HP Transforms Privacy Management with Real-Time Data Monitoring from Privado.ai

With Privado.ai’s privacy code scanning solution, HP gained real-time personal data visibility, identified previously “dark” privacy risks, automated portions of their privacy reviews, and embedded privacy checks into their engineering pipelines.

About HP

HP Inc. is a leading American multinational information technology company headquartered in Palo Alto, California. With a rich history spanning over 80 years, HP has consistently driven innovation and made significant contributions to the technology industry. The company offers a diverse portfolio of products and services, including personal computers, printers, and 3D printing solutions. HP is committed to making the world a better place through its efforts in climate action, human rights, and digital equity. By leveraging advanced analytics and artificial intelligence, HP continues to enhance its offerings and maintain its position as a technology titan. With over 100 million internet connected HP devices in the hands of users across 170 countries, HP needs privacy controls that scale with their technology and their business.

The Challenge: Scaling Privacy in a Fast-Moving Tech Landscape

With decades of leadership experience across audit, cyber, and privacy roles, Aaron Weller knows that manual privacy or security controls are not scalable or sustainable.

Leading HP’s Privacy Innovation & Assurance Center of Excellence, part of Aaron’s remit is to identify opportunities to implement automated controls that provide direct assurance that personal data is being used according to HP’s privacy notice and applicable regulations.

Manual privacy reviews cannot capture all privacy risk

HP employs a rigorous privacy review process to document data flows and assess privacy risks when significant updates are made to their software products and data flows. Despite having strict privacy standards and a rigorous review process, the privacy team did not have an automated way to validate responses in privacy review questionnaires from product stakeholders. The prior process required the creation of artifacts such as data flow diagrams to facilitate reviews and often a lot of back-and-forth to gain a complete understanding. Additionally, there was a concern that these lengthy manual privacy reviews quickly become out-of-date as many software products are updated on a very frequent basis.

“If we're using outdated information to assess privacy risk, we may think that we’re compliant, but in reality, we could have gaps in our understanding.” said Weller.

To shine the light on previously “dark” privacy risks, Aaron’s privacy engineering team needed up-to-date visibility for how personal data elements are collected, used, shared, and stored across HP’s user-facing products, backend software, and third parties.

In short, HP risked privacy violations from unknown personal data processing.

Without this level of visibility, Weller had concerns that they could not fully determine whether they were adhering to their privacy policy which could have put them at risk of an inadvertent privacy violation.

In particular, Weller wanted automated controls to identify the following specific risks:

1. Data sharing with a third party not under contract with HP
2. Sharing of data elements beyond what was specified in a third party’s contract
3. Sharing data without proper consent
4. Overcollection of data not relevant to business objectives

“We need privacy controls based on evidence. As privacy enforcement continues to increase, companies cannot rely on manual controls that don’t move at the speed of business. Privacy teams need automated and scalable controls to provide ongoing assurance, and which allow our teams to focus on the more complex and harder to automate control areas.”

To mitigate risk at scale, engineers needed enablement to code with privacy in mind.

Beyond monitoring personal data flows and privacy risks, the HP team sought to scale privacy risk mitigation by building software products that provide privacy by default. In an organization as large, complex and fast-moving as HP, it wasn’t scalable to continuously monitor risk and remediate it. HP wanted a solution that enabled engineers to code with privacy in mind and minimize personal data processing from the start. Achieving this goal would require a multi-pronged approach, including tooling, additional education, and executive support.

The Solution: Automating Privacy with Privado.ai

“Privado.ai’s evidence-based privacy solution fits with our philosophy that we need to prove the things we say we do in our privacy policies. Privado.ai provides visibility of what's really going on with personal data across our tech stack, as well as automates some of our more manual process controls, such as elements of privacy reviews.”

HP decided to validate Privado.ai’s value by first using their privacy code scanning solution to identify data flows and the specific data elements that they contain and identify privacy risk across a subset of their code repositories, focusing on the code for user account management across their website and apps.

Privado.ai discovers personal data flows by scanning code

By integrating with HP’s Continuous Integration and Continuous Delivery (CI/CD) pipeline management tooling, Privado.ai was able to build a full inventory of all personal data and third parties for the initial applications selected by HP for their proof of concept.

Within days, the HP team could look at each personal data element processed in HP’s data taxonomy. Additionally, they could see how each data element flowed from its collection point to third parties and internal storage destinations.

HP engineers were able to quickly validate the findings because Privado.ai links each instance of data processing to the exact line(s) of code responsible.

Risk discovery workflows identify drift from HP’s privacy policies

Aaron’s team selected from Privado.ai’s pre-built risk discovery workflows and built some of their own based on two of HP’s privacy policies and the risks the team wanted to prioritize. For example, if any data elements that HP classifies as sensitive were shared with third parties, Privado.ai would create a risk for each instance and link it to the exact code causing the risk.

Additionally, HP integrated privacy code scans into their overall code quality assurance process to provide continuous visibility and governance. Each time a pipeline is executed, a code scan will be triggered that updates data maps in Privado.ai, alerts the relevant engineering team of any new personal data elements or third parties, and creates risks according to their risk discovery workflows.

Engineers receive privacy guidance as they code

When new build pipelines are run, privacy code scans are triggered, and both the privacy team and engineers can be notified of privacy risks identified by Privado.ai.

Via Privado.ai’s integration with HP’s CI/CD solutions, engineers can be notified when they submit code containing a privacy risk. The risk alert specifies which code is violating which privacy requirement, so that the engineer can resolve the issue without anyone else getting involved.

The Impact: Enhanced Visibility, Reduced Risk, and Empowered Engineers

“Privado.ai gave us a new understanding of personal data flows internal and external to HP.” - Carl Mathis, Privacy Architect at HP

Leveraging the outputs provided by Privado.ai, the privacy team’s engineering stakeholders were able to easily validate the data maps produced from scanning the initial set of applications. The resulting data maps also identified new personal data elements not previously surfaced from past privacy reviews as differences are identified between multiple scans over time.

“The data visibility produced by Privado.ai provides several benefits for privacy teams. Not only does Privado.ai ensure that we have a complete and up-to-date view of our code-related risk profile, but Privado.ai also provides the evidence we need to engineer remediation plans.” - Aaron Weller, Privacy Innovation & Assurance Leader at HP

Time saved from manual privacy reviews

With Privado.ai’s capabilities to auto-populate privacy reviews with how personal data is collected, used, shared, and stored, HP expects to save amounts of time on privacy reviews, both for the reviewers and the teams being reviewed.

Privacy by default practices embedded into coding process

“By integrating Privado.ai’s privacy checks in our developer tools, engineers have become more critical about the personal data processed in their code and have started to apply more privacy by default principles. Since implementing Privado.ai, engineers have even begun asking our privacy team how they can further reduce privacy risk.” - Carl Mathis, Privacy Architect at HP

What’s Next for HP and Privado.ai

In just a few months, HP has dramatically increased personal data visibility and started addressing newly surfaced privacy risks.

Having piloted privacy code scanning on a subset of HP’s applications, Aaron’s team plans to roll out privacy code scanning across all HP internally developed applications over the next few months.

Additionally, HP has started to pilot Privado.ai’s Web Auditor and App Auditor to scan their websites and mobile apps for privacy risks. By simulating user behavior for each consent action, Privado.ai can identify data flows or third parties that do not properly honor consent according to privacy requirements in each location.

Shifting to evidence-based controls that scale, HP is no longer constrained by manual processes. They can now proactively get ahead of privacy risks as soon as code is written, instead of waiting to be engaged when teams are trying to launch.