A review of Data Privacy: A Runbook for Engineers
I recently had the pleasure of reading the book Data Privacy: A Runbook for Engineers by Nishant Bhajaria. Data Privacy dives into the complex, legalistic world of how companies collect and process personal consumer data while protecting consumer rights. We're all busy professionals, and it can be tough to decide where to spend our time. Wondering if it's worth the read?
As an engineer who dove headfirst into data privacy in mid-2021, I believe this book is a must-read for anyone who is responsible for the design, architecture, or development of software that collects or processes personal user information. (And in today’s data-centric world, this is most companies!) If you fit this profile, you’re part of your organization’s data privacy “puzzle” and it’s essential for you to understand the value you bring to creating a solution.
Before you commit to picking up the book, read on for my engineer’s take: who will really benefit from reading it, who won’t, and a few important data privacy topics that Bhajaria left out.
Who should read this book?
I believe this book should be read by all the technical roles within an organization that collects and uses personal data for various purposes. However, non-technical professionals including the CIO, CISO, CTO, product managers, and others can benefit as well.
A Synopsis for Non-Technical Readers
For the non-technical audience, Data Privacy is bookended by chapters covering what is data privacy, why you should care about it, determining where you’re at with your data privacy maturity, and how you can scale it as your business grows. The middle of the book gets into the technical details of creating a privacy discipline within the engineering teams. Non-technical readers may feel a little over their head during these chapters, but it will prepare you for the types of conversations that will occur with and between the engineering teams.
A Synopsis for Technical Readers
For the technical audience, Data Privacy provides a framework to guide architects and engineers through the stages of creating a holistic privacy program across an organization. It starts with understanding what information you have, through data discovery; moves on to implementing data access controls that restrict the personal information available for processing to the legal purpose for which it was collected; and finishes with developing a consent management platform to collect user consent.
Who should NOT read this book?
Despite its value for a wide range of professionals, this book isn’t for everyone - yet. Some of the tools, technologies, and architectural concepts Bhajaria discusses may leave someone newer to the engineering discipline finishing the book with a false sense of how data privacy fits within their organization.
Bhajaria paints the picture that there is no one-size-fits-all approach to data privacy, but this false sense of understanding will create an impression that data privacy is black and white, when in reality it’s shades of gray. Speaking from personal experience, such an individual gets frustrated wondering why their organization, and potentially their colleagues, aren’t taking data privacy seriously.
Where Data Privacy: A runbook for engineers fell short
Data Privacy does an excellent job going through the ins and outs of building your own data privacy program within an organization, but there are a few topics where the book falls short.
Build vs. Buy
One of the biggest decisions a team will make relative to their privacy program is whether to build it in-house, or partner with a trusted vendor. Bhajaria provides great instructions on how to construct a data privacy program in-house, and I get the sense the author has a strong affinity towards building an in-house solution. However, I do not believe he goes deep enough into the build or buy decision.
When deciding whether to build or buy a privacy solution, there is one question that will help drive your decision: is privacy a core feature of your product, or is it a business requirement?
As an engineer who was once strongly opposed to buying solutions because we had a very strong engineering team in-house, I can say without a doubt that if it’s not core to your product offering, you should strongly consider an off-the-shelf solution. This is because you want your very competent engineering team working on features that provide value to your customers.
And if data privacy is a core feature of your product, don’t reinvent the wheel where you don’t have to. Look for solutions that can take on some of the core complex components of data privacy, like utilizing Ketch’s permit vault for storing a visitor's consent choices, or a data discovery and classification appliance.
Bhajaria devotes a chapter of the book to discussing consent management platforms (CMPs). While the discussion was good, he missed an opportunity to talk about consent propagation.
Consent propagation is the CMP’s ability to immediately communicate a consumer’s consent decisions (made while on the company website) to the relevant business systems storing the data: first-party data collection and processing tools, as well as third-party services living on the company’s website that collect and process information about the site’s visitors on behalf of the company.
For example: say my organization uses Marketo for marketing automation purposes. Before Marketo can start collecting information, the consumer must provide consent via our company’s website. Once they’ve provided consent, the CMP propagates this consent signal to Marketo, which will start collecting information and processing it in accordance with the purpose for which it was consented.
The same holds true when a visitor withdraws a previously given consent. The CMP should propagate the consent withdrawal to Marketo, and Marketo should cease data collection and processing for this visitor immediately.
This is a simple scenario, but on most websites there are many third-party services collecting and processing visitor data on behalf of the company for various purposes. Each purpose comes with its own consent. If a visitor consents to the use of their data for analytics but not for marketing, the CMP should be able to ensure that only data collection for marketing purposes is terminated, while data collection and processing for analytics continues.
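To make the per-purpose propagation concrete, here is an added example (my own illustration, not code from the book, from Ketch, or from Marketo) of a minimal browser-side consent manager that pushes each consent change only to the tags bound to that purpose. The purpose names, service names and callbacks are all constructed assumptions.

```javascript
// Added example, not code from the book or the review: a minimal consent manager
// that propagates per-purpose consent to registered third-party tags. All names
// (purposes, service names, callbacks) are constructed for illustration.
const PURPOSES = ['marketing', 'analytics'];
class ConsentManager {
  constructor() {
    // Default-deny: nothing is collected until the visitor grants a purpose.
    this.consent = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    this.services = []; // { name, purpose, onChange, collecting }
  }
  // A tag registers the single purpose it collects for plus a callback. Current
  // state is delivered at once, so a late-loading tag never starts without consent.
  register(name, purpose, onChange) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const service = { name, purpose, onChange, collecting: false };
    this.services.push(service);
    this.propagate(service);
  }
  // Record a grant (true) or withdrawal (false) and push it immediately, but only
  // to the tags bound to that purpose; consent for other purposes is untouched.
  set(purpose, granted) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.consent[purpose] = granted;
    this.services.filter((s) => s.purpose === purpose).forEach((s) => this.propagate(s));
  }
  propagate(service) {
    const allowed = this.consent[service.purpose];
    if (service.collecting === allowed) return; // no change, no signal
    service.collecting = allowed;
    service.onChange(allowed);
  }
  // Which registered tags are currently collecting, keyed by name.
  status() {
    return Object.fromEntries(this.services.map((s) => [s.name, s.collecting]));
  }
}

// The review's scenario: a Marketo-like marketing tag and an analytics tag.
// Withdrawing marketing consent must stop only the marketing tag.
function demo() {
  const cmp = new ConsentManager();
  const log = [];
  cmp.register('marketing-automation', 'marketing', (on) => log.push(`marketing:${on}`));
  cmp.register('web-analytics', 'analytics', (on) => log.push(`analytics:${on}`));
  cmp.set('marketing', true);
  cmp.set('analytics', true);
  cmp.set('marketing', false); // visitor withdraws marketing consent only
  return { status: cmp.status(), log };
}
```

In a real deployment the `onChange` callback is where the tag's own start/stop API would be called; the point shown here is that the signal is delivered immediately and scoped to one purpose.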
As Bhajaria stated throughout the book, data privacy is a partnership between many teams within an organization. To ensure all stakeholders are satisfied, it’s imperative that the CMP implementation be as frictionless as possible from the visitor’s perspective. You will want to ensure the CMP, whether built internally or purchased through a vendor, has enough horsepower and availability to provide a buttery smooth experience to your visitors.
In summary: a great data privacy primer
While there are topics within the book I feel could be expanded upon, the author does an excellent job providing an overview of what data privacy is, a few of the more prominent data privacy laws out there today, what role we play in data privacy, how to plan a data privacy program, how to actually build a data privacy solution, and how to scale it as your organization grows.
I still stand by my statement (with an asterisk 😉): this book is a must-read for anyone who is responsible for, designs, architects, or develops software that collects or processes personal user information, especially in today’s data-centric world!