Mind the Gap
by Ian Oliver, Distinguished Member of Technical Staff, Bell Labs
Finally, a solution to the biggest problem in privacy management!
In London, whenever you take the tube (the subway) you’ll notice a somewhat ominous recorded voice telling you to “mind the gap;” in other words to stay clear of the space between the platform and the train. Otherwise, ouch.
I thought of this the other day when someone asked me what I thought was most challenging for organizations when trying to build (or rebuild) a privacy program. I’m referring to the gap – Ok, let’s call it a chasm – between privacy legal and compliance experts who create policies and procedures, and the architects and engineers who must implement them within products, data management protocols and other activities that are core to doing business today.
To anyone who has worked on either end of a privacy team, the disconnect between those who create the policies and the engineers who must operationalize them is well-known, albeit not often openly discussed. Instead, endless meetings, email threads, and PowerPoint decks go back and forth, in a well-intended, but often futile attempt for these two very different sets of experts to get on the same page. This gap is much more than frustrating and inefficient – it can be costly and even dangerous when it involves protecting the private information of individuals. The damage goes beyond penalties. The business impact (often overlooked in media coverage), is significant. Months or years spent designing and launching products and data mining strategies that are then found to violate privacy regulations are sunk costs that could be avoided – if privacy is designed into products from the outset. And that means lawyers and developers need to communicate.
It’s not like these teams don’t want to talk to or understand each other. They just don’t know how. They speak different languages, and they are focused on different objectives - yet each is held responsible for the successful implementation of a sound privacy strategy that follows the law and will protect a company’s brand.
An old model for a new world
Historically, privacy programs were set up from a legal perspective; understand the regulations, write a policy, hand it off to others to implement and done.
This still-entrenched process was designed for a world that no longer exists. Today, personal data is the currency that drives revenue for most businesses. Understanding how this data is used and protected – and how systems are built to do so effectively – is essential for privacy and legal experts. The days of “we have our privacy policy, so we’re compliant,” are over.
As well they should be. Imagine if an architect only just designed a building, without understanding the engineering required to make that building safe. Rather, an architect designs with structure in mind, visits the building site, collaborates closely with the construction team, and ensures their original vision is implemented in a way that follows all the required regulations. When was the last time you saw a privacy lawyer sitting down with a programmer to understand the technical implementation of a policy? Thankfully, that’s starting to change.
Recently, I was pleased (and admittedly surprised) to see this excerpt from a privacy panel at the RSA Conference 2022. Chief Privacy Officers from some of the giants of tech, including Apple and Google, participated in a keynote panel. This excerpt from coverage of the event perfectly articulates where I believe we are today:
The role of engineers in actualizing the governance of privacy policies and procedures was also addressed in the session. Apple’s Horvath said that deep technical knowledge is critical to privacy, such as understanding databases. “The best friend a privacy person has in a company are security and privacy engineers,” she stated.
Enright concurred, commenting that:
“the privacy engineering function at Google is perhaps the most fundamental when I think about our product strategy. The way things are evolving is about more than meeting the requirements of changing laws.”
-James Coker, Infosecurity Magazine, “RSAC: The Growing Relevance and Challenges of Privacy”
In my mind, this demonstrates an awareness at the highest levels of some organizations that connecting the two ends of the privacy spectrum to manage the tsunami of data that is their bread and butter is imperative. So how exactly, can they do that? Where is the structure and tool that can get them there?
The bridge that closes the gap
Let’s be clear: lawyers are not about to become engineers, and vice-versa. However, each discipline can – and must – be able to see the bigger picture of what they are creating together and be able to collaborate throughout the process. To date, there has not been a practical and accessible way for them to do this.
The solution, in my mind, has always been a tool that is accessible for everyone involved in the process of planning and operationalizing a privacy program efficiently and without ambiguity. I believe Privacy Code and their SaaS platform does that-and in some pretty amazing ways. (Full disclosure: I am an Advisor to Privacy Code and honored to be one.)
There are many things to like about the Privacy Code platform and if you’d like to see how it works firsthand, contact the team. But at a very high level, I like the fact that it gives me a structure in which to operate. It lets me see – as an engineering/technical person – exactly what I need to do, and most importantly, why I am doing it. And it lets everyone move between looking at the project on a developer level and business level. This is so critical. As I said, these two domains see and think differently. But if you can give them a lens, as Privacy Code does, to see the same project through their specific needs, you save an enormous amount of time. And time, as we all know, is money.
There’s another reason that I think Privacy Code is the kind of solution the privacy world has been waiting for: this platform was built by two impressive entrepreneurs who know privacy. They’ve lived it, worked it, and one wrote the definitive book about it. They built something based on their own experiences as corporate executives and product leaders trying to bridge the gap between privacy teams and developers. Which is why it works.
Risk vs. Compliance: The Future of Privacy
I’ll sign off with a note about where I think we’re headed. Privacy regulation, laws and penalties are only going to increase. The use of consumer data for business is going to get more complex. So privacy teams within organizations need to quickly shift their mindset from one of “being compliant” to “managing risk.” This may sound subtle, but it’s actually a profound evolution from where privacy programs have historically been.
The risks and consequences that come with being entrusted with people’s personal data have never been greater, so making sure you have the right teams and the right tools to do so is critical. Once you do, the stress of having to “mind the gap” recedes and you can move forward with confidence.
Dr. Ian Oliver is a Distinguished Member of Technical Staff at Bell Labs working on Trusted and High-integrity Cyber Security applied to 5G and 6G mobile technologies, NFV, Edge and IoT devices with particular emphasis on the safety-critical domains, such as future railway, medical devices and medical systems.
He is the author of the book "Privacy Engineering: A data flow and ontological approach" and hold over 200 patents and academics papers.