A SaaS Platform for Privacy Management is Finally Here

The way we work, move around the globe, entertain, educate and affect social change is fueled by a ubiquitous flow of data and data-driven products. 

At the same time, we see fault lines forming between safety and individual autonomy; convenience and choice; ethics and urgency. The systems of law and international sovereignty can scarcely keep pace with technological change and the demands of new generations of digital natives who are hungry to have their digital cake and eat it, too.   

This complex, ever changing, multi-stakeholder and high-risk world is the realm of the Chief Privacy Officer. She is tasked with understanding individual employee and consumer rights, international legal regimes, technical capabilities and the financial realities required to drive the entire soft system that is data protection and privacy. It’s a lot.

Reimagining Privacy for the Modern Enterprise

When we talk to people who work in privacy – from CPOs to privacy engineers - we hear stories of communication failures, confusing product requirements, and ever-increasing pressure from regulators and board members to reduce the risk of collecting, managing and securing personal data. Often, we find ourselves vigorously nodding in agreement. That’s because we’ve both “sat in the chair,” leading privacy programs from the legal and technical sides. The pain points we hear are deeply familiar to us.  

We’ve stared into the void – and it is a void – searching for an enterprise solution to connect policy words, technology, law, reporting and governance. We searched for a platform that legal, technical and business teams understand and could actually use to build privacy into products and governance programs. For too long, the void stared back at us.

So we decided to fill the void (and then some) – by building a proactive, metrics creating platform that meets developers and privacy leaders where they are. Specifically, a solution that enables privacy teams to leverage the best ML/AI solutions to test assumptions and make standards-based recommendations.  And, to equip them to scale their work by having the most current regulatory standards at their fingertips. We wanted them to be able to break down complex requirements into intelligible chunks so that the right person can execute on them quickly and effectively. We believe privacy leaders and teams should be able to do all of this, and more. So that’s what we built: a platform to empower privacy experts to become more efficient, and for privacy novices to perform like experts. 

Why PrivacyCode?

PrivacyCode is the only SaaS platform that brings scale, efficiency, and accountability to privacy programs. Today, there is a chasm between the privacy teams who use words to create privacy policies and developers who use code to transform these policies into products. Simply put, they speak different languages.  

For decades these two essential stakeholders (and others across the enterprise who “own” aspects of privacy) have found themselves in endless meetings, struggling to create system requirements from legal documents, only to end up frustrated.  Correcting these requirements after systems are deployed or updated can be costly, time consuming, and failure prone. The cost of this inefficiency and miscommunication is real. Last year, Didi Global was hit with a breathtaking $1.2 billion fine, Sephora was fined $1.2m for breaking California’s privacy law, Weight Watchers suffered bloated liabilities from poor acquisition practices because the startup failed to build privacy in to protect children’s data. The list goes on.  

To address these growing risks and build a solution that would scale and iterate as the privacy landscape continues to change, we focused on building the PrivacyCode platform that is:

• Cloud-based and collaborative

• One-source of truth and proof

• Developer and privacy team friendly

• Engineered for the ethics of the modern enterprise 

In essence, these principles are the “code” that we use to guide us. In the process, we’ve created new ways to advance how people work with privacy, day to day. For instance:

• The Privacy Object TM Library provides out of the box instructions and translates privacy policies into consumable tasks for developers and project managers

• Machine Learning (ML) engine enables speed, automation and scale

• Embedded tools capture data, drive analytics, and generate reporting

There’s a lot more to know about what PrivacyCode can do – contact us for a demo.

We also think it’s important to say what PrivacyCode is not. Our solution is not a checklist. It’s not an assessment framework or data mapping tool. These are point solutions that only look at a piece of the privacy puzzle without connecting it to the larger privacy program, technical requirements, or reporting imperatives.  

Why a Platform?

Privacy programs today must scale. One-off, siloed projects in legal departments or technology teams, or in separate business functions fail to leverage previous knowledge and development work, and almost always result in costly gaps and lost productivity. And without an integrated workflow and view, it’s almost impossible for privacy leaders to provide metrics and demonstrate the progress of their program. This “proof gap” is something that plagues many privacy professionals.

What’s more, privacy is no longer the purview of a single person, be it a lawyer, privacy manager or a cybersecurity expert with “privacy” as a side job. Now, privacy touches all parts of an enterprise, from sales to marketing to supply chain to HR to IT. A comprehensive solution that enables each of these stakeholders to contribute to, and track a privacy program from their POV , is essential. PrivacyCode as a platform is the “spine” that connects the unique elements and various user personas of enterprise privacy into a single, simple to use system.   

Why Now?

Businesses are responsible for managing an avalanche of proprietary data. Yet the privacy protection “industry” is still in its infancy. As the ownership of privacy within large enterprises continues to shift from legal teams to a shared responsibility across teams and work streams – many who are new in the field - keeping track of the work and the evidence is critical. Toss in the explosion of remote work, complex governance, growing cyber threats, and enterprise customers who want to know if a company can prove it protects customer data, and it becomes clear that continuing to manage privacy like it’s 2010 is a massive risk.

In concert with a shifting privacy management landscape, C-suites and Boards of Directors are paying closer attention to what they spend on their privacy program and want evidence that risks are being managed efficiently. Successful and sustainable businesses know that it’s critical  to protect data, and act as its guardian and manage it as an asset.  

Where Are We Headed?

We’re pretty excited about what we’ve built with PrivacyCode. We uniquely understand the challenges facing privacy leaders and privacy engineers today and making their work easier – and protecting the private data of all people – is a mission we truly believe in. We also love the fact that our platform is a business enabler for our customers and creates real value for the enterprises that use our platform.

As the data privacy solutions market is poised for hypergrowth, we’re confident that PrivacyCode will be at the forefront of privacy innovation for a long time to come.  If you’d like to join us on our journey by becoming a PrivacyCode Design Partner to see firsthand how you can reduce privacy risk and accelerate teams across your enterprise, please contact us.

-----------------------------------

We agree, Adam!

PrivacyCode CEO Michelle Finneran Dennedy sat down with renowned consumer affairs advocate and serial entrepreneur, Adam Levin on his popular podcast “What the Hack with Adam Levin.”

As Adam writes in his blog, “Michelle Dennedy is to privacy what Einstein is to relativity but with the addition of rules that involve proper panty protocols. If there’s a new trend in identity-related criminal enterprise, she knows about it, has an opinion and can help guide you to a better place without getting got by it.”

Adam interviews Michelle about news from the Washington Post about data brokers selling highly sensitive mental health data of thousands of people with their personally identifiable information still attached (yikes!), and why privacy laws in the U.S. continue to suck.

Listen to the full episode below and check out Adam’s blog at https://adamlevin.com/.

PrivacyCode co-founder and CEO Michelle Finneran Dennedy joins Lenovo Late Night I.T host, Baratunde Thurston, and Beverly Jackson, Vice President of Brand and Product Marketing at Zillow, for a lively discussion on big data, how it's used, how it's abused, and what individuals can do to take ownership of their online identities.

“So my point is, technology is never neutral. It's either positive, or it's negative. And so even though we'll have more and more and more data processing capabilities, we have to constantly be mindful that context is constantly being a driver of what is it that we're collecting. How does that impact the human, that's just navigating our way as our little carbon spaceships?”

Watch the entire discussion below.

by Michelle Dennedy

From Decipher:

The idea that you can’t protect what you don't know you have is axiomatic in security and it applies not just to devices, but to the information an organization collects and stores. Knowing where user and customer data is, what it's used for and who can get to it and why are all difficult things to address.

"It’s not a tech problem, it’s a hard thing to overcome years of neglect. We’ve underestimated and underinvested in privacy for decades because privacy is just air and no one wants to invest in air," said Michelle Finneran Dennedy, co-founder of Privacy Code and co-author of The Privacy Engineer's Manifesto.

"Privacy is contextual and time based, it’s storytelling. If you haven’t built data intentionality and data flows, you get that answer that we don't know where things are."

PrivacyCode Co-founder & CEO, Michelle Dennedy is a guest on the Shifting Privacy Left podcast with host, Debra Farber. They discuss what a Software Bill of Materials is and why it is needed in privacy and Michelle’s advice for privacy engineers on how to use an SBOM.

“VCs are more of a mood than an algorithm” Michelle Dennedy, CEO & Co-founder

PrivacyCode CEO, Michelle Dennedy, keynotes at the 2022 ISACA IT Security and Risk Symposium conference. She highlights Wicked Privacy and the power of multi stakeholder requirements driving privacy engineering, building projects and systems to create value in the 21st century.

“Privacy is a strategic business enabler” - Michelle Dennedy, CEO & Co-founder of PrivacyCode

Building value in these turbulent economic times is more important than ever before. Data is central to driving decisions that matter to build trust, execute operations, and fulfill promises. Privacy and data protection is therefore central to those tasks.

“One of the best Keynotes ever...” -Sunny Jamwal, Director of CyberSecurity at Dash Hudson

by Ian Oliver, Distinguished Member of Technical Staff, Bell Labs

Finally, a solution to the biggest problem in privacy management!

In London, whenever you take the tube (the subway) you’ll notice a somewhat ominous recorded voice telling you to “mind the gap;” in other words to stay clear of the space between the platform and the train. Otherwise, ouch.

I thought of this the other day when someone asked me what I thought was most challenging for organizations when trying to build (or rebuild) a privacy program. I’m referring to the gap – Ok, let’s call it a chasm – between privacy legal and compliance experts who create policies and procedures, and the architects and engineers who must implement them within products, data management protocols and other activities that are core to doing business today.

To anyone who has worked on either end of a privacy team, the disconnect between those who create the policies and the engineers who must operationalize them is well-known, albeit not often openly discussed. Instead, endless meetings, email threads, and PowerPoint decks go back and forth, in a well-intended, but often futile attempt for these two very different sets of experts to get on the same page. This gap is much more than frustrating and inefficient – it can be costly and even dangerous when it involves protecting the private information of individuals. The damage goes beyond penalties. The business impact (often overlooked in media coverage), is significant. Months or years spent designing and launching products and data mining strategies that are then found to violate privacy regulations are sunk costs that could be avoided – if privacy is designed into products from the outset. And that means lawyers and developers need to communicate.

It’s not like these teams don’t want to talk to or understand each other. They just don’t know how. They speak different languages, and they are focused on different objectives - yet each is held responsible for the successful implementation of a sound privacy strategy that follows the law and will protect a company’s brand.

An old model for a new world

Historically, privacy programs were set up from a legal perspective; understand the regulations, write a policy, hand it off to others to implement and done.

This still-entrenched process was designed for a world that no longer exists. Today, personal data is the currency that drives revenue for most businesses. Understanding how this data is used and protected – and how systems are built to do so effectively – is essential for privacy and legal experts. The days of “we have our privacy policy, so we’re compliant,” are over.

As well they should be. Imagine if an architect only just designed a building, without understanding the engineering required to make that building safe. Rather, an architect designs with structure in mind, visits the building site, collaborates closely with the construction team, and ensures their original vision is implemented in a way that follows all the required regulations. When was the last time you saw a privacy lawyer sitting down with a programmer to understand the technical implementation of a policy? Thankfully, that’s starting to change.

Recently, I was pleased (and admittedly surprised) to see this excerpt from a privacy panel at the RSA Conference 2022. Chief Privacy Officers from some of the giants of tech, including Apple and Google, participated in a keynote panel. This excerpt from coverage of the event perfectly articulates where I believe we are today:

The role of engineers in actualizing the governance of privacy policies and procedures was also addressed in the session. Apple’s Horvath said that deep technical knowledge is critical to privacy, such as understanding databases. “The best friend a privacy person has in a company are security and privacy engineers,” she stated.

Enright concurred, commenting that:

“the privacy engineering function at Google is perhaps the most fundamental when I think about our product strategy. The way things are evolving is about more than meeting the requirements of changing laws.”

-James Coker, Infosecurity Magazine, “RSAC: The Growing Relevance and Challenges of Privacy”

In my mind, this demonstrates an awareness at the highest levels of some organizations that connecting the two ends of the privacy spectrum to manage the tsunami of data that is their bread and butter is imperative. So how exactly, can they do that? Where is the structure and tool that can get them there?

The bridge that closes the gap

Let’s be clear: lawyers are not about to become engineers, and vice-versa. However, each discipline can – and must – be able to see the bigger picture of what they are creating together and be able to collaborate throughout the process. To date, there has not been a practical and accessible way for them to do this.

The solution, in my mind, has always been a tool that is accessible for everyone involved in the process of planning and operationalizing a privacy program efficiently and without ambiguity. I believe Privacy Code and their SaaS platform does that-and in some pretty amazing ways. (Full disclosure: I am an Advisor to Privacy Code and honored to be one.)

There are many things to like about the Privacy Code platform and if you’d like to see how it works firsthand, contact the team. But at a very high level, I like the fact that it gives me a structure in which to operate. It lets me see – as an engineering/technical person – exactly what I need to do, and most importantly, why I am doing it. And it lets everyone move between looking at the project on a developer level and business level. This is so critical. As I said, these two domains see and think differently. But if you can give them a lens, as Privacy Code does, to see the same project through their specific needs, you save an enormous amount of time. And time, as we all know, is money.

There’s another reason that I think Privacy Code is the kind of solution the privacy world has been waiting for: this platform was built by two impressive entrepreneurs who know privacy. They’ve lived it, worked it, and one wrote the definitive book about it. They built something based on their own experiences as corporate executives and product leaders trying to bridge the gap between privacy teams and developers. Which is why it works.

Risk vs. Compliance: The Future of Privacy

I’ll sign off with a note about where I think we’re headed. Privacy regulation, laws and penalties are only going to increase. The use of consumer data for business is going to get more complex. So privacy teams within organizations need to quickly shift their mindset from one of “being compliant” to “managing risk.” This may sound subtle, but it’s actually a profound evolution from where privacy programs have historically been.

The risks and consequences that come with being entrusted with people’s personal data have never been greater, so making sure you have the right teams and the right tools to do so is critical. Once you do, the stress of having to “mind the gap” recedes and you can move forward with confidence.

Dr. Ian Oliver is a Distinguished Member of Technical Staff at Bell Labs working on Trusted and High-integrity Cyber Security applied to 5G and 6G mobile technologies, NFV, Edge and IoT devices with particular emphasis on the safety-critical domains, such as future railway, medical devices and medical systems.

He is the author of the book "Privacy Engineering: A data flow and ontological approach" and hold over 200 patents and academics papers.

The latest podcast episode by Silo Busting features a conversation between Michelle Dennedy, CEO of PrivacyCode and co-author of The Privacy Engineer's Manifesto and Sam Rehman, Chief Information Security Officer and SVP.  They discuss the importance of considering privacy and security in the context of Environmental, Social, and Governance (ESG) and bringing the human factor into ESG conversations. Michelle Dennedy defines privacy as “the authorized processing of personal or personally identifiable information according to moral, ethical, legal, and sustainable principles.” They also dove into the topic of the emotion of security, governance in the era of non-stop work from home video conferencing, and the new questions business leaders are asking. Listen to the podcast to discover more insights on the topic.

A Message from PrivacyCode President Kristy Edwards

Developers, development managers, privacy engineers, privacy attorneys — tell me the same story about the litany of meetings they have trying to translate all the words and policies of privacy requirements into something usable for engineers.

They’re all spending an enormous amount of time not writing code, designing new features, or doing legal work. They feel increasingly stuck in these discussions as new requirements emerge from regulators and customers, and they’re unable to focus on the work that fulfills them. I’ve been there.

I understand PrivacyCode customers because I’ve been in their shoes. I led privacy teams, security teams, and product teams, and I know why so many cross-functional privacy efforts struggle to gain traction. Privacy work only moves forward when engineers and lawyers are able to communicate effectively with each other, and when product teams truly understand end-users. Until now there hasn’t been a single solution that could effectively bring all these disciplines together under the same set of expectations, metrics, and goals.

Developers want to do the right thing, to write code that enforces data minimization, consent, and responsible sharing, but legal policies don’t often specify how to do that. Every team involved in privacy work needs someone to show them using language, tools, and context they understand. Legal and governance teams usually explain policy and law with words, but engineering systems are driven by code. To move forward, privacy needs a translator.

My co-founder Michelle and I are building what we wish we’d had as privacy and product executives — a solution to bridge the gap between privacy policies and actual code.

PrivacyCode is a SaaS platform with a translation engine that turns complex privacy policies into a language developers understand, using agile methodologies. It provides context in a world they already know and integrates with tools they already use. This is the future of privacy engineering.

Wed Jul 06 2022 - PrivacyCode

Last week, PrivacyCode was recognized for its pioneering work in the field of privacy engineering. Presented by the Rise of Privacy Tech at their inaugural 2022 Summit, PrivacyCode was one of 8 privacy-forward start-ups to win a distinction. After taking an opportunity to celebrate, PrivacyCode Co-Founders Kristy Edwards and Michelle Dennedy spoke about the future of privacy tech and the role that PrivacyCode is playing in laying the groundwork for a more private Silicon Valley.

This award cements the influence and potential of privacy tech start-ups, and displays the value that consumers and developers see in innovations that push the boundaries of privacy. We are deeply grateful to TROPT for organizing this year’s Summit, and we’re already excited to attend next year.