Software Development and Data Privacy Challenges
DATA PRIVACY AS A NECESSARY PART OF THE SOFTWARE DEVELOPMENT
Personal information can be used in many different ways. However, nowadays a large scale of data is processed automatically through softwares, reason why the way softwares use personal information has become the most common way, specially in businesses’ daily routine.
Thus, at GetGlobal International we believe that applying data privacy management technics in software development is essential to help building a data privacy culture in todays society. Software engineers and data privacy consultants have become essential privacy practitioners, one being responsible for shaping the way most companies uses personal information and the other for helping the companies to manage the way they use personal information, compliant with the regulations.
Most software engineers already believe that privacy operations constitute an important part of their job, and a better understanding of how to manage the use of personal information compliant with the regulation through the Software Development Lifecycle (SDL) is the best way to truly solve today’s biggest privacy challenges.
The data privacy culture needs to be shaped and, at this point of time, software companies need specialized data protection consultancy to comply with global privacy regulations.
However, data privacy is an on-going process and the data protection landscape has been shaped, reason why most software developers still has a lack of data privacy knowledge and experience.
We believe that the best way to solve modern privacy challenges is through a privacy-as-code approach. That’s why we’ve created Privacy Proof – a worldly used assessment to test softwares data privacy gaps.
Managing data mapping, data access control, data subject requests, business purposed and data erasure requests are just five of the challenges to be address during a SDL.
Historically, lawyers have been primarily responsible for complying with global privacy laws. Of course, legal teams still play a vital role in creating respectful privacy systems. But data privacy consultants usually have the knowledge and expertise to help software engineers manage and address data privacy issues in existing softwares or in developing new ones.
Data Mapping and Data Discovery softwares, privacy engineering platforms, and PETs (Privacy-enhancement Technologies) are just tools that have limited use, if not operated by specialized data privacy professionals. There is no silver-bullet to solve all data privacy issues in the SDL.
Even though software engineers are adopting more privacy-related responsibilities, we believe that the software development team and product managers should definitely get data privacy expert involved right at the beginning of any project, in order to identify the gaps and manage the privacy matters from scratch.
Regarding the existing softwares, a data privacy retrofit is a must and starts from identifying the software’s privacy gaps through a privacy assessment.
GetGlobal International’s Privacy Proof is a “software data privacy compliance assessment” that tests the software in REAL SITUATIONS, presenting a gap analyses and guidelines to help software companies address the data privacy issues.
DATA MAPPING IS STILL AN ISSUE
During a congressional hearing, Peiter “Mudge” Zatko, a whistleblower from Twitter, explained that no one comprehends the extent of data collected by Twitter or how it should be utilized.
In an article published by the Chief Privacy Officer Magazine, GetGlobal International’ CEO, Marcio Cots, presented the technical reasons why a data mapping and a data discovery software have limited used, when it comes to identifying personal information, under the regulations definition.
Given that the majority of data privacy regulations define the term “Personal Data” as “information that pertains to an identified or identifiable individual,” it is apparent that there exist two distinct contexts.
In the first instance, the data subject is identified with clarity, indicating the person to whom the information pertains. Identification may be achieved through various means, such as the person’s name, identification number, or other unique data. In the second instance, the identification of the person would be accomplished through the correlation of data (identifiable). It is noteworthy that data, which in isolation cannot be deemed personal, as it does not directly refer to the individual.
Therefore, the only feasible alternative would be to utilize standardized identification forms, such as ID, name, etc, for instance.
It is important to mention that the search for data would be limited solely to the first context mentioned above, which is through directly-identifying information (identified data subject). It is not possible to do so when there are multiple data variables needed to contribute to the identification of an individual, such as indirect data (identifiable data subject).
Thus, there is no existing software that would be capable of conducting the necessary research without a highly-developed artificial intelligence environment. This environment would need to be capable of crossing distinct scenarios and determining whether or not the person in question is ‘identifiable.’ Unfortunately, such technology does not yet exist.
It is worth noting that without information that indexes the data to the person, it is not possible to make the identification as proposed by these types of software. As a result, the use of data mapping software has limited use for data privacy compliance.
While it is reasonable to assume that data discovery and data mapping tools have some value, it is important to recognize that they are only auxiliary tools. They can help to identify data, but they should not be relied upon solely for determining the quality of information.
Interviews and questionnaires should also be used to determine and organize databases, not only to identify the existence of personal information, but also to identified the purpose why the data has been collected, which is another privacy obligation, as we will further see.
CONTROL THE REASON WHY YOU ARE USING PERSONAL INFORMATION
In California (CCPA Section 1798.100(b)), a business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to … the purposes for which the categories of personal information shall be used. A business shall not … use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
The FTC has the same understanding and the GDPR does not take a different path.
Therefore, there are two things that need to verified, the tasks executed by the system that uses personal information, and the purposes why it is been used.
Once you have completed the mapping, you will have a Purpose Map for each data type that can be utilized to eliminate any incompatible use of data.
To ensure continuous compliance, it is important to identify new tasks and the use of new personal data types in existing services. As it has been previously mentioned, no software is able to scam all personal information (under de legal definition) and much less, its purpose of use.
SOME APPROACHES TO MANAGE DATA LOCATION
It is imperative that your system adheres to one of the six legal bases outlined by the GDPR in every use of process personal information of a data subject based in Europe.
In the U.S., it is mandatory to obtain “affirmative express consent” before collecting geolocation data through any means.
Simply having controls on collecting geolocation data is not enough, they must be reliable and regularly audited to ensure their effectiveness.
Clearly disclose to users what location data will be collected and how it will be used.
Provide users with the option to opt-out of location data collection and sharing.
Implement appropriate security measures to protect location data from unauthorized access or disclosure.
Only share location data with third parties who have a legitimate need for it and who have agreed to protect the data in accordance with applicable regulations.Monitor third-party use of location data to ensure compliance.
SOME APPROACHES TO MANAGE DATA LOCATION
Regulators in the US and EU have recently taken steps to tighten the rules surrounding the collection and sharing of location data. This information is now classified and treated as sensitive personal data. In the US, the Federal Trade Commission (FTC) has issued guidance on the illegal use and sharing of location data. The main focus of this guidance is to prevent companies from sharing location data with ad brokers, which could potentially harm consumers.
The FTC’s guidance is aimed at protecting consumers from the misuse of their location data. The guidance states that companies must obtain explicit consent from consumers before collecting and sharing their location data. Additionally, companies must provide clear and concise explanations of how the data will be used and shared. The FTC also recommends that companies implement reasonable security measures to protect the data from unauthorized access.
CONCLUSION
Fortunately, proactive privacy is indeed achievable. There are different methodologies and workflows that can assist technical and privacy teams in implementing a Privacy-as-Code approach within their software. Our team at GetGlobal International has developed an specific data privacy compliance test (Privacy Proof) for softwares, helping developers with a suite of privacy analysis that simplify the process of integrating privacy into their code.
Adopting a Privacy-as-Code approach will facilitate compliance with evolving privacy regulations and safeguard users’ data rights for software engineers, legal teams, and organizations. The premise behind Privacy Proof is supported by the convictions of software engineers who are increasingly at the forefront of privacy operations. According to their opinions, GetGlobal International’s proactive approach to incorporating privacy into systems design is the most effective way to definitively address the most pressing privacy challenges of today.
Writen by:
Marcio Cots – Chief Operating Officer
GetGlobal International*
*GetGlobal International is an international consultancy that assists companies aiming to comply with personal data privacy regulations based on constant legislative and market updates. We selected the best and most respected experts in Data Privacy in different regions who are worldly specialists in data privacy, offering the necessary support for your company to fit regulations quietly and safely. GetGlobal’s team has helped hundreds of companies from all sectors. They’ve become a reference in data privacy compliance as a complete and multidisciplinary solution