA 2.0. 
“I draw an analogy that security privacy is kind of where security was in the early 2000s,” says Chris.
“It used to be security was the thing you did at the end of deploying whatever you did. Same thing with privacy. You can get to the end and then you realized you shouldn’t have used this data. We didn’t have the right consent. And so, forcing that up the chain wherever possible, is in general, “privacy by design.” This goes beyond just product. It could be the sales cycle, it could be budget approvals, it can be across that entire spectrum.”
Cadence and Collaboration
If you’re thinking about ‘How do I inject privacy by design into my organization?’ you really want to look at what kind of design [you are contemplating]. Are you talking about the overall structure of your business and information flows…? Are you looking at individual projects…[or] inception of a new product line? The cadence at which those activities happen is going to have a big impact on your ability to inject privacy by design.
If you do it once every two years, it’s going to be a different set of concerns and a different process than if it’s an activity that you do on a regular cadence…A lot depends on the scope you’re thinking about.
Ed goes on to note that there are “all kinds of interesting ways to do that prioritization” and relates this to Alfonso’s point about the overlap between privacy and security. Interestingly, Peters sees a place for threat modeling in privacy in much the same way it is deployed in data security analysis.”
“Typically, in security you think a little bit about threat modeling,” says Ed, “and you think about who the actors are [your] most worried about – am I worried about external penetration…am I worried about bad actors internally? From a privacy perspective, you can do a little bit of that thinking as well. What are the privacy risks that I am most worried about? Is it simply a compliance activity? [Or] are there particular use cases I have internally that I’m most worried about?
Regardless of methodology, framework, and approach, all agree that an absolutely non-negotiable criteria of a privacy program if it is to be successful, is collaboration. Collaboration from The Board down, and across the business units from marketing and product development to HR, business strategy, and legal.
Value and Buy-in
The main success [factor of privacy] programs is working as a unit and having sponsorship from the board that says, ‘As a company, we are going to produce a product that is privacy compliant; that supports the privacy concept as a as an entity.’ And it doesn’t matter if its a technology company or a financial system or product.
Every single company and every single industry right now should be looking at what privacy brings to the value of their product and core offering and use that as a differentiator.
“Not all companies have focused their mission or vision statements to talk about privacy, but I think, moving forward, we’re going to start seeing that privacy and security becomes a trend in every industry,” proffers Alfonso.
“When you think about privacy and implementing privacy programs,” asks moderator Susan Markel, “how do you make sure that IT teams stay motivated on something they might consider a checkbox compliance exercise” and may not recognize, or have visibility into the downstream values?
If we get that sponsorship from the board and from upper management. there’s going to be a natural alignment… and some companies [are] attaching that to performance metrics [such as with software development and developing metrics around privacy] that can translate into value for the business because they can start speaking about 98% of our products coming out without any defect on privacy or secure data flows.
[This translates into] positive things for the developer.
There is the enlightened self-interest of career benefits notes Peters. “As a professional developer, I am leveling up the more I learn about topics like security and development, and so, if I have access to training…it’s an opportunity for me to learn and to grow my skill set.
“Likewise, with privacy. [It may be that not] enough organizations realize how much there is to know about privacy.” [Getting] the rest of the organization thinking about it as a way to level themselves up in their own profession, I think that can be a really good tool for motivating a team to really care about privacy.”
Challenges and Advice
For Ed Peters it’s about visibility. “There’s a visibility component that can be really transformational once you get into it because it really helps you understand, not just your privacy exposure, but also other issues. It is not uncommon for large companies to do audits…to find that they have massive amounts of data stored, that is unnecessary and replicated.
“Drilling into those [issues can be] low hanging fruit.”
Alfonso advises that “there is no magic formula…I guess the easiest way is to have [multiple] teams at the same table discussing [privacy] as a product, discussing that as a purpose of processing activity, rather than around the system…”
“Working with different companies on privacy,” Chris Getner finds a tendency to go straight to what they perceive to be “the worst problem from a privacy standpoint: like ‘Oh wow, our HR system has a lot of private information in it so let’s focus there. ‘But you’re a pizza shop. It’s not really your number one thing that you do.’”
He cautions that prioritization is essential. “Focus on…how data relates to that core value proposition and get started there.”
He notes that there is a mistaken tendency of equating privacy with, and only with, personally identifiable information (PII): “It becomes…a blind alley” says Chris. “Oftentimes [when IT teams get challenged] with something on privacy, they equate privacy with PII, and they immediately get into ‘I’m going to search the enterprise for PII’ when that may or may not address any of the issues they potentially have.”
“Start with what is your core business.”
Ed agrees and offers two key observations as guidance: “Privacy really is concerned with the broader set of information it’s not just PII.” And equally important, privacy isn’t just about getting rid of it.
“Privacy is about [answering the question] “are we making ethical use of the data that we have in correlation with the users consent.”
 CCPA is the California Consumer Protection Act of June 2018. The CCPA 2.0 as the California Privacy Rights Act (or CPRA) is colloquially known, goes into effect in January of 2023 but contains a one-year lookback proviso. The CPRA was ballot initiative Proposition 24 which passed in November of 2020.