Digital Products, Privacy by Design
Data is the life blood of digital products. Sadly, it's also a currency for cyber criminals, resellers and other abusers. Data breaches are in the news every so often, but cybercrime is a major concern for all organisations. That’s why we aim to protect users’ privacy as much as we can. Organisations should handle data with care and respect by being transparent, asking for consent and using non-intrusive tracking.
When is a product private by design?
Privacy by Design is an approach to systems engineering which means that privacy is part of the Definition of Done. It should be a key consideration when setting up tooling and architecture, writing a user story and building or improving a feature. In the final product, we measure Privacy by Design by checking whether:
It only uses privacy friendly tracking software.
Tracking is only allowed after cookie consent, or is completely anonymised. For example, IP addresses are partially masked and location data is broadly scoped (regional or even countrywide).
The user can inspect their cookie settings, get understanding about their usage and deny them. The user experience when cookies are denied should be as smooth as possible, without ‘penalising’ users with broken buttons or media.
Data is stored securely and industry standards and guidelines have been followed or implemented with regards to personal data and how it is accessed, stored and handled.
The OWASP Top 10 Privacy Risks are consulted and policies are documented, and/or technical measurements are taken to mitigate them.
Want to know more about privacy by design?
Making an impact on privacy
How can you make a digital product with a focus on privacy and implement all the soft and hard requirements of a "Privacy by Design" product?
Privacy starts with security. Storing data (files, or a database) on a ISO27001 or SOC 1 or SOC 2 compliant resource is part of this, too. Educate content editors and admins in security measurements (and perhaps your users too). Private data will be harder to steal and phishing or other attacks are harder to execute.
Give users control. In most cases, using the larger part of a website doesn’t require cookies. Consider asking for consent the moment your users are actually using 3rd party cookies elements on your website, like watching a YouTube video. This way you’ll ask for fine grained consent at the right time, and prevent having a user unfriendly cookie banner.
Respect GDPR regulations. Obviously.
Collect only the data you need. If someone signs up for an on-site event, do you need their address? If someone books a hotel room, do you need to ask for gender? If you use analytics for user insights do you need their IP-address? Does anyone ever need a birth date? There are lots of privacy friendly alternatives to Google Analytics. And in our experience asking for less data creates less thresholds, which leads to higher conversion.
That said, getting 'everything' right can be a daunting task. We can help you get set up and consult you on the most impactful decisions and improvements to your product.
Up to 10% impact discount!
We’d love to help you make an impact. If you commit to building your digital product with privacy by design, you’re eligible for our impact discount. Want to know more?