
6 Engineering Principles to Prepare You for Any Privacy Regulation

Despite the recent wave of new regulations and shifting consumer expectations, it’s still common for businesses to treat privacy as a bolt-on to appease a collection of ever-changing compliance checklists. However, as CPOs and their teams await the next installation of regulation from governments around the world, it’s already clear that most regulators are interested in far more than ensuring consent and transparency.

They’re looking at the results of abusive or exploitative data practices such as discrimination, deception, and inequality. And although a lot has been written about the anxiety and uncertainty inside even well-intentioned companies attempting to comply with a seemingly moving target, there isn’t enough discussion about the engineering practices CPOs can champion to minimize thrashing for their teams as new protections become law.

Adopt a clean technical framework that scales with change

Messiness caused by poor systems design and operations built over time creates inevitable debt and cascading dysfunction downstream. Demonstrating compliance with any future privacy or data regulation will require an auditable source of truth for data processing so that engineers and lawyers are not forced to make critical decisions on the basis of inaccurate assumptions, or incomplete or misleading information.

The solution? Adopt a core technical framework where privacy controls can be applied to any new or existing system. For example, it should be easy for a developer creating a system to hook into your core personal data deletion process. In environments characterized by continual change, completeness requires dedicated and vigilant systems management. This goes for SaaS data stores too – as teams procure new vendors, these systems should also interface with your data governance workflows.

Strengthen inconsistent or unreliable services

Infrastructure engineers keep important, business-critical systems up and running despite natural disasters, neighboring systems outages, or configuration errors. Outages or poor performance in services responsible for data deletion, logging, or user communications can quickly escalate into compliance violations. Regardless of the specific deliverables required by individual regulations, you need to be confident that your technical systems can reliably enable users to exercise their rights under the law, such as data access and portability requests, data deletion, or opt-out preferences. Systems that privacy procedures depend on should be classified as “Tier 1” by the engineering organization, so that they are covered by the same failover and incident response protocols as other business-critical services. This provides a solid technical foundation for any additional legal requirements that need to be built later on.

Map and classify data

This is a basic requirement for nearly all existing privacy regulations, so you may already be working on developing a strong framework for tracking where and what data you have. However, because this is often a time- and engineering-intensive endeavor, it’s a good idea to leverage as many opportunities as possible to refine, mature, and expand your visibility and understanding of the data that exists inside your organization. Existing privacy regulations and proposed measures all intend to ensure protections and controls for data usage, access, and deletion. This makes data mapping and classification critical for current and future laws moving forward. No matter the final details dictated by law, compliance is only possible when you know exactly what data you have and where it is.
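One way to start building that map, as an added example that is not from the article: walk a schema description, tag each column as personal data when its name or its sample values match a rule, and emit a store → table → column inventory that other privacy processes (access requests, deletion) can consume. The schema, the name hints, and the value patterns below are constructed for the example and would be tuned for a real environment.

```python
"""Added example (not from the article): build a personal-data inventory from
a schema description, tagging columns by name and by sample-value patterns."""
import re
from dataclasses import dataclass, field

# Column-name hints and value patterns that suggest personal data.
# These rules are constructed for the example; tune them for a real schema.
NAME_HINTS = {
    "email": "contact", "phone": "contact", "address": "contact",
    "street": "contact", "postcode": "contact", "zip": "contact",
    "ssn": "government_id", "national_id": "government_id",
    "dob": "identity", "birth": "identity", "first_name": "identity",
    "last_name": "identity", "full_name": "identity",
    "ip": "network_identifier", "ip_address": "network_identifier",
}
VALUE_PATTERNS = {
    "contact": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),   # e-mail address
    "government_id": re.compile(r"^\d{3}-\d{2}-\d{4}$"),             # SSN-shaped
    "network_identifier": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),    # IPv4
}

@dataclass
class ColumnRecord:
    store: str
    table: str
    column: str
    categories: set = field(default_factory=set)
    evidence: list = field(default_factory=list)   # why it was tagged, for auditors

    @property
    def is_personal(self):
        return bool(self.categories)

def classify_column(store, table, column, samples):
    rec = ColumnRecord(store, table, column)
    lowered = column.lower()
    for hint, category in NAME_HINTS.items():
        # Match whole "_"-separated tokens so "ip" does not fire on "description".
        if re.search(rf"(^|_){re.escape(hint)}(_|$)", lowered):
            rec.categories.add(category)
            rec.evidence.append(f"name matches '{hint}'")
    for category, pattern in VALUE_PATTERNS.items():
        hits = sum(1 for s in samples if isinstance(s, str) and pattern.match(s))
        # Value evidence catches columns whose names give nothing away.
        if samples and hits / len(samples) >= 0.5:
            rec.categories.add(category)
            rec.evidence.append(f"{hits}/{len(samples)} sample values look like {category}")
    return rec

def build_inventory(schema):
    """schema: {store: {table: {column: [sample values]}}} -> list of ColumnRecord."""
    return [classify_column(st, tb, col, samples)
            for st, tables in schema.items()
            for tb, cols in tables.items()
            for col, samples in cols.items()]

def personal_data_map(schema):
    """Return {store: {table: [columns]}} for columns that look like personal data."""
    out = {}
    for rec in build_inventory(schema):
        if rec.is_personal:
            out.setdefault(rec.store, {}).setdefault(rec.table, []).append(rec.column)
    return out

# Constructed sample schema: an in-house database plus a SaaS support tool.
SAMPLE_SCHEMA = {
    "orders_db": {
        "customers": {
            "id": [1, 2, 3],
            "email": ["a@example.com", "b@example.org", "c@example.net"],
            "description": ["repeat buyer", "new", "vip"],
        },
        "events": {
            "client_ip": ["10.0.0.5", "192.168.1.9", "10.1.2.3"],
            "page": ["/home", "/cart", "/checkout"],
        },
    },
    "support_saas": {
        "tickets": {
            # name gives no hint; the values do
            "requester_mail": ["x@example.com", "y@example.com", "z@example.com"],
            "subject": ["login issue", "refund", "question"],
        },
    },
}

if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_SCHEMA):
        if rec.is_personal:
            print(rec.store, rec.table, rec.column, sorted(rec.categories), rec.evidence)
```

The evidence list is what makes the inventory defensible: a reviewer can see whether a column was tagged because of its name, its contents, or both, and a column such as `requester_mail` in a vendor system is still caught even though no naming convention applies to it.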

Maintain version control for database schema

Ensure your engineering organization uses the same version control tools for the database schema that it uses for application development, so that all teams have access to the latest version of the database code. Maintaining a single source of truth with a full audit trail for regulatory compliance is critical should you need to remediate or explain any changes that impact user data. This is particularly important for privacy to avoid code clashes or inconsistencies that might break processes for delivering data rights to consumers, such as access to their personal data.

Automate where possible

With production engineering and version control in place, CPOs can look to automate parts of their privacy processes further down the pipeline to make them more reliable. For labor-intensive privacy requirements such as data access or deletion, automation helps reduce manual errors, demonstrates a clear process, and provides an audit trail for customer and regulatory assurance.
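The "hook into the core deletion process" idea from the first principle and the automated, auditable deletion described here fit together in one pattern, shown below as an added example (not the article's code): a central registry that each data store, in-house or SaaS, plugs a deletion handler into, and an orchestrator that runs every handler, never stops early on a failure, and records an audit entry keyed by a hash of the subject identifier. The in-memory stores, the handler names and the simulated warehouse outage are constructed for the example.

```python
"""Added example (not from the article): a central deletion orchestrator that
new systems hook into by registering a handler; every run leaves an audit trail."""
import hashlib
import json
import time
from dataclasses import dataclass

@dataclass
class DeletionOutcome:
    system: str
    status: str          # "deleted", "not_found" or "failed"
    records: int = 0
    detail: str = ""

class DeletionRegistry:
    """Each data store (in-house or SaaS) registers one callable that deletes a subject."""
    def __init__(self):
        self._handlers = {}

    def register(self, system_name):
        def decorator(fn):
            if system_name in self._handlers:
                raise ValueError(f"{system_name} already registered")
            self._handlers[system_name] = fn
            return fn
        return decorator

    def systems(self):
        return sorted(self._handlers)

    def run(self, subject_id, audit_log):
        """Run every handler; never stop early, so the audit trail shows every system."""
        outcomes = []
        for name in self.systems():
            try:
                n = self._handlers[name](subject_id)
                outcome = DeletionOutcome(name, "deleted" if n else "not_found", n)
            except Exception as exc:   # a failing store must not hide other results
                outcome = DeletionOutcome(name, "failed", 0, repr(exc))
            outcomes.append(outcome)
        audit_log.append(audit_entry(subject_id, outcomes))
        return outcomes

def audit_entry(subject_id, outcomes):
    # Record a hash of the subject id so the audit trail is not itself personal data.
    subject_ref = hashlib.sha256(subject_id.encode()).hexdigest()[:16]
    return {
        "subject_ref": subject_ref,
        "ts": time.time(),
        "complete": all(o.status != "failed" for o in outcomes),
        "results": [o.__dict__ for o in outcomes],
    }

def incomplete_systems(outcomes):
    """Systems that need a retry before the request can be closed."""
    return [o.system for o in outcomes if o.status == "failed"]

# --- constructed in-memory stores standing in for real databases and vendors ---
ORDERS = {"u-42": [{"id": 1}, {"id": 7}], "u-99": [{"id": 3}]}
SUPPORT_TICKETS = {"u-42": [{"ticket": "T-1"}]}
registry = DeletionRegistry()

@registry.register("orders_db")
def delete_orders(subject_id):
    return len(ORDERS.pop(subject_id, []))

@registry.register("support_saas")
def delete_tickets(subject_id):
    return len(SUPPORT_TICKETS.pop(subject_id, []))

@registry.register("analytics_warehouse")
def delete_analytics(subject_id):
    raise ConnectionError("warehouse unreachable")   # simulated outage

def delete_subject(subject_id, audit_log=None):
    audit_log = audit_log if audit_log is not None else []
    outcomes = registry.run(subject_id, audit_log)
    return outcomes, audit_log

if __name__ == "__main__":
    outcomes, log = delete_subject("u-42")
    print(json.dumps(log[-1], indent=2, default=str))
    print("retry needed for:", incomplete_systems(outcomes))
```

A new system is onboarded by adding one `@registry.register(...)` handler; the `complete` flag on the audit entry is false until every registered system reports success, which is the check a compliance reviewer actually wants to see.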

Backup changes

New data privacy and protection requirements also add extra concerns for data backups. For example, given that data should be held for no longer than is necessary, it will need to be removed from backups as well as the original database itself. Backups also need to be protected and managed in a documented, compliant manner. Understanding, refining, and improving the way backups are maintained at your organization in between legislative sessions is certain to pay off for any flavor of privacy or data protection mandate that lands on your plate.
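One widely used way to meet "removed from backups as well" without rewriting every backup is crypto-shredding: encrypt each subject's records under a per-subject key held outside the backup set, and destroy that key when the subject is deleted, so every backup copy becomes unrecoverable. The article does not name this technique; the example below is added here and is not the article's code. The stand-in cipher, the key store and the sample records are constructed for the example; a real deployment would use AES-GCM from a vetted library and a KMS or HSM for the keys.

```python
"""Added example (not from the article): crypto-shredding so deleted subjects
cannot be restored from old backups. Per-subject keys live in a key store that
is not part of the backup set; destroying the key 'deletes' every backup copy."""
import hashlib
import hmac
import os

class IllustrativeCipher:
    """Stand-in for a real AEAD (use AES-GCM from a vetted library in production).
    Keystream = SHA-256(key || nonce || counter); tag = HMAC-SHA256 over nonce + ciphertext."""
    @staticmethod
    def keystream(key, nonce, n):
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    @staticmethod
    def encrypt(key, plaintext):
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, IllustrativeCipher.keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    @staticmethod
    def decrypt(key, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(ct, IllustrativeCipher.keystream(key, nonce, len(ct))))

class KeyStore:
    """Lives outside the backup set (a KMS or HSM in practice); keys are never backed up with data."""
    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        return self._keys.setdefault(subject_id, os.urandom(32))

    def has(self, subject_id):
        return subject_id in self._keys

    def shred(self, subject_id):
        """Destroying the key is the deletion step that reaches every backup."""
        return self._keys.pop(subject_id, None) is not None

class SubjectStore:
    def __init__(self, keys):
        self.keys = keys
        self.rows = {}   # subject_id -> encrypted blob

    def put(self, subject_id, data):
        self.rows[subject_id] = IllustrativeCipher.encrypt(self.keys.key_for(subject_id), data)

    def snapshot(self):
        """A backup copies ciphertext only; the keys are not in it."""
        return dict(self.rows)

    def delete(self, subject_id):
        self.rows.pop(subject_id, None)
        self.keys.shred(subject_id)

def restore_subject(keys, backup, subject_id):
    """Plaintext from a backup, or None if the subject's key has been shredded."""
    if subject_id not in backup or not keys.has(subject_id):
        return None
    return IllustrativeCipher.decrypt(keys.key_for(subject_id), backup[subject_id])

def demo():
    keys = KeyStore()
    store = SubjectStore(keys)
    store.put("u-42", b"alice@example.com")   # constructed sample records
    store.put("u-99", b"bob@example.org")
    backup = store.snapshot()                 # taken before the deletion request
    store.delete("u-42")
    return {
        "u-42": restore_subject(keys, backup, "u-42"),   # None: key is gone
        "u-99": restore_subject(keys, backup, "u-99"),   # still restorable
        "u-42_in_backup": "u-42" in backup,              # ciphertext remains, but is useless
    }

if __name__ == "__main__":
    print(demo())
```

The key store becomes the critical asset: it must itself be highly available (the "Tier 1" point above applies) and its key-destruction events should be logged, because the audit trail for a deletion now consists of the shred record rather than a rewrite of the backup media.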


While uncertainty poses challenges for planning, strong and reliable technical systems – and relationships with the people who manage them – are one of the most important investments businesses can make in reducing friction to compliance as new and urgent regulations emerge from domestic and global markets.