A Quick Guide to Privacy by Design in the SDLC

5 min read

At our annual Application Security Experience Sharing Day in Leuven, privacy expert Bart van Buitenen discussed how to integrate Privacy by Design into the Software Development Lifecycle (SDLC), highlighting the importance of addressing potential privacy issues at every development stage.

Embedding Privacy from the Ground Up

Privacy by Design has become a critical principle in developing software. The concept is to inherently respect user privacy by embedding it into the product from the outset, rather than as an afterthought. Integrating Privacy by Design into the Software Development Lifecycle (SDLC) involves proactively identifying and addressing potential privacy issues at each stage of development. But how can an organization set this up, and how can Privacy by Design be mapped onto the different stages of secure software development? At our annual Application Security Experience Sharing Day in Leuven, privacy expert Bart van Buitenen shared his thoughts on this topic. This post is based on his presentation. 

Total recall 

A recent example of how Privacy by Design may well have been overlooked is the introduction of Windows Recall as a key feature of Microsoft’s Copilot AI tool. Recall tracks all activity on a Windows PC and is basically a keylogger. It takes screenshots, runs object recognition on them and stores everything in a plain-text database for three months. This data can be easily retrieved and searched, even by other users of the same computer.

A white-hat hacker has already released a tool, called Total Recall, that extracts data from Windows Recall. And even though the feature is only found on a new generation of Microsoft PCs, runs locally and can be disabled, it has still raised concerns in both the security and privacy communities. It is just one of many examples showing the need for Privacy by Design in software development.

The privacy paradox  

The privacy paradox is real. Despite acknowledging privacy concerns, we continue to use software. Why? First, individuals face a power imbalance: they lack the leverage to negotiate these concerns with major tech companies. Additionally, social dynamics such as peer pressure drive us to use specific technologies in our daily lives, be it Facebook groups or WhatsApp.

The dilemma of necessity versus choice complicates matters further, alongside varying priorities among users. And yet, attributing the entire responsibility for privacy to users is overly reductive and unhelpful. Furthermore, the concept of Privacy by Design, or data protection by design, has transcended its theoretical origins to become a legal requirement in the countries where the GDPR applies.

It’s a mindset 

Indeed, a proactive approach to embedding privacy into technology from the outset seems more than warranted. But what is Privacy by Design? There is no straightforward definition. For one thing, it is not a checklist. It is a way of thinking, a mindset of having privacy on your mind from the beginning and throughout the different stages of any project involving personal data, in this case software development.

How to match privacy and security by design 

In the digital age, security seems to have recently gained more maturity than privacy. So, when thinking about how to integrate Privacy by Design into software development, the wheel should probably not be reinvented: the principles of Security by Design can be reused. The question then becomes how Privacy by Design can be integrated into the Software Development Lifecycle (SDLC). Let’s see how we can map Privacy by Design onto the different stages of software development: design, build, testing, deployment and governance.

Design: addressing basic principles 

The Design phase is the ideal phase to address basic privacy principles. This is the stage to apply ‘privacy threat modeling’, akin to security threat modeling. Start with data flow analysis: where data is collected, where it comes from, and where it is stored. Then apply the key principles of data protection, such as transparency (informing people that we use their data), purpose clarification (why we are using their data) and data minimization (only using the data you need). In this phase the outline of the user interface (UI) and the feature set lay the foundation for privacy considerations. Training development teams on privacy principles is advisable when design is kicked off, alongside conducting Data Protection Impact Assessments (DPIA) for projects handling sensitive data, as stipulated by the GDPR.

Build: security and privacy aligned 

As we transition to the Development/Build phase, the focus on privacy lessens slightly but stays significant. Here, security requirements should be aligned with privacy expectations. Essential practices include using test data instead of real data, adhering to secure development guidelines, and conducting code reviews to ensure privacy is baked into the product from the ground up.

Testing: making sure it works

When the product is ready for testing, privacy must be tested as well. A number of privacy testing activities can be implemented in this phase, including verifying the logging functions to determine who accessed what, and implementing Data Subject Request (DSR) procedures to test the data access and portability functionality. This phase ensures that privacy features work as designed before the product reaches end users.
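As an added example, not from Bart’s presentation or the original post, the small Python harness below ties the Build and Testing phases together: synthetic test data instead of real user data, a data-minimization guard, and DSR handlers (access, portability, erasure) written so that an automated test can check them. The in-memory store, its tables, field names and the rule that the audit log survives erasure are all assumptions made for this illustration.

```python
import json


class PrivacyStore:
    """In-memory user-data store with Data Subject Request (DSR) handling.
    Tables, field names and the retention rule are assumed for this example."""

    # Data minimization: only profile fields with a documented purpose are accepted.
    ALLOWED_PROFILE_FIELDS = {"user_id", "email", "display_name"}

    def __init__(self):
        self.users = {}      # user_id -> profile dict
        self.orders = []     # rows that carry a user_id
        self.audit_log = []  # who did what to whose data (kept after erasure)

    def add_user(self, profile):
        extra = set(profile) - self.ALLOWED_PROFILE_FIELDS
        if extra:
            raise ValueError(f"profile fields without a purpose: {sorted(extra)}")
        self.users[profile["user_id"]] = dict(profile)

    def dsr_access(self, user_id, requester):
        """Right of access: every record tied to the subject, with an audit entry."""
        self.audit_log.append({"action": "dsr_access", "subject": user_id, "by": requester})
        return {
            "profile": self.users.get(user_id),
            "orders": [o for o in self.orders if o["user_id"] == user_id],
        }

    def dsr_portability(self, user_id, requester):
        """Right to portability: the same data as a machine-readable JSON document."""
        return json.dumps(self.dsr_access(user_id, requester), sort_keys=True)

    def dsr_erasure(self, user_id, requester):
        """Right to erasure: drop the subject from every data table."""
        self.users.pop(user_id, None)
        self.orders = [o for o in self.orders if o["user_id"] != user_id]
        self.audit_log.append({"action": "dsr_erasure", "subject": user_id, "by": requester})


def synthetic_user(seed):
    """Build-phase test data: a synthetic profile with no real person behind it."""
    uid = f"u-{seed:04d}"
    return {"user_id": uid, "email": f"{uid}@example.invalid",
            "display_name": f"Test User {seed}"}


def residual_references(store, user_id):
    """Testing-phase check: count leftovers of the subject id in the data tables."""
    return json.dumps({"users": store.users, "orders": store.orders}).count(user_id)
```

A privacy test for the Testing phase then seeds the store with synthetic users, exercises access and portability for one subject, erases that subject and asserts that `residual_references` drops to zero while other users’ data is untouched.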

Deployment phase: Trust but verify 

Upon reaching the Deployment or Production phase, the mantra ‘Trust but verify’ becomes pertinent. Although privacy features are expected to function correctly, verifying them through user feedback, real-life examples and regression testing is an essential step to ensure continuous improvement and adherence to privacy standards.

Governance phase: more than a checklist 

Privacy by Design is not about going through checklists alone. It also requires building a privacy culture, as part of a larger process and a long-term commitment. It needs to be implemented at the organizational level, driven by management sponsorship. The ideal environment is one where everyone involved, including the development teams, proactively reflects on privacy.

Depending on the size and maturity of the organization, governance will be implemented differently. In larger organizations, for instance, it is good practice to add privacy-related items to change procedures. Establishing Privacy and Security (PrivSec) teams to address emerging privacy issues and providing privacy training at project kick-offs are further tactics to solidify the governance of privacy throughout the organization.

What about the ROI?

Adopting Privacy by Design can pay off for businesses, and not only by avoiding the costs of data breaches. This approach leads to better, safer software that can even warrant higher prices because of its better quality and security. Plus, it means businesses can keep better track of their operations and be more transparent, which both regulators and customers appreciate.

But there’s a bigger picture benefit too – it builds trust and reputation. Customers and employees alike feel good about being associated with a company that takes privacy seriously. In short, focusing on privacy from the start isn’t just the right thing to do; it’s smart business.  

Privacy Enhancement Technologies (PETs)

Privacy Enhancement Technologies (PETs) are innovative tools that bolster Privacy by Design, offering solutions that extend beyond privacy concerns to tackle other challenges. One example is the use of synthetic data, which replicates the properties of original datasets without exposing sensitive information, allowing for safe testing. On-device processing, on the other hand, enhances privacy while also reducing the use of computing power and battery life. UX (User eXperience) improvements also play a crucial role in Privacy by Design, with strategies like “just in time” notifications for privacy permissions, layered privacy policies that offer digestible information with in-depth options, and easy user controls for privacy settings.

A sustained commitment with tangible benefits 

Nowadays, we can see several great instances of companies and organizations adopting Privacy by Design. It is important to recognize, however, that Privacy by Design offers more benefits than privacy protection alone. The secret to implementing it successfully lies in connecting it with these added advantages. Like Security by Design, it requires a sustained commitment. Success depends on the full engagement of the entire organization, particularly its leadership. When properly executed and made standard practice, it brings obvious advantages for all parties involved.

Bart’s original presentation at the Application Security Experience Sharing Day can be found here.


About the author

Jo De Brabandere is an experienced marketing & communications expert and strategist.