As a software company, there are many components to consider in your Privacy Programme. You have your own employee and personal data to worry about, while simultaneously worrying about information you may have in a hosted environment or cloud solution. You generate information at a rate of knots, and you are (probably) flying by the seat of your agile pants. Kicking off a privacy programme in a software company is adding more overhead to an already lean process, so how do you go about incorporating it in a familiar way? By releasing and managing your privacy programme the way you manage your SDLC.
Building a privacy programme is like building software
The initial slog to get to your first release is a lot of effort, but once it’s released, you enter maintenance. You address bugs, add new features, and enhance existing components. The same applies to your privacy programme. Once you’ve got to release 1, you’re already way ahead.
You’ve got to track issues
Part and parcel of your programme is tracking issues. Depending on just how bootstrapped you are, you could be doing this in a system like Jira or Monday.com, or you could simply be using Excel. While Excel is not ideal (you want a system with many-to-many relationships for risk management), it is at the very least a start and can show that you are actively addressing privacy in the organisation. A key principle of privacy law is “Accountability”, and you demonstrate this through your policies and your issue tracking.
No single component is going to do everything
Much like including a library or component in a build, you’re not likely to find one component that covers every bit of functionality you desire. In privacy, there are many purveyors of snake oil who claim that installing their software or hardware will make you compliant. This is simply not the case. Your compliance journey includes policies, processes, business activities and cultural changes – no software or hardware is going to encompass all of that. “Compliant” is a misnomer, in that compliance is an ongoing journey rather than a state you reach. By all means support your compliance efforts with tools, but be aware that there are many more aspects to privacy than a software package can address.
Take a lean approach
Build. Measure. Learn. Take the approach of a Minimum Viable Product when it comes to privacy. Hit the high-risk items first and get your programme out there. It doesn’t matter if it isn’t perfect; what matters is that you’ve started. Privacy requirements – in particular mapping your activities and data flows – can become a rabbit hole. If you agonise over perfection, you’ll never get the programme out the door. Build a first release. Measure its performance. Learn from your measurements. Add to the build.
Continuous Integration is your friend
As you address privacy and build on your programme, take an approach of continuous integration with the business. Keep privacy rolling and keep working on your programme, releasing it to the business as and when you complete smaller items. A waterfall approach could easily take too long, given that there are only 11.5 months left to comply with the regulation!
Secure by Design and Privacy by Design
You develop your software with security in mind (I hope) and sanitise inputs to avoid SQL injection and the like – you should be designing your business the same way when it comes to privacy. Be aware of the inputs of data that come into the business, decide whether you need to sanitise them (and whether you actually need that information in the first place), and store them in a secure, well-structured manner. Knowing where data comes in and where it is stored goes a long way towards identifying gaps in your processes and methodologies.
Have a Scrum Master (or similar)
You need someone guiding privacy in the organisation, but they don’t need to be doing ALL the work (in fact that is quite dangerous). For mapping processes within a business, you want the teams that are at the coal face to be involved. Your Information Officer (South Africa) or Data Protection Officer (Europe) needs to facilitate the programme, asking the right questions, following up, and creating a privacy culture in the organisation. Privacy is a big space, and delegation is important, as is dedicating time to the programme.
If you’re finding that dedicating time to designing and implementing a programme is difficult, or that legal consultants don’t understand the software environment in practice, give us a shout! Ross G Saunders Consulting offers a number of solutions that can drive your compliance; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.