Privacy and security should not be an add-on, an afterthought or an after-breach consideration. In product design and development, they should be built into the core functionality from the start.
Poster: 7 Laws of Identity by Kim Cameron
Development and design should be approached in a holistic, integrative and creative way, moving away from a reactive model to a proactive one.
It is essential that all interests and objectives, including privacy, are documented, and that desired functions are articulated and metrics agreed upon and applied. Reject trade-offs in favour of finding a solution that enables multi-functionality.
Privacy expertise must be available and engaged throughout all phases of the workflow, not only at the development or design stage, bringing an appreciation of client expectations.
As a product manager, consider the following.
During design and development, could we:
- Design reporting features that allow users to be notified of how personal data is being collected by our application, and whether any exceptions to their privacy preferences have occurred;
- Provide simple, easy to understand user interfaces for privacy controls;
- Use privacy-protective default settings;
- Ensure end-to-end protection of personal data;
- Not require social media registration to access the app;
- Not enable sharing by default;
- Include an option to show users their personal data;
- Unbundle or separate consent;
- Include better user-management features;
- Minimise your application’s access to device data; and
- Integrate privacy by design into the development cycle.
As a product team, could we:
- Find ways to educate users about the risks associated with personal data;
- Conduct annual assessments of privacy and security by design in our product;
- Revisit contact forms, sign-up pages and customer-service entry points; and
- Enable the regular deletion of data created through these processes.
At the end of engagement and mothballing, could we:
- Remind users to review and refresh their privacy settings;
- Ensure the contracted retention details are adhered to;
- Allow users to download and delete old data;
- Delete the data of users who have closed their accounts; and
- Delete all user data when the app’s life comes to an end.
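Several of the items above (privacy-protective defaults, sharing off by default, unbundled consent, an exceptions report for the user, and deleting data of closed accounts once the contracted retention period has passed) can be expressed directly in a product's data model. The following is an added illustration written for this page, not code from any product or project it refers to; the preference names, purposes and retention period are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example: privacy-protective defaults with unbundled consent.
# Every optional data use is off until the user opts in, one flag per purpose,
# so accepting one purpose never implies accepting another (assumed field names).
@dataclass
class PrivacyPrefs:
    share_by_default: bool = False     # sharing is off unless the user enables it
    analytics_consent: bool = False    # kept separate from marketing consent
    marketing_consent: bool = False
    device_contacts: bool = False      # minimise access to device data
    device_location: bool = False

# Each collection purpose depends on exactly one preference (assumed mapping)
PURPOSE_TO_PREF = {
    "analytics": "analytics_consent",
    "marketing": "marketing_consent",
    "contacts": "device_contacts",
    "location": "device_location",
    "sharing": "share_by_default",
}

def collection_exceptions(prefs: PrivacyPrefs, collected: list) -> list:
    """Return purposes for which data was collected without matching consent.
    This is the input to the user-facing report of exceptions to their preferences."""
    exceptions = []
    for purpose in collected:
        pref = PURPOSE_TO_PREF.get(purpose)
        # A purpose with no consent path at all is also an exception
        if pref is None or not getattr(prefs, pref):
            exceptions.append(purpose)
    return exceptions

@dataclass
class Account:
    user_id: str
    closed_at: Optional[datetime]      # None while the account is still open
    data: dict = field(default_factory=dict)

def retention_sweep(accounts: list, retention: timedelta, now: datetime) -> list:
    """Delete the data of accounts closed for at least the contracted retention
    period; returns the affected user ids so the deletion can be audit-logged."""
    deleted = []
    for acct in accounts:
        if acct.closed_at is not None and now - acct.closed_at >= retention:
            acct.data.clear()
            deleted.append(acct.user_id)
    return deleted
```

Running the sweep on a schedule, and the exceptions check at every collection point, turns the checklist items into behaviour that can be tested rather than policy that is merely stated.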
Further reading illustrating privacy embedded in design: