Enigma 2020

The concept of privacy by design (PbD) is more than 20 years old and a common element in both regulatory and technical discussions. While many strategies for Privacy by Design focuses on product development with a traditional waterfall-style methodology, today's current agile development process does not follow the historically clear cut and distinct design, planning, implementation, and release phases. Many privacy risk mitigation strategies are created for the waterfall-style methodology and focus on the planning phase. The implementation phase consists of taking the planned actions with the hopes that they are enough to avoid the identified risks.

In an agile methodology, software is released in an iterative and feedback-driven fashion, which emphasizes short development cycles, continuous testing, user-centricity and greater simplicity of design. Agile programming practices allow developers across services to continuously tweak, remove or add new features using "build-measure-learn" feedback loops. This includes experimental features, minimum viable products, and alpha releases. While agility requires quick software development sprints, privacy analysis is usually a slow and time-consuming activity. In addition, technical privacy assessments are based on the architectural description of the system, but in agile development, there is often no grand design upfront and the documentation is limited. It might be possible to assess the privacy readiness of each feature, but when these features are combined, there is no guarantee that the service itself or the entire supply chain that underlies it fulfills all the privacy requirements. The latter is the case due to modular micro-service oriented architectures that are favored in current-day software ecosystems.

In this talk, we will demonstrate an approach to technical privacy where privacy by design is applied in a hyper-connected service environment. We will walk through some of the principles coming from GDPR, industry standards such as ISO29100 and Data Protection Authority guidelines. We will also demonstrate how those principles can be applied to a complex agile environment.