How To Embed Data Protection Principles in the Application Development Process

The pace of digitization over the past two years has accelerated due to organizational needs driven by the ongoing pandemic. And that has meant that there's an ever-increasing flow of data now passing through digital channels that nobody anticipated. And for developers, it has spotlighted the importance of implementing clear data protection standards in everything they do.

But for developers who've never written software that requires a careful approach to data protection, it's not always obvious how to convert best practices into development standards. To help those who lack experience with embedding data protection standards into their development process, here's a guide to what they need to do.

Understanding Privacy by Design

To create a software development process that considers data protection every step of the way, it's first important to understand the concept of privacy by design. It's a concept developed by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada. She suggested a set of seven foundational principles that — when adhered to — lead to products that include privacy by design. Those principles include:

• Taking a proactive and preventative approach to data protection
• Making privacy a default setting through UX design choices
• Embedding privacy into products by making it central to its function, rather than as an add-on
• Embracing the philosophy of positive-sum design
• Building security features for the entire data lifecycle
• Including transparency to shed light on data handling procedures
• Making privacy-related decisions user-centric

But it's important to recognize that principles aren't actions — and it's all too easy to stray from these principles during the development process. To avoid that, you need to include some checks and balances that will help keep your software development workflow on track and in line with them. And here's how to do it.

Perform Data Privacy Impact Assessments Early in Development

As any developer familiar with the EU's GDPR can tell you, data privacy impact assessments (DPIAs) serve as valuable roadmaps to keep data protection front and center. But for developers who've never had to deal with developing software or systems subject to the GDPR, they may be unfamiliar. A DPIA, in a nutshell, is a process designed to identify the types of data your software will process and to seek data protection solutions for them.

In other words, it's a deliberate breakpoint that forces you to think through the privacy implications of what you're building before you build it. Then, you can make design choices that avoid or minimize any risks to the data you're working with. And according to IBM, embedding a DPIA early on in your development process will help to solve data protection issues before they're baked into your design.

Make Data Minimization the Default

It's also a good idea to add a procedure in the development process that evaluates the scope of the data your application needs access to. The purpose of that evaluation should be to arrive at a development plan that achieves data minimization. In practice, this means looking for ways to build your software while using the absolute least amount of sensitive data that you can. That will decrease your application's attack surface and give you fewer things to harden in your code.

This is especially critical when you're designing any application that will handle personally identifiable information (PII). Data minimization is a key part of operationalizing the principle of taking a proactive and preventative approach to data protection in your design. And where PII is concerned, you must consider how your application would fare in the event of a successful breach. It's easier to eliminate sensitive data at the design phase than to rely on identity theft prevention measures after the fact.

Consider the Data Lifecycle

As developers, it's easy to focus on functionality and lose track of the bigger picture involved in what you're building. And that's a habit that's incompatible with putting data protection first. That's because data protection doesn't always end with your own code. It extends to everything that will eventually interact with it, too.

So, for example, if you're building software that's going to pull data from outside sources, you must consider how and where the data comes from, and what your code will do when it finishes with the data it uses. That often means building limitations on storage and functionality to purge data after use so it can't be retrieved. And in the case of user-facing features, it often means giving those users the ability to trigger those purge functions themselves if they need (or want) to.

Data Protection From the Ground Up

The bottom line here is that developing software and systems that handle data responsibly and keep it safe from unauthorized actors is something that must begin at the earliest stages of development. Otherwise, developers end up forever chasing vulnerabilities and looking for complex solutions to data security problems that could've been avoided.

But the good news is that altering the development process to put data protection first isn't hard. And by doing it, every developer will contribute in some small way to enhancing user privacy and creating a safer digital world for all. At a time when society's reliance on digital channels is continuing to increase, that's a goal that developers the world over should share.