Basics of Incorporating Privacy By Design into an AppSec Program

A question came up recently about how to begin to incorporate Privacy By Design concepts into an Application Security program. Here are some ideas:

1. If you are not familiar with the original Privacy By Design principles written by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, take a look and use them as the basis for your definition of Privacy by Design.
2. Identify someone with responsibility for privacy and get them added to the product management process (and if you don't already have doing this from a security perspective, add them too!). Add privacy requirements as features/stories to the backlog and have them get prioritised and slotted alongside standard features and security stories.
3. Work with the product management and engineering leads to hold 3-5% of each sprint to be dedicated to security and another 1-3% for privacy tasks that need to be addressed in a timely manner. If not needed, those earmarks can be given back on a sprint-by-spring basis and allocated to other features, but only if no security or privacy work is backlogged. Also, try to have 1 out of every x sprints be dedicated to security and privacy, and have them scattered throughout the year for the bigger ticket privacy (and security) tasks and projects.
4. It's very important to work with the overarching business areas to understand how they want to use the data, both at a broad and detailed level, and do so before it is collected. Use this to set the company's data use ethos early, write it down hold people accountable to align to it.
5. Set up a review board that can be used to have business, legal, security/privacy and marketing (and any other parties you think have a material part in the collection and/or use of data) to discuss and weigh the current and new uses of data and approve and document accordingly. This board should be lightweight to keep data moving, and should involve business leaders at a sufficiently high enough level that they both understand the benefits and can accept the related risks of using data vs. customer sentiment, breach or regulatory violation.
6. Be transparent with users about what you are doing with data. Use simple statements that everyone can understand, and keep legalese out of it. Also use the same transparency with internal colleagues, especially developers and product managers. Ensure that they (and you) always talk the talk, and walk the talk on data use and privacy.
7. Always do what’s good for the user first, and that will translate into outcomes that are good for the company. Trust and confidence come from being upfront and focusing on the user first. This mindset also lets you bring security and privacy into the product as a feature or a tentpole, and stop them from just being seen as a cost center.Privacy is growing with customers, suppliers, huge with users, take that momentum and run with it.  For further information on ways to build privacy into your operational application development program, contact us!