When some people talk about “privacy by design,” they mean inviting someone with the word “privacy” in their title to sit in on a product meeting.
But building privacy into system design, operation, and management must begin earlier than that.
Otherwise, businesses are heading for regulatory cuts.
“If companies don’t get into the code, they’re missing out on a lot of what’s going on with the data in their organization,” said Peter Swire, a law professor under Presidents Clinton and Obama and a former White House privacy chief, who is consulting for Privya, a small, early-stage privacy technology startup.
Better security than you know
Privya, which came out of stealth mode in August with $6 million in seed funding, has an AI-powered scanner that examines the company’s software source code before it goes into production to check for data protection issues.
The scanner automatically processes the flow of personal data and identifies where it is collected, how it is used, and where and how it is stored, including whether third parties have access to it.
“If you don’t de-risk from the get-go and wait until everything goes into production, that’s not stealth by design,” says Privya founder Uzi Haddad. “At that point, a company is already exposed.”
But companies can use the technology to scan existing code and look for vulnerabilities.
When the Privya scanner encounters a problem, it integrates with project management solutions including Jira and Azure DevOps to automatically create a ticket to escalate to the customer’s engineering team.
Less technical people like board members or data protection officers can run more advanced reports and view dashboards that summarize Privya’s findings.
Putting ‘AI’ in privacy
Automation is the lynchpin of Privya’s process.
Without it, compliance becomes complicated very quickly, Swire said, noting that compliance is about more than just following rules.
As a result, platforms (hey, Apple) are undergoing privacy-related changes that have a rapid and profound impact on how companies operate.
“As requirements change, companies need to know which of their existing practices they can or cannot continue,” Swire said. “And if you have a deep understanding of your code base, you’re in a better position to do that.”
It’s also good law – and a requirement under certain privacy regulations, including the GDPR in Europe – for companies to record the personal data they process and keep a record of that activity.
But doing that manually introduces the potential for human error and makes it difficult to demonstrate compliance quickly if an inspector comes knocking.
“There’s a lot of risk involved in staying on track,” Swire said.
Swire’s POV
And Swire knows what he’s talking about. His privacy credentials are well established.
In addition to his past work with the White House, he is a professor of law and ethics at Georgia Tech, a senior fellow at the Future of Privacy Forum, director of research at the Transboundary Data Forum, and senior counsel at Alston & Bird’s Privacy, Cyber and Data Strategy Group.
(And Swire was one of the toiling foot soldiers in the ill-fated pit as co-chair of the W3C’s Monitoring Protection Working Group between 2012 and 2013.)
Although the privacy tech space is growing — the International Association of Privacy Professionals reported a 777% increase in the number of new privacy tech vendors since 2017 — Privya is the only privacy tech startup that Swire recommends.
He was attracted to the company because it “illustrates what we call a ‘left shift’ in privacy,” said Swire, which involves being proactive and eliminating problems before they happen.
Because it is impossible to avoid scrutiny from politicians or platforms.
President Joe Biden said in his State of the Union address in February that Apple does not support data privacy, particularly AppTrackingTransparency, browsers are becoming more aggressive about blocking cookies, and there will be five separate government privacy laws throughout the US by the end of 2023.
Although chief privacy officers and attorneys help guide a company’s approach to privacy compliance, privacy management is increasingly an engineering issue.
“Lawyers cannot handle the complexity of data flow on their own,” Swire said. “It takes software and engineering to provide any assurance that privacy is being built into performance.”