Privacy Best Practices for Developers

Written by

The right to privacy is guaranteed by the US constitution, but a certain government contractor leaked information that made it clear that the government had its own version of privacy. This led the public to become more wary about the collection and use of its data. Last year’s record number of data breaches furthered concerns about the safety of one’s online data, and this year’s Ashley Madison breach gave the firm impression that user data is neither private nor secure.

Concerns about data collection are rising, both from a user and a collector point of view. End users, whether they are employees or customers, are requesting a higher level of respect towards their privacy and putting forward more questions as to how and why their personal data is handled.

Website and application developers must be aware of these growing concerns and take appropriate steps to address them from the ground up, building best practices in privacy into the products and services they provide.

The Ponemon Institute’s Security in the New Mobile Ecosystem report found that only 36% of IT and information security professionals believed their budgets were big enough to securely manage mobile devices. So, faced with budget constraints, how can you make the most effective use of limited funds?

1.  Transparency with End Users

Users can become wary quite quickly if an app requests information that doesn’t seem to be related to the app’s main functionality. An example of this is the request for a date of birth. A user may be unwilling to blindly hand out such a personal bit of data, particularly when that bit of data—in the wrong hands—can be used for fraud. But if you explain that this data will be used to send out a special birthday coupon each year, users are much more likely to share their information.

2. Training for Employees

The majority of breaches happen because an employee inadvertently opened a security door due to lack of appropriate training. The solution here may seem straightforward: improving security training amongst employees within your organization, ranging from basic password guidelines to restricted access policies. However, businesses are facing the issue that employees do not always apply what is learned during training, even less so when carried out through an online platform.

One effective approach is to use a relatable approach using classic storytelling techniques specific to your audience, as well as workshops to involve your employees as an integral part of your privacy solution.

3. Auditing and Assessing

A best practice is to take a good look at how your company is managing data, whether collected internally or through your apps.

At an organizational level

An audit of your privacy policies and processes is a good idea. An audit will usually try to understand how the data that your business is collecting flows between different geographical regions and divisions. When looking at the results of the audit, it will be clear where the pain points are and which actions should be taken. Should you undergo Safe Harbor Certification? Should you update your privacy policy (or, if you do not have one, what should your privacy policy state)?

Rather than trying to take all the information in at once, start by analyzing the data flow within each department separately.

On the app’s front-end

Did you integrate privacy from the outset of the app build process? Is your app privacy-friendly? Are your “privacy” notifications (request of collection of location, access to contacts, etc.) invasive and disruptive to the user journey?

Via a strong UX/UI review combined with an audit of data collection, you could improve your users’ experience in a straightforward manner. Be transparent about your data usage without being invasive to help increase user engagement and retention.

4. Governance and Risk

It can take some sorting out to understand whether your privacy and security initiatives are proportionate to the risks that your business is facing. Business-minded people will always be more inclined to take a more risky approach for the sake of business innovation. And this is fine.

5. Examine and Revise Privacy and Security Policies

Your privacy policy could quickly become outdated in this hyper-connected world where speed is of the essence and change is seemingly nonstop. It is time to rethink your privacy policies.

At an organizational level

Pick a member of your team to be in charge of verifying whether the privacy policy needs to be updated on an annual basis. Long gone are the days when privacy policies were written once to check a box on the list. They are now a tool empowering you to understand your business better.

On the app’s front-end

Most people can’t be bothered to read privacy policies—which is ironic, since the issue raises such concern. If you want your users to read it, we recommend you make it as visual and interactive as possible.

Ongoing Effort

It’s important to meet the legal requirements that govern app development, but stopping there could be a mistake in terms of increasing security while creating improved user experiences. To do these well, determine the categories of data you want to protect, including employee, business customer, users, non-personal business confidential, IP and so on. Next, determine the sensitivity level of each category and implement the appropriate preventive actions and safeguards.

Make sure your employees are well versed in your security policies and procedures and that end users understand why you are asking for certain types of data. Finally, continue this good effort by appointing one person to keep policies updated on at least a yearly basis.

What’s hot on Infosecurity Magazine?