Kiran Sharma on Shifting Privacy Left

What is your role and how does it relate to ensuring data privacy?

I'm currently working as a senior privacy program manager at snap finance LLC. I was hired to establish the privacy program from the ground up because Snap finance is based in three different regions, the US, the UK, and Costa Rica. And we were trying to establish the program in 2021. And all we had was a privacy policy. So we just had to bring up the entire structure to the program and make sure that the program was established and ran smoothly from there on. 

Tell us about your approach to building privacy programs

To build an effective privacy program, you must first understand what's driving the requirement. Is it the business requirement, is it the regulatory requirement, so identifying the privacy drivers would be the first step to building a program? And once you identify the driver, it could be a regulatory requirement, like new privacy laws are coming or we have a privacy policy. And we need to make sure that we adhere to it. And based on that, you can build a privacy strategy, which would help you to understand the scope of the business regions, regulations, security requirements and as such. And then once you have the strategy, the next step would be to go ahead and get the executive buying. 

‍

For any program to be successful. You need people process and technology. So you need the executive buying to make sure that you have the budget allocated, the resources are in line, everybody understands that it's a requirement that we need to adhere to. And once you have the executive buy-in based on the strategy you have built, the next step is to conduct the privacy impact assessment, understand what's already in place, what you need to do, and how do you need to approach in enhancing what you already have. So conducting a quick gap analysis or a risk assessment and privacy impact assessment will give you an idea of what you need to do. And once you have the results from the assessment, next step is to meet with key stakeholders, and present the risks. Because it's a marathon, right, so you cannot implement the program overnight. So what you need to understand is to identify the top three risks, present them to the key stakeholders and get their buy-in, establish the goals and implementation plans, and then take it from there.

How do you measure and prioritize data privacy risks?

The first thing is, when you conduct a privacy impact assessment, you need to understand the business impact as well. Right. So the first thing is you need to understand what does it mean to make those changes for privacy? And how does it impact your day-to-day business? As well as how does it impact the other regulations that the particular business has to be involved for? So understanding and aligning closely with business risks, such as policy and contract obligations, would definitely help to identify the top three risks, and based on that you can move forward by conducting or, you know, implementing the identified risks and make sure that you mitigate those.

What’s one thing that has surprised you in your data privacy work? 

Privacy is not a new concept, right? So it's been there. Since the Roman Empire, I would say like, first time when there were windows and curtains were invented. So privacy is not a new concept. But implementing privacy in a current-day organization. surprises a lot because everybody understands that, hey, we need to deal with data appropriately. But getting confused with security versus privacy is the biggest surprise that I have ever seen so far. I mean, yeah, I'm encrypting the data and protecting the data, fine, but why are you even using that data? is the biggest question that arises every time I converse with teams. So I mean, just to kind of reiterate right, so as Richard Serra said, if something is free, you are the product. And that's where privacy takes over from data aspects and ensuring that we respect the data the way we want to respect our data.

What are some challenges you have faced and how have you overcome them?

It's always good to make sure that we explain the differences between security and privacy to the team security is more on protection and privacy is on data usage. So it put it putting it in simple terms, privacy is use, and security is protection, right? So that's, that's how you start the conversation. And then basically, from there on, you deviate into: great, we are collecting this data, we are protecting fine, what are we using it for? How are we using it? Where are we using it? And should we really need the Stata? So projecting these questions will definitely put that difference in everybody's mind because that's when people will start thinking, Hey, why are we even collecting this state? Do we really need this data? Can we get away from not collecting this, right? So if we don't need it, don't collect it. 

‍

As I mentioned, privacy is not a new concept. And most of the time, privacy is either legal or reporting the security, and the biggest challenge that privacy professionals or privacy teams face is one of the challenges is here legal agrees that this is how we can move forward or this is what our policy says. So we are good to go from business aspects, and Security says we are protecting the data, right? And you cannot choose one or the other or one over the other. Right. So privacy, as a function, should have the ability to make or help businesses in driving data decisions. So that's where the biggest challenge is making everyone understand that, yes, it's a legal aspect. But still, at the end of the day, if you don't build consumer trust by protecting our by utilizing the data in the way that we are mentioning in our privacy policies, then there are chances that we might lose the business itself, because the digital trust or as they say, is more important for the consumers these days. So some of the challenges we face is explaining the separation of duties from Legal and Security.

What has been your experience engaging technical or developer teams?

When the privacy by design concept was tossed, right? Working with the development teams to make sure that they understand what data is being collected and how they are processing the data. And working with the development teams right at the product development stages is a little bit tough. So shifting left is always helpful in engaging the development teams or the technical teams because once we have already collected the data, now, the only option you have is to protect that data, right? 

‍

So if you shift left a little bit and start talking to these teams at the architecture phase, the design phase, then privacy by design, as a concept, can be implemented by using data minimization techniques and anonymization techniques. Because once you build the product, making the changes is always costly. And the cost goes grows exponentially. So that's where having that concept and making sure that you're aligned with the Agile release trains and, you know, making sure that you're involved as a privacy professional at the design phase will definitely help and training to provide training and awareness to these development teams. 

‍

So that when they are writing the code, they can understand that, hey, if I'm collecting the data, at least let me think about anonymizing it or probably masking the data so that you know I don't display the whole thing or encrypt the data or obfuscate the data in the backend. So some of the concepts will definitely help.

What are some best practices to share or pitfalls to avoid when trying to ensure data privacy?

I mean, one thing I would say is, achieving success in a privacy program is a marathon, it's not a race, you need to be patient, you need to understand the business, you need to make sure that everybody is trained, providing this awareness. Building privacy champions across different verticals in the business will definitely help. Right. So as a security industry, as any other industry, we all face a resource crunch, and make sure that you're not fighting alone, build those privacy champions across the teams so that they can be your voice. And they can enhance the privacy of your product or organization by talking on your behalf, because you cannot be present everywhere in every meeting or every release cycle. So what you can do is by building these privacy champions, you're giving an opportunity for everybody to raise their concerns and make sure that privacy is at the forefront of the technology innovation. So

What predictions do you have for Data Privacy in 2023?

As we have recently seen in the news, like Meta [Facebook] getting fined, many companies, even FTC, are aggressively levying fines. So I would say more privacy and regulatory fines will happen in 2023. Because everybody's trying to understand what these regulations mean. And CCPA has given ample amount of time GDPR has given ample amount of time for people to understand and rectify. So one, I would say privacy, and regulatory fines, watch out for those.

And two, children and healthcare data take center stage because protecting children's data would be the key for any organization, and especially in the online space or internet era that we are in, children have more access to technology these days, having a seven-year-old at home myself, I'm worried what he's watching on an iPad or an on our phone, right? So, when even healthcare data is protected, children's privacy would be the key. So there will be more regulations or more, more regulatory requirements coming up in these aspects.

‍

And the third one would be, as we all heard, you know, keep listening about artificial intelligence. So watch out for the AI dark patterns. That is the third one.

What does Data Privacy Day mean to you?

Last year, what we did was we kind of provided some training are sent out some flyers across. So on privacy day, we usually try to send out these notifications or even the flyers or even some kind of announcement to people to make sure that they understand that we have a privacy policy and what it means to you, and how you protect your data. And in the previous organization, we distributed the cam protectors. So you can just put a sticker around the laptop webcam. Building training and awareness is the key. 

‍

Because that's, that's what makes everybody understand we all know that in the internet space. Once you share it, it's out there forever. Just make sure that you understand the risks of sharing or oversharing the data and your data is gold. And the data drives these days. So, you need to ensure that you're not giving up your privacy just for the technology enhancement or probably just for ease of use.