written by Chris Handman, Co-founder & COO
If we’re honest about where we’re at today, many companies have a privacy problem. And it’s easy to understand why. As I mentioned in our first blog post of this series, for too long privacy hasn’t been considered or consulted in the pre-deployment phase of product development. Instead, privacy is shunted off to a reactive silo, often consulted late — if at all — when the business launches new initiatives.
The good news: For businesses that want to compete in today’s marketplace, privacy’s lonely isolation isn’t sustainable anymore. That’s because much has changed in the last five years. For example, Europe passed the GDPR. The FTC has continued to hand down record-breaking fines against companies for privacy missteps. And five states have adopted their own sprawling privacy laws in just the last four years.
The pressure is on.
It’s a pressure I’m familiar with. In 2014, Snap (now Snapchat) hired me as its first general counsel to guide it through (among other things) a recent consent decree with the FTC, which required Snap to operationalize a privacy-by-design program, as well as endure 20 years of FTC audits.
It’s hard to overstate how effective an FTC consent decree can be at focusing the mind. My colleagues and I went to work fast and hard, and we slept very little. But having had time and space from it, I can say we also gained insights we probably wouldn’t have had outside of that pressure-cooker environment.
For Snap to make it in the long term, it had to reframe privacy’s importance by moving it from its historic reactive silo to an early-and-often, pre-deployment collaboration with product teams and engineers. At the time, it felt like a Herculean task. Sure we had top-down support thanks to the crushing pressure of a consent decree. But privacy by design had always been an academic idea, and suddenly we had to operationalize it.
And to up the degree of difficulty, Snap was shipping new, innovative features at a dizzying clip. Coming up with a privacy program that sussed out risk but bottlenecked the pace of innovation wasn’t an option. We needed to find a way to harmonize both rigor and speed. But back then, the only playbooks that existed were written for massive companies with lumbering product life cycles. No one had written the playbook for how to build privacy into fast-moving agile development.
So we had to write the playbook from scratch. We had spreadsheets, we had binders, and we had questions.
Today, SaaS products have gifted us more sophisticated ways to build products with privacy at the fore. In fact, I co-founded TerraTrue to do just that. But the purpose of this blog series isn’t to sell you our product, it’s to invite you to a movement.
To move, we have to nudge our companies to shift our function to the earlier stages of deployment. And there are ways to do that without causing confusion or discontent.
Learn how to roll out pre-deployment privacy
Here’s where I’d start.
Make small changes, grow them later
It can feel overwhelming to build an effective privacy program from zero. But you don’t have to build Rome in a day. You’ve got to walk before you run. You can’t boil the ocean. Whatever your chosen metaphor, there’s real truth in these cliches.
So start small. Take a pragmatic and measured view of where your organization is at, and know that your plan doesn’t have to be absolutely pitch-perfect from the get-go. Plus, being comfortable with a little bit of ambiguity early on will allow you to iterate later.
Focus on established essential core components you’ve deemed key to your program’s success. Once you plant those foundational seeds and the program starts to work, the long-term vision will unveil itself organically.
Establish allies and start talking
Once you’ve established priorities, you should start evangelizing your plan with key allies. Focus on reaching out to the strategic teams that must be involved and meet them where they’re at. If you show up fist-waving with a top-down declaration, you risk alienating key champions. Frequent communication will be key to building this program, and though some might anticipate grumbles at the thought, I found it inevitably built a sense of morale that hadn’t existed before. We learned each others’ pain points, we found common ground, and we moved forward in sync.
Find the right meeting place
In addition to identifying allies, you might consider implementing a virtual space for strategic teams to interact as you plan, build, and deploy products.
At Snap, for example, we hewed to an agile development regimen, producing feature-rich deployments every two weeks. Just having visibility into that roadmap and knowing what was shipping each sprint was one of the biggest hurdles we knew we had to clear. So we built a launch calendar to give each relevant function, privacy included, visibility on the build from the ideation through implementation.
This was nearly a decade ago, before today’s automation tools that make collaboration seamless. Back then, our desktops were decorated in spreadsheets and a glorious mess of open tabs.
But we had to sift through the mess to get a look at what we were dealing with and establish a system to interact with product teams early. Having visibility into what we faced as a new product or feature came down the proverbial pike changed everything. The privacy team no longer felt sandbagged and frustrated just before a product shipped because we walked right alongside its build with the product and engineering teams. We identified concerns while there was still time to make edits, and that made everyone’s lives easier.
Iterate as you go
As you move and experiment, ask teams for feedback on what’s going well and what’s not. As your program changes take shape, you can start to fine-tune and optimize for your desired end result.
Think of the Shift Left process as a grassroots movement. It requires active participation from disparate corners of the organization. But you all share a desire for the same outcome: Great products that make your customers happy and keep the regulators away.
The sooner we Shift Left, the more likely that is.
In the next blog post in this series, we’ll talk about potential pitfalls as you operationalize these early steps and stages.
About the author:
Chris Handman
Co-Founder & COO
LinkedInBefore co-founding TerraTrue, Chris was the first General Counsel at Snap, where he built the company’s legal, compliance, public policy, and law-enforcement teams. During his time there, Chris developed a transformative privacy program that coupled rigorous review with tools and systems that were nimble enough not to restrain the relentless pace of execution. Chris is a Homeland Security Project fellow at Harvard’s Belfer Center for Science and International Affairs. And he’s constructed two crossword puzzles that have been published in the New York Times (one of which was featured on the Colbert Report). He graduated from Yale Law School.