Accelerating digital road maps by seven to 10 years likely left you with some things to review from a security perspective. Please check out the first post in this series for what you might need to review to securely support your remote or hybrid workforce, as well as a checklist for consumer-facing apps.
Security isn’t the only thing that can get overlooked when we go fast. As well as implementing technical protections — we also need to understand what and how the data and how impacts the humans that use technology. This is where privacy comes in. Privacy is having a critical global impact on software development because consumers, businesses, and governments are demanding that technology operates in a way that complies with legislation like GDPR (General Data Privacy Regulation), CPRA (California Public Records Act), APPI (Act on the Protection of Personal Information), and LGPD (Lei Geral de Proteção de Dados Pessoais). This is an opportunity to rethink exactly what and how much data is collected, how it’s used, and who gets to see it. It’s a turning point where individuals are no longer blithely accepting that massive amounts of data about them are being created, shared, and used.
At Auth0, I regularly collaborate with our vice president of privacy, Lucy McGrath, and she is a part of my organization. For this series, I asked Lucy for her perspective on data privacy mistakes companies can make when they move fast.
An integrated approach is essential for security and privacy. There’s a saying if you want to go fast, go alone, but if you want to go far, go together. This is changing — you can’t protect privacy alone. If you go alone, you won’t go anywhere. “Ultimately, data privacy is about trust,” says Lucy. “And it’s a collaborative effort. You can’t think about security or data governance, or privacy in isolation. You need to work across departments within your organization and also listen to your staff and your consumers/users. From a practical standpoint, you need to work with others even beyond your immediate business — data privacy regulations are changing rapidly —technical solutions are essential in order to scale privacy compliant technology. If you don’t collaborate, you’ll be left behind.”
Lucy’s insights on remote/hybrid workforces and consumer-facing apps can improve your workplace culture and improve your relationships with your customers — and keep you focused on your business rather than dealing with regulators and potentially incurring large fines.
Put Your Focus on the Human
“Probably the most important thing to remember when thinking through data privacy is that you’re delivering a service that impacts humans,” says Lucy. “We can get dazzled by what technology can do, but the technology is really there to help the humans accomplish something. Centering on the human who needs to use or benefit from the technology helps you to focus. — and align with existing and emerging data privacy regulations.”
As always, this information is shared from the perspective of business impact and planning. For how data privacy regulations apply to your specific business situation, please reach out to your legal counsel.
Auth0 recommends you always consult legal counsel for specific advice about compliance with legal requirements.
The workforce mix: remote, hybrid, in office
If your company relies on a globally dispersed workforce (or acquired one during the pandemic), you’re likely dealing with a mix of employees who welcome some office quietly, some still struggling with lockdown requirements, and others who may not expect to see vaccines become available until fall. “As you look at creating or reviewing policies, it’s especially important to remember that there’s a human on the other side of the Zoom screen”, says Lucy. “This is a good time for your HR team to check back in with staff. Circumstances and perspectives have changed for many people as a result of the pandemic. One size definitely will not fit all.”
Understanding that worker privacy rights vary globally, here are some areas to review:
1. How you measure productivity
For organizations used to seeing people in chairs, the shift to Zoom screens caused some anxiety. Interestingly, 75% of 12,000 workers surveyed by BCG in the United States, Germany, and India felt they were able to maintain or increase productivity on individual tasks during the pandemic.
Some of that may have been accomplished by blurring the lines between home and work, says Lucy.
Surveillance technologies like keyloggers, video monitoring, and attention tracking via biometrics have been rising in adoption even before the pandemic. We’re hearing this often says, Lucy: “I like my boss — a lot — but I would find it a bit creepy if she was tracking every word I write, tracking when I popped off to the loo and listening to my family conversations. And it would make it harder to do my job because I would feel unnecessarily surveilled. It’s really important to assess the correct way to protect data and maintain trust with your employees as humans. Especially with workers working from home in potentially cramped situations, you could be gathering data you don’t need and shouldn’t have.
“Workers generally know that emails are subject to company oversight nearly everywhere, but it’s essential to be transparent about monitoring activities across all applications and devices. Transparency also encourages trust and increases the likelihood that individuals will report issues/mistakes they encounter. Tell them about how long you retain the data, and why and be sure to check local rules about internal and external data sharing — they can vary by region and even by state in the United States. It’s important to only keep what you really need to perform a task,” says Lucy.
2. How do you encourage collaboration?
Nearly everyone became Zoom-literate in 2020. Many people were introduced to Slack or other collaboration tools, and some folks also mixed in personal texts. “As great as these technologies are — and I am speaking as someone who enjoys working with a globally distributed workforce — they’re not going to replicate the physical space. From a privacy perspective, some small changes can mean a lot to employees,” says Lucy.
“Some people enjoy having dogs and kids flow in and out of their workplace. Others prefer to keep things separated. Over the last several months, I’ve noticed some colleagues making different choices.”
Things like Zoom backgrounds can protect employee privacy, but only if they know how to use the tools. If you’re using a collaboration tool like Zoom or Slack, document expected uses, alternatives on offer (as applicable) and make sure employees know how to use tools like Zoom backgrounds.
3. Onboarding can protect against data breaches
Normally, we bring our new employees to our Bellevue, Wash. offices for onboarding. This in-person connection brings all kinds of benefits, including protecting data. “Onboarding may seem like an odd place to bring up data privacy, but people are more likely to feel comfortable reporting potential problems or even breaches when they have formed a connection to their colleagues,” says Lucy.
Establishing connections may mean creating social events (likely on Zoom) or connecting employees for non-work meetings. We have an app that randomly pairs employees for casual chat sessions we call “donuts.” It’s a surprisingly effective way to establish connection and get to know about the day-to-day work life of far-flung colleagues.
4. Security and Privacy of Customers is Key
“We’ve had workers who used to be home by themselves all day, suddenly have teenaged children pass through meetings on the way to the fridge,” says Lucy. “It’s charming, but it also means that family members might see things they’re not meant to see. You need to recognize that not everyone has the luxury of a room with a door and a lock. Protecting customer security and privacy is key.”
To your security protocols, Lucy would also suggest adding:
- Headphones so you can control what can be overheard (and coaching that awareness with your teams)
- Privacy screens for monitors
- Printed material (and the printer) needs to be kept in a space that remains locked when not in use
Data Privacy Checklist for Consumer-Facing Apps
COVID has brought populations that are used to trust in physical environments online, says Lucy. This is part of why in the UK we’re seeing increase in delivery text phishing scams where additional funds are requested for delivery. Many of these ploys play on user trust and the expectation that information is being shared securely. We’ll get deeper into how consumers are demanding a secure and contextual private experience in the final post. As preparation, here is a data privacy checklist. Please follow up with your legal counsel on your specifics.
- Review what you’ve got and why you’ve got it and how you’re getting it. It’s not uncommon for apps to gather more information than is necessary to do the job. You need to know what data you have and why you’re collecting it as well how it’s stored to comply with regulations — and to know how to safeguard your customers’ data. This includes third-party vendors and your marketing teams.
- Make sure your code only collects data you really need. The days of data gluttony are coming to an end. Individuals are rightly fed up with the attitude of “just because you can collect as much data as possible, you do. Ask yourself: do you use all the data you collect? Don’t be afraid to reduce the amount of data you collect when you update your app or add new products. Look for opportunities to innovate by using privacy-enhancing technologies to mask or anonymize, or de-identify data. And safely delete the information you don’t use.
- Know where your customers are and check out the regulations. While the EU’s General Data Privacy Regulation (GDPR) has become the benchmark for data privacy, not every regulation is GDPR. There are differences. Children also often have extra protections. Once you’ve identified where and who your customers are, work closely with your legal counsel to design the right approach.
- Securely delete info and keep a record. Maybe you’re deleting information due to a verified request or because you have data you actually don’t need; either way, you need to keep a record.
- Make sure you have someone responsible for privacy who respects the humans interacting with your app. This stuff is not simple. You need someone who looks after it.
- Look out for service departments or social media complaints. Complaints can show you how the public perceives their data is being used — and identify areas that need your attention.
- Communicate clearly with your users. Users often need to know how to unsubscribe and other rights as part of data privacy regulations.
- Do as you would be done by. Think through how you’d like your data to be treated. That’s a good guideline. But also think about the specific customer base - what’s their perspective and might they require additional protections (e.g., if they are a vulnerable group).
- Consult your legal counsel. Data privacy is a rapidly evolving field. Lawyers really are your friends! Please check in with your legal counsel regularly, and especially if you’re thinking of expanding into a new region.
Learn More about Identity’s Role in Your Data Privacy Strategy
As Lucy says, you can have security without privacy, but you can’t have privacy without security if you’d like to learn more about how a robust identity solution can support your data privacy and security strategies, please reach out to the team at Auth0.
In the final post in the Acceleration Response Series, we’ll look at how creating a long-term plan for security and privacy can help you meet consumers’ demands.
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.